Professional February 2018

Technology insight

Improving data security

Mark Robson, IT and information security officer at Cintra HR & Payroll Services, provides some suggestions for workplace improvements

In view of existing data protection legislation, the 2017 Data Protection Bill now working its way through parliament, and the imminent introduction of the General Data Protection Regulation (GDPR), how much attention should we be paying to the security of the information we hold? This is a good question, and one that is often missed or not given the priority it deserves. Some companies may even say that they don't have the resources to maintain good information security, but the counter-argument is the scale of the fines that the Information Commissioner's Office (ICO) will be able to issue once GDPR is in place. Under the Data Protection Act the maximum fine that could be issued was £500,000; under GDPR the ICO can impose fines of up to twenty million euros or 4% of group worldwide annual turnover, whichever is greater. This increase could be crippling for companies that are not planning for fines and that operate on a high turnover but a small profit margin. The regulator is concerned about data breaches because of their scale in recent years, and may well respond with a simple message: prevent breaches or face larger fines. What can everyone do to prevent a data breach, and to show that they have been proactive if one does occur? Some companies are developing GDPR project plans to ensure they will be compliant, and some are working on the theory that they will be fine if they are accredited to certain standards (e.g. ISO 27001). However, I want to walk readers through some simple steps towards protecting the information inside the company they work for. I think we can all agree that the information we hold in payroll, human resources, recruitment and accounting is among the most valuable assets within the company. The solutions below can be implemented no matter the size of company, complexity of the job or nature of business.

● Clean desks – At the end of the day, clear all paperwork away from employees' desks by placing documents in locked drawers or cabinets. This ensures both a clean desk when an employee comes into the office each morning and that cleaners, employees from other departments and guests cannot see sensitive information when walking around the office outside standard office hours. It takes only seconds to photograph information left on a desk.

● Computer screen locking – This is probably the quickest and easiest of all the solutions to implement, and it ensures that whenever an employee is away from their computer no one can access the information on it without the accountable employee being aware. On a Microsoft Windows PC this is done by pressing the Windows + L keys; on a Mac with an Eject key it is Control + Shift + Eject, and on Macs without an Eject key it is Control + Shift + Power. Returning to normal operation is simply a matter of unlocking the screen with the employee's normal login credentials. Where possible, back this up with an automatic lock after a short period of inactivity, so that protection does not rely on staff remembering the key combination.

● Secure disposal of information – The payroll and accountancy industries are both financial, so it is expected that information is held for no longer than required, but how many companies are ensuring that the information is being disposed of correctly? Is all paper disposal being securely shredded and removed from site? Are hard drives, USB keys, CDs and DVDs being removed and destroyed securely as well? Services can be contracted that come to site and carry out the shredding and destruction securely for a company.

● Bring your own device (BYOD) – As technologies develop they become smaller, so inevitably they enter the office environment. Problems arise when someone's mobile phone or USB key is infected with a virus, worm, Trojan or ransomware, as such malware can quickly spread across the network and inflict a lot of damage. If a BYOD must be used, ensure an anti-malware solution is deployed that scans devices as soon as they are detected. Ideally, prevent all BYODs from being used on or connected to the office network, and enforce that technically (for example by blocking removable storage on office PCs) rather than by policy alone.

The above four activities do not provide 100% protection for the sensitive information held by the companies we work for, but they are steps towards minimising the likelihood of information leaking from the organisation. The important thing all companies should remember is that as technology develops, so do the threats. The solutions implemented now are good additions, but they must not remain static: they must evolve and change just as businesses, technologies and industries change.
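As an added illustration that is not part of Mark Robson's article, the following PowerShell script enforces two of the controls above on a Windows 10/11 PC: an automatic screen lock after a period of inactivity (the "Interactive logon: Machine inactivity limit" policy) and a block on all removable storage classes (the "All Removable Storage classes: Deny all access" policy). It then reads each value back so the result can be checked. The 300-second timeout is an illustrative value, not a figure from the article, and the script assumes an elevated PowerShell session; on a domain the same settings belong in a Group Policy Object rather than being set locally.

```powershell
# Added example (not from the article): enforce screen-lock timeout and
# removable-storage denial via local policy registry values, then verify them.
# Assumptions: elevated PowerShell on Windows 10/11; 300 s is an illustrative
# inactivity limit chosen for this example.

$Settings = @(
    # "Interactive logon: Machine inactivity limit" - locks the screen after the
    # given number of idle seconds, so the lock does not depend on Win+L.
    @{ Path  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name  = 'InactivityTimeoutSecs'
       Value = 300 },
    # "All Removable Storage classes: Deny all access" - blocks reads and writes
    # to USB keys, phones in storage mode and optical media on this PC.
    @{ Path  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
       Name  = 'Deny_All'
       Value = 1 }
)

function Set-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Create the policy key if it does not exist yet, then write the DWORD.
    if (-not (Test-Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }
    New-ItemProperty -Path $Path -Name $Name -Value $Value `
        -PropertyType DWord -Force | Out-Null
}

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    # Read the value back; a missing key or a different value is a failed check.
    $actual = (Get-ItemProperty -Path $Path -Name $Name `
        -ErrorAction SilentlyContinue).$Name
    return ($null -ne $actual) -and ($actual -eq $Value)
}

foreach ($s in $Settings) {
    Set-HardeningValue @s
    $state = if (Test-HardeningValue @s) { 'PASS' } else { 'FAIL' }
    '{0} {1}\{2} = {3}' -f $state, $s.Path, $s.Name, $s.Value
}
```

The removable-storage policy applies to newly connected devices once Windows has picked up the change (a restart, or `gpupdate /force` on a domain-joined PC, forces this), and it also blocks legitimate encrypted USB drives, so any approved exceptions should be handled through Group Policy rather than by leaving the control off. The inactivity limit is a machine-wide setting that users cannot lengthen themselves, which is the point of enforcing it centrally.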

Professional in Payroll, Pensions and Reward | Issue 37 | February 2018