It is essential that organisations are familiar with their legal requirements when it comes to data storage and access. The General Data Protection Regulation (GDPR) is an EU directive that regulates the handling of personal data. Fines for breaches may amount to €20 million, or more for organisations with large turnovers. Access restrictions differ depending on the sector you operate in; for example, the Freedom of Information Act 2000 allows public access to information held by public authorities. Regulating storage and access permissions, and ensuring employees are aware of best practices, will help protect your organisation from damaging information security breaches.
Storage Principles
Given the technological world we live in, a large proportion of data is stored electronically. Consequently, it must be adequately protected to prevent data breaches. It is important to manage things like desktop files and databases effectively, allowing them to be accessed quickly and easily by you and your colleagues while maintaining the integrity of the data they hold. Remember, screens should never be left unlocked when unattended, as unauthorised people could gain access to sensitive information stored on your PC if it is not encrypted.
Mobile devices such as laptops and phones are accompanied by an additional set of risks. Care must be taken when transporting mobile devices out of the office, as they may be lost or stolen. Mobile devices should be kept on you whilst travelling, and extra care should be taken when using them, as this is a prime opportunity for theft. If any work devices are lost or stolen, you should report the loss to your organisation immediately. Sensitive information should not be stored on laptops unless it is encrypted. Encryption means that, without possession of the specific key (the secret needed to reverse the encryption), the information is nonsense to anyone who attempts to access it. Laptops should not be lent to anyone who should not have access to the information they contain. Nor should they be connected to external data networks unless they have recently been connected to the corporate server and had their security tools updated.
Paper or hard copies are subject to data protection regulations just like electronic data, and should be treated accordingly. Important information should be filed properly in secure cabinets so that it is safe but accessible to authorised personnel. Any paper copies that contain sensitive information should be shredded as soon as they are no longer required and disposed of properly or recycled. You must make sure that no sensitive information is left lying around on desks or cabinets; some organisations ensure this through implementation of a ‘clean desk’ policy. Similarly, password-protected photocopiers should be used, and awareness about leaving papers in the copier/scanner should be raised, e.g. with office poster campaigns.
Portable storage devices (e.g. USB drives and CDs) should be subject to increased levels of protection. They should not be taken out of the office without authorisation to do so. Again, given their portable nature, they can easily fall into the wrong hands or be misplaced. In order to minimise the chance of unauthorised data access, these devices should be stored in a secure place and files should be encrypted. Any information stored on portable storage devices should be backed up to a hard drive at the nearest opportunity. Due to the increased vulnerability when using these devices, personal and sensitive information should not be stored on them unless strictly necessary. Portable storage devices should never be plugged into an unknown PC without a virus scan to ensure both devices are clean and free from malware. Plugging an infected portable device into a PC could result in the virus being spread to entire office networks.
A less permanent form of information storage is on temporary displays (e.g. posters and whiteboards). Information stored on whiteboards should be limited to what is strictly necessary and must not include any personal, sensitive or confidential information. Anything displayed on whiteboards should be accurate and must be removed as soon as possible.
Access Principles
The importance of simple measures designed to maintain the security of your office building should not be underestimated. Unauthorised access to your building could result in theft, release of stolen information, confidentiality breaches, risks to the privacy and safety of employees and customers, legal action, and disruption to business functions. Door codes or electronic fobs should be used to gain entry to the building, and employees should be trained not to write the code down. Many organisations insist that employees wear ID cards. If implemented, these should be worn at all times within the building but never outside of work. If worn outside of work, criminals may quote your information (e.g. name, company and position) to gain access to the building. Two-factor authentication can be implemented to add an additional layer of security, preventing unauthorised personnel from accessing information they shouldn’t. This is where users have to provide two things to gain access, normally something that they know (like a door code) and something that they have (like a fob).
Passwords are essential frontline access restriction tools. A strong password is at least eight characters long; contains upper- and lower-case letters; contains numbers and special characters; and is not easy to guess. You should not share your password with anyone, even your manager, IT support or colleagues. If you disclose your password and crimes are committed using your login credentials, then you are responsible for them. You should change your password at least every 90 days, and immediately if someone discovers it.
Why are Good Storage and Access Practices important?
Good storage and access practices ensure information security compliance. This not only benefits your organisation, shielding it from fines, reputational damage and impaired functioning, but also all those whose data you process. Data breaches can lead to individuals having their rights and freedoms compromised and result in emotional, physical and material damage.
Information security breaches within the health and social care sector often have greater backlash due to the confidential nature of the information held by these organisations. In 2017 it came to light that an IT system used by a third of UK GP practices enabled unauthorised access to patients’ medical records. A massive 26 million patients’ data was breached, as their records could be accessed by healthcare workers across the UK for no legitimate reason. Doctors were informed that they had unknowingly breached their patients’ data protection rights and could be subject to complaints and even disciplinary action. An inappropriate lack of access restrictions in this case led to millions of patients’ data being compromised. Learning points from past breaches should be used to inform practice within your organisation and avoid similar repercussions.