Professional April 2022

FEATURE

publishes these principles for the public sector and enterprise cloud service buyers, but the guidance is useful for anyone. Information on the NCSC website on steps to identify cloud services that are suitably secure for your needs is also worth a review: http://ow.ly/u4Tp30se6LO.

To boost cloud-based software security at an operational level, you could enable MFA on high-risk accounts. MFA provides an extra layer of protection by using a secondary level of user authentication. This could be appropriate for an administrator account for a cloud-based service, like your e-payslip portal, for example.

“Technology alone isn’t a threat; it’s how it’s used and manipulated that presents the threat”

How can businesses implement certain security controls for individuals working from home without compromising the trust of their employees?

JD: This is about building on a trusted relationship. Many of us will remember that one of the key principles of managing access to data is screen management. When away from your desk, lock your screen so the system cannot be tampered with. This principle extends to the home, especially where it is shared by multiple users. You need to consider what printed materials are visible. As with a work environment, impose a clear desk policy on your workspace, so at the end of the working day all items are stored properly. Any items to be thrown away should be shredded.

Lesley Holmes: Businesses should ensure staff are aware of their responsibilities to protect data and privacy and reduce the opportunity for fraud. Businesses can use monitoring, data loss prevention and access controls to reduce this risk if they’re proportionate and employees are made aware. Fraud can take many forms, and checks on financial transactions, including changes to bank accounts, can work to deter this activity. Any monitoring and surveillance undertaken must be proportionate to the risk and communicated clearly so trust is maintained; otherwise a culture of fear can arise, which can leave staff feeling untrusted.

WN: Organisations shouldn’t be complacent, as aside from the many benefits of the cloud, there are different risks to data security which must be managed properly, or they’ll end up resulting in a security incident. These different risks are easy to manage, so organisations can realise the benefits of the cloud without compromising data security.

A common type of cyber-attack is phishing for user passwords. I’d be surprised if any organisation hasn’t been affected by this recently. It’s imperative that you know that the person using your cloud system is really them. As cloud systems aren’t only accessible to internal staff, if a malicious external actor obtains a user’s password, they’ll probably be able to access the system if additional security measures aren’t in place. This makes MFA such an important and valuable additional security measure for cloud systems. This usually involves a code being sent as a text to a mobile phone, which must be entered along with a username and password. This means that if a user’s password is compromised via a phishing email, the attacker won’t be able to log in, and data is safe.

The Information Commissioner’s Office (ICO) recommends that MFA is used wherever possible and, most importantly, where the personal data is of a sensitive nature. This would certainly be true for payroll data. The government-backed Cyber Essentials scheme is making MFA mandatory for all cloud services from January 2023 for all participating organisations.

As staff at the cloud service provider maintain the underlying infrastructure, they’ll have access to your data in some form. Encryption can be a useful additional security measure to provide extra protection over the most sensitive types of data. If data on the cloud service is encrypted, even if someone at the cloud service provider has access, it won’t be readable and will remain secure. Cloud service providers appreciate the importance of this for customers and are offering ‘bring your own key’ encryption services, where the customer holds the encryption key and has full control over their own data.

Effective security due diligence on the cloud service provider is important. Ensure the security processes the cloud service provider is now responsible for, rather than your in-house IT team, are operated as securely as, or more securely than, your own processes.

Check if the cloud service provider has industry-recognised security certifications, such as ISO 27001. However, there’s no better way to gain assurance than a physical, on-site audit of the supplier to check and see all this for yourself.

GK: The best approaches have strong information security measures and controls. These include:
● an asset inventory detailing office or home-based equipment and systems used to store or process personal data
● access controls with user-level accountability and appropriate privileges
● system-level password security policies, with strong passwords
● regular information security training for all staff.

These controls and measures should be regularly reviewed, ideally by independent cyber-crime experts.

What protocol should be followed where there’s a breach of personal data?

JD: Information and context are key. Quickly engage with those affected. Evaluate who all the key stakeholders are and have a plan to meet them to address and review the situation until all actions have been completed. Have a communication plan alongside this. It’s important to provide key information to those affected. Be clear on what each party is expected to do, or not do. Doing this builds confidence to support the situation. If you’re unclear or hesitant in your communications, this may reduce trust or create unnecessary concern and anxiety.

LH: Every organisation should have a basic procedure for the reporting and management of personal data. This should clearly set out who to notify and what initial mitigation steps can be taken. Start a documented evidence trail for the incident and inform the necessary stakeholders of the event.

GK: If you have a data breach, you need to respond quickly and decisively. The last thing you need at that moment is to be learning what steps to take. Make time now to consider how you’d react to a data breach. The ICO website has guidance for the UK. Perform exercises involving all key stakeholders in data privacy impact assessments. Based on these activities, controls and procedures can be implemented to reduce and mitigate the impact, should a breach occur.

| Professional in Payroll, Pensions and Reward | April 2022 | Issue 79 20