Keeping good records is vital for a business of any size. However, figures suggest that UK businesses are far from setting a good example when it comes to record-keeping. HM Revenue and Customs found that until January 2012, 39% of businesses inspected had some issue with their record-keeping.

All information that is created, sent and received in business is potentially a record. Management of these records is the process of looking after information through careful supervision and administration; whether they are digital or paper records, they need to be managed to a high standard.

What is Record Management?

Records management activities include the creation, receipt, maintenance, use and disposal of records. These records could be in the form of contracts, memos, paper files, electronic files, reports, emails, videos, instant message logs or databases. Paper records may be stored in physical boxes on-premises or at a storage facility whilst digital records may be stored on storage media in-house or in the cloud. Whatever the format, and however they are stored, they need to be managed carefully.

The goal of records management is to help organisations keep the necessary documentation accessible for both business operations and compliance checks. This kind of conscientiousness saves a lot of time and a lot of stress in the event of something like an audit. In smaller businesses, spreadsheets may be used to track where records are stored and for how long, but larger organisations may need to install records management software suites. These can be linked to tax collection and a records retention schedule to help streamline processes.

Good records management will:

  • Help you to do your job better by increasing the ease and efficiency of work; you can find the information you need quickly which allows you to get on with your work
  • Increase your accountability, allowing you to provide evidence of previous events/transactions, offering up clear information that can be used if problems occur
  • Increase company efficiency by making sure that you’re only keeping records you need
  • Give you reliable records of high value if they’re ever needed as evidence due to their standards in validity, accuracy, and relevance
  • Prove you’re following legislation by complying with the expected standards

The consequences of poor records management are:

  • Poor service delivery through a lack of efficiency
  • Inaccurate and less confident decision making from employees because they’re having to work with below-standard/no records
  • Partial or non-compliance with legislation that can lead to penalties from HMRC
  • Potential financial losses if an organisation is unable to defend its interests
  • Wasted time and manpower from trying to find the records you need

Vital records, as the name suggests, refer to important events; specifically, they are records of life events that are kept under governmental authority. This includes birth certificates, marriage licences, and death certificates.

When it comes to records management, the term ‘vital record’ means a record that is essential for the organisation to continue with its business both during and after a disaster. In other words, if it were not available, the company would be prevented from carrying on with its day-to-day work.

Less than 5% of records are identified as vital and although losing most records will cause inconvenience, you can often work around it or recreate records. Vital records are the ones required in order to operate.

There are four areas that could count as a ‘disaster’: flood, fire, security, and environmental pollution. Vital records allow businesses to continue functioning even if the disaster destroys all other records.

Different Types of Vital Records

There are five categories of vital records:

  1. Emergency: This is needed immediately after a disaster to help recovery such as staff contact details
  2. Legal: They prove ownership or interests such as contracts and leases
  3. Financial: Demonstrates the income and spending of a business; this could be a monthly report or bank details
  4. Operational: They are required for critical services such as security procedures and IT configuration information
  5. Organisation/Stakeholder right: This protects the interests of all parties, for example, annual accounts and shareholder registers could be included

Identifying a Vital Record

It is necessary to identify vital records to ensure that they remain secure, accessible and easily locatable during a disaster. Vital records form a core part of disaster recovery and business continuity planning.

Companies need to protect the right records, rather than spending lots of resources on securely storing non-essential records whilst leaving vital records open to vulnerability.

To identify your vital records you should consider the following:

  • Identify the key functions, business processes and stakeholders of your department
  • Identify the potential impact of not providing these functions
  • Identify the records needed to support these functions and processes
  • Identify which of these records are vital – if the functions these records support can be re-established when they’re lost, then they’re not vital

How to Protect Vital Records: Electronic

  • Electronic vital records must be stored on central servers so that they are protected by back-up and disaster recovery
  • Don’t store vital records on portable media, such as USB sticks, DVDs or CDs
  • Don’t store vital records on a laptop’s hard drive or on your personal hard drive
  • Use a durable, readable format such as PDF/A, plain text or rich text format for records that need to be stored for a long period of time

How to Protect Vital Records: Hard Copies

Vital Records which are only available in paper format should be duplicated, in the same or original format depending on requirements, with the originals and copies stored in separate locations, if possible. There are two ways of doing this:

  • Scan and save them electronically
  • Use off-site storage

A record is anything that supports the business such as business decisions, policy documents and approval documents. This includes emails, paper documents or electronic files that provide evidence of a business’s activity.

Data and information can then be held as a record physically such as a book or electronically in a computer file, or even as a video. Most of the information you use in day-to-day working life will be classed as a record as a result.

Whilst records can deal with business activities such as policies and procedures, invoices, and meeting reports, the following are not generally classed as records:

  • Personal communication
  • Externally published information
  • Blank forms or templates
  • Personal emails
  • Personal diary
  • Draft of a policy

Different Types of Records:

Unrestricted records tend to cover information that is easily found on web pages. They are made available to the public, such as details of available services, contact information, organisational decisions, or environmental information.

Contextually sensitive records are normally available to the public, but sometimes circumstances prevent this. If the record is in draft form, it cannot be released until it is in its final format. If the information includes a third party, then this information cannot be made public without that person’s permission. In these examples, records may only be contextually sensitive for a short time, although this may vary.

Personal and Confidential Records are held about citizens, clients, customers, employees or any other individuals. This could include basic details such as names and addresses, or extend to much more personal data such as sexual orientation and political views.

Extremely Sensitive Records may be any type of information, meaning it doesn’t always have to be personal data. If these types of records were lost or made public, it would have a very negative effect on the reputation of the organisation as it could lead to consequences such as loss of life, damage to our ability to carry out our work, massive financial losses or the public’s safety being put at risk.

Why Record Management is Important

Management of records is the process of looking after information through careful supervision and administration; whether they are digital or paper records, they need to be managed to a high standard.

The goal of records management is to help an organisation keep the necessary documentation accessible for both business operations and compliance checks, improving organisation which saves a lot of time, and a lot of stress.

The benefits of good records management are that it…

  • Increases the ease and efficiency of work
  • Increases your accountability by offering up clear information that can be used if problems occur
  • Means that your records are of high value if they’re ever needed as evidence due to their standards in validity, accuracy, and relevance
  • Shows you’re following legislation by complying with the expected standards

Equipping your business with a records management policy means having a structure ready when you need it. By having a strong policy in place, it means that you are prepared to keep records to a high standard, and benefit as a result.

A policy should clearly set out your approach to records management and address your overall commitment, the role of records management, links to relevant policies and documents, staff roles and responsibilities, and monitoring of compliance.

Steps you can Take Towards a Good Policy…

Records management organisation: Your business has allocated records management responsibilities.

Records management risk: Your business has identified records management risks as part of a wider information risk management process.

Records management training: Your business incorporates records management with a formal training programme. This includes mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.

Monitoring and reporting: Your business carries out regular checks on record security and monitors the compliance with records management procedures.

Record creation: Your business has set minimum standards for the creation of paper or electronic records.

Information you hold: Your business has identified where you use manual and electronic records keeping systems and actively maintains a centralised record of those systems.

Information standards: Your business has processes in place to ensure that the personal data you collect is accurate, adequate, relevant and not excessive. Additionally, regular reviews are carried out to remove any records that are out of date or no longer relevant.

Tracking of paper records: Your business has tracking mechanisms to record the movement of manual records.

Offsite transfer of electronic records: Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.

Secure storage of records: Your business stores paper and electronic records securely with appropriate environmental controls and high levels of security around special categories of personal data.

Access to records: Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. This can be done by implementing role-based access and checking it regularly.

Business continuity: Your business has business continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of your business, also known as vital records.

Disposal of data: Your business has a retention and disposal schedule which details how long you will keep manual and electronic records. Your business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.

The BBC

The BBC’s records management policy incorporates the freedom of information requirements as well as all information held in the former Core Records Policy and the Records Management Standards. The policy defines how the BBC records information and how it should be managed to standards which ensure that vital and important records are identified.

Additionally, their policy makes sure that the corporation holds records that meet the expected standards. This means that they are relevant, sufficient, timely, reliable and consistent with operational need, and that legal and regulatory obligations are met. It also defines the roles and responsibilities for the creation, safekeeping, access, change and disposition of the information.

They comply by having the policy in the first place, and it is subject to a regular review process too, to keep it efficient.

Keeping good records is vital for a business of any size. However, figures suggest that UK businesses are far from setting a good example when it comes to record-keeping. HM Revenue and Customs found that 39% of businesses had some issue with their record-keeping, highlighting how records management isn’t up to the standards it should be.

All information that is created, sent and received in a business is potentially a record. How you manage these records, whether they’re digital or paper, can have serious consequences for a business.

The goal of records management is to help an organisation keep the necessary documentation accessible for both business operations and compliance checks, all things that save a lot of time and stress.

Making sure your business is compliant around record management is a must. By complying, the efficiency and accountability of the business increases, and it keeps you on the right side of legislation to avoid penalty fees.

Compliance Checklist

Records management organisation: Your business has allocated records management responsibilities.

Records management policy: Your business has approved and published an appropriate records management policy. This should be subject to a regular review process.

Records management risk: Your business has identified records management risks as part of a wider information risk management process.

Training: Your business incorporates records management with a formal training programme. This includes mandatory induction training with regular refresher material, and specialist training for those with specific records management functions.

Monitoring and reporting: Your business carries out regular checks on record security and monitors the compliance with records management procedures.

Record creation: Your business has set minimum standards for the creation of paper or electronic records.

Information you hold: Your business has identified where you use manual and electronic record keeping systems and actively maintains a centralised record of those systems.

Information standards: Your business has processes in place to ensure that the personal data you collect is accurate, adequate, relevant and not excessive. Additionally, regular reviews are carried out to remove any records that are out of date or no longer relevant.

Tracking of paper records: Your business has tracking mechanisms to record the movement of manual records.

Offsite transfer of electronic records: Your business has appropriate measures in place to transfer electronic records off-site and protect personal data from loss or theft.

Secure storage of records: Your business stores paper and electronic records securely with appropriate environmental controls and high levels of security around special categories of personal data.

Access to records: Your business restricts access to records storage areas in order to prevent unauthorised access, damage, theft or loss. This can be done by implementing role-based access and checking it regularly.

Business continuity: Your business has continuity plans in place in the event of a disaster. This includes identifying records that are critical to the continued functioning or reconstitution of your business, also known as vital records.

Disposal of data: Your business has a retention and disposal schedule which details how long you will keep manual and electronic records. Your business has confidential waste disposal processes to ensure that records are destroyed to an appropriate standard.

Good Records Management…

  • Increases the ease and efficiency of the business; you can find the information you need quickly, allowing you to get on with your work
  • Increases your accountability by providing evidence of what has happened in the past, offering up clear information that can be used whenever it’s needed
  • Gives you reliable records of a high value if they’re ever needed as evidence
  • Shows you’re following legislation by complying with the expected standards

Poor Records Management Means…

  • Poor service delivery through inefficiency
  • Inaccurate decision making from employees because they’re having to work with records of a low standard
  • Partial or non-compliance with legislation that can lead to penalty fines from HMRC
  • Potential financial losses if an organisation is unable to defend itself
  • Wasted time and manpower from trying to find the records you need

Having good quality information means that you keep records to a high standard so that they are accurate, secure, and reliable. Good records management can only be achieved by making sure your records are up to scratch in the first place; if you’re managing badly kept documents, it takes away the whole point of looking after them.

Every organisation needs its information to be reliable in order to plan, allocate and prioritise resources and deliver its services effectively. As an employee, you have a responsibility to ensure that the quality of the records you create will support this.

The importance of good documentation shouldn’t be underestimated.

Information Quality Criteria

Accurate: Records must be accurate, meaning that all the details are correct and exact. To ensure that the information in a record is accurate, it should be captured as soon as possible after the event has taken place.

Valid: Information in records must be valid. This means that it has a sound basis in logic and fact. It also means that where national rules apply they need to be followed. For example, government requirements specify certain information that financial records must contain in order to be classed as valid, for businesses and public sector bodies alike. Pushing for validity also means that the information you are producing is consistent over time.

Reliable: Information in records should always be collected in the same way to ensure reliability. This means that anyone using the records can be confident that variations are due to real changes, rather than differences caused by a changing collection method.

Timely: Information in records must be used in a timely manner. This doesn’t mean rushing, but you can’t be slow when it comes to records management, because records can quickly become out of date, at which point they lose their value.

Relevant: Information in records should be relevant to its purpose. If the requirements for the records change, then you need to review the information to make sure that it meets the new requirements, maintaining its relevance as a result.

Complete: This sounds simple, but an unfinished document is pretty useless. There tend to be requirements for records that need to be met so that they achieve everything they’re supposed to. By including everything needed, you are meeting these requirements.

Information Security at Work

Having a file plan is the perfect way to keep control of your records to increase efficiency and organisation of the business information. A file plan is a structure for the organisation to control their documents, whether that’s paper-based or electronic records. File plans should be based on the activities and functions of the company rather than organisational structures as these are more likely to change. A good file plan in place means that:

  • It’s easier and quicker to find records
  • Information sharing is improved
  • Duplication is reduced
  • Retention and disposal are more manageable
  • Records are accessible when someone leaves

An Electronic Document and Records Management System (EDRMS) is a computer-based system that holds file plans and guidance on where and how to file digital records. Many other tools may be provided, such as search and retrieval systems, version control systems, e-discovery tools, tools to assist with records requests and tools to manage the four-stage record lifecycle.

Records need to be stored safely, securely and in good conditions. Avoiding shared storage areas is a great way of doing this, but if filing cabinets are used, then make sure they are kept locked. Basic things like making sure records are dry, kept out of extreme temperature conditions, and out of reach of unwanted visitors make all the difference too.


If organisations manage their records well, it makes it so much easier to make sound, evidence-based decisions, and to maximise the value of information your organisation holds. If, on the other hand, records are poorly managed, you could soon find yourself coming face-to-face with serious business, legal, and financial issues. Remember, information is one of an organisation’s most important assets – it needs to be recorded and stored with care.
The life cycle of records is an important process when it comes to records management. It is basically a way of looking at how records are created and used, highlighting how records become less important as time passes. This is backed by the fact that the first 90 days of the “life” of a record are when 90% of the use takes place; after that 90-day period, records tend to be forgotten about and stored away. Since there’s a short period of high use followed by a longer period of low use, the use and value of a record will come to an end and it may be destroyed.
This process is known as the lifecycle of a record, made up of four stages: create, maintain, store, and dispose of. Weirdly, the lifecycle of a record actually holds similarities with that of a biological organism:

  • It is born = Creation
  • It lives = Maintain and Store
  • It dies = Dispose


1. Create
When you first create a record you need to make sure that you’re creating it in the best format possible. Checking on factors such as accuracy, validity, reliability, and relevance is important at this stage.
2. Store
Accessibility is vital for a record, if you fail to store it correctly there is little point having it at all! Records should be stored in a well-organised filing system to ensure that people can always find them in order to use them when needed, without having to go on a wild goose chase in the process!
3. Maintain
Maintaining records correctly means that no matter how old they are, they can always be accessed when required. The information contained in the records should be easy to read by explaining any jargon or codes, achieving a consistent level of understanding from the readers as a result.
4. Dispose
Records must be disposed of appropriately to avoid problems in the future, whether this means they’re transferred to archive storage, to another organisation, or completely destroyed. Details of destroyed records must be kept by the organisation to avoid anything getting into the wrong hands.
Why is the Lifecycle of a Record Important to Manage?
The lifecycle is crucial as it is the starting point when creating a records management programme. Without the lifecycle, records management programmes would never be cost-effective, and the efficiency with which they are run would decrease.
Tools, systems, and procedures are developed to manage each phase of the life cycle. For example, file plans and tracking systems are specifically made to help manage records. A retention schedule is a tool that manages the movement of records from one phase to the next.
Having good record management means that the efficiency, performance, and accountability of the business is increased because of how they manage their records.
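As an added illustration of how a retention schedule moves records through the four stages described above (this is example code written for this page, not a tool from the course or any product it mentions), the Python below places each record in a stage from its age, lists which records are due for disposal, and writes a disposal register entry when a record is destroyed or archived, so that details of destroyed records are kept. The record categories, retention periods, identifiers and dates are constructed assumptions, not statutory figures.

```python
"""Added example, not code from the course page: a small retention schedule
that places each record in one of the four lifecycle stages (create, store,
maintain, dispose) from its age, and writes a disposal register entry when a
record is destroyed or archived. The categories, retention periods, record
identifiers and dates below are constructed for illustration."""
from dataclasses import dataclass
from datetime import date
import hashlib

# Constructed schedule: how long a record stays in high use after creation
# (the page cites the first 90 days) and how long it is retained in total.
# The retention periods are illustrative assumptions, not legal requirements.
RETENTION_SCHEDULE = {
    "invoice":       {"active_days": 90, "retain_days": 6 * 365},
    "staff_contact": {"active_days": 90, "retain_days": 2 * 365},
    "draft_policy":  {"active_days": 30, "retain_days": 365},
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    created: date
    vital: bool = False   # vital records are never disposed of automatically


def lifecycle_phase(record: Record, today: date) -> str:
    """Return the lifecycle stage of a record on the given day."""
    rule = RETENTION_SCHEDULE[record.category]
    age = (today - record.created).days
    if age < 0:
        raise ValueError(f"{record.record_id}: creation date is in the future")
    if age == 0:
        return "create"
    if age <= rule["active_days"]:
        return "store"       # high-use period: filed so it can be found quickly
    if age < rule["retain_days"]:
        return "maintain"    # low-use period: kept readable and accessible
    return "dispose"         # retention expired: destroy or transfer


def disposal_review(records, today: date) -> dict:
    """Split records whose retention has expired into those that can be
    disposed of and vital records that must be held for sign-off."""
    due = [r for r in records if lifecycle_phase(r, today) == "dispose"]
    return {
        "dispose": [r.record_id for r in due if not r.vital],
        "hold": [r.record_id for r in due if r.vital],
    }


def dispose(record: Record, today: date, method: str, register: list) -> dict:
    """Destroy or transfer a record and append an entry to the disposal
    register, so the organisation keeps details of what it disposed of."""
    if record.vital:
        raise PermissionError(f"{record.record_id} is vital: disposal needs review sign-off")
    if lifecycle_phase(record, today) != "dispose":
        raise ValueError(f"{record.record_id} has not reached the end of its retention period")
    if method not in ("shred", "secure-wipe", "archive", "transfer"):
        raise ValueError(f"unknown disposal method {method!r}")
    # Fingerprint of the record's metadata (not its content) for the register.
    fingerprint = hashlib.sha256(
        f"{record.record_id}|{record.category}|{record.created.isoformat()}".encode()
    ).hexdigest()
    entry = {
        "record_id": record.record_id,
        "category": record.category,
        "created": record.created.isoformat(),
        "disposed_on": today.isoformat(),
        "method": method,
        "metadata_sha256": fingerprint,
    }
    register.append(entry)
    return entry


# Constructed sample records and review date.
TODAY = date(2024, 1, 15)
SAMPLE_RECORDS = [
    Record("INV-0001", "invoice", date(2017, 6, 1)),
    Record("INV-0002", "invoice", date(2023, 12, 1)),
    Record("STF-0001", "staff_contact", date(2022, 1, 15), vital=True),
    Record("POL-DRAFT-7", "draft_policy", date(2023, 11, 1)),
]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.record_id, lifecycle_phase(r, TODAY))
    print(disposal_review(SAMPLE_RECORDS, TODAY))
    register = []
    dispose(SAMPLE_RECORDS[0], TODAY, "shred", register)
    print(register)
```

The design point is that the schedule, not the individual, decides when a record leaves the maintain stage, and that a vital record whose retention has expired is held for review rather than destroyed by the same routine that shreds an old invoice. The register entry records metadata only, never the content, so the organisation can show what was destroyed and when without retaining the record itself.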


Social engineering is another technique used by hackers to gain personal data from individuals through unauthorised access. This happens by hackers either contacting you directly and conning you into handing over your details, or getting you to open a link or attachment that installs malware onto your device. If you have ever received an email asking for personal information or telling you that your account is at risk unless you provide login details, or attempted to open something that caused you to see a security flag from your anti-virus software, then you have encountered social engineering.

The Strains of Social Engineering:

There are different techniques of social engineering used by hackers depending on their own knowledge and skills. It doesn’t tend to be the most challenging form of cybercrime, but it is for this exact reason that it is the fastest-growing type of crime hackers are committing. The accessibility of the resources means that the attacks can potentially result in big prizes with limited effort needed to get them.

Baiting

Working in disguise, baiting is when malware is hidden, and you don’t know it’s there until you have installed it onto your device. It can be physical, in the form of an infected USB stick lying around that once plugged in exposes the device to malware. Most commonly though, it comes electronically. This comes when you are sent a link that, despite appearing to be harmless, creates an entry point for malware as soon as you click on it, highlighting how fast you can have problems through the most unexpected areas.

Phishing

Falling victim to phishing is when you are targeted through a fraudulent message by a hacker pretending to be a legitimate source. Their aim is either to get you to hand over personal information directly or to provide you with a malicious link that spreads malware. In both cases, phishing is the most personal type of attack.

Hackers are getting better at it too. By using professional marketing techniques, they are able to create an incredibly legitimate-looking email, causing recipients to do as it says because they don’t question the source at all. It is because of this growing sophistication in the preparation of phishing that hackers are achieving success 50% of the time, stressing how too many people are falling victim to hackers through an avoidable case of human error.

Attackers pose as legitimate sources such as well-known high-street names in order to gain the trust of the recipient. The message could be sent to a group of people, for example customers of a certain bank, or to one specific person who is targeted through a highly tailored message; the latter is known as spear phishing.

Pretexting

This technique became a much more mainstream topic when Barclays produced a number of adverts on the dangers of cybercrime in 2017, one of which was a perfect example of pretexting. This is when someone lies to gain privileged information over the phone. This specific example showed a professionally dressed “bank worker” asking a customer for their security PIN over the phone; by handing this over, the customer gives the hackers access to their accounts, and from there they have the power to cause significant financial damage. It doesn’t take many pieces of information for criminals to be able to access your accounts and take everything.

Scareware

Presenting itself as a ‘knight in shining armour’ is how scareware infects your device with a virus. An example of this could be a pop-up advertised as a ‘fix’ against a supposed viral threat to your device. By agreeing to this fix, malware is installed. The technique scares you into thinking you’re in trouble and causes you to make a panicked decision, and as a result you actively download the virus instead, rather than avoiding it.

Social Engineering Trends

The development of the internet means that as we become more and more dependent on it, the number of vulnerabilities increases too. This has caused a species of hackers to grow in skill and sophistication to keep finding new ways to catch people out.

No matter the size of the company, hackers will try to make a profit from it. Ironically, this is illustrated by the security company RSA. The attack started with two phishing emails being sent to a number of employees, titled ‘Recruitment Plan’ and including an Excel spreadsheet attachment supposedly containing further information on the plans. What it really contained was malware that was then let loose into the systems, compromising the company’s network and data. The result was a $66 million (£49m) loss, alongside a dangerous knock to their reputation.

This case points out how quickly a danger can spread through a company due to human error from employees. By failing to educate and train them on the threats of cybercrime, you are creating nothing but a weak line of defence, and consequently leaving your organisation at risk.

Steps to Protect Yourself from Social Engineering

Cyber security training means that the level of understanding within a business is increased and results in a consistent workforce in their attitudes around the topic. At the end of the day, employees are the ones that are on the lookout for suspicious activity, so training in email/social media/password/anti-virus software use can allow them to be prepared in detecting and responding to problems effectively. Social engineering is the human interaction and tailoring that comes with cyber attacks, so dealing with that effectively requires a prepared workforce. At the end of the day, the software can only benefit an organisation when it is in the hands of people with the right skills.

As a support to human training, the use of email gateways adds further security by controlling and monitoring what gets in and out of your networks. This can prevent the majority of harmful messages from even getting close to the inbox, and as a result the organisation can remain in a protected bubble, keeping out the hackers to avoid financial and reputational ruin.

Nothing you download can give you a 100% protection guarantee, but teaming it with strong levels of human competency through training means that the chance of hackers getting in is reduced significantly.

The concept of phishing is simple: pretend to be someone you’re not to get money or personal details out of someone through an element of trust. What is worrying is that nearly 100,000 people reported receiving phishing emails in 2015, and with this style of attack being successful (for the hackers) 50% of the time, too many people are falling victim to phishing through an avoidable case of human error.

Attackers pose as a legitimate source such as well-known high-street names in order to gain the trust of a victim. From there, they can distribute malicious links and attachments in the form of malware, all in the hope that the unsuspecting user will click on the link, open the attachment, or even hand over sensitive information voluntarily such as bank details or login information, all because they think the sender is legitimate.

How Phishing Works

Phishing works through careful preparation in order to create a convincing email that has a strong chance of being delivered successfully. This is why social networking is a prominent technique in phishing through any kind of electronic communication methods such as email or direct messages on social media.

The hackers work by gathering information on their target to make the message as tailored as possible, resulting in something that seems more legitimate. By knowing details like your name, address and work history, they can personalise their attack so that you are less likely to see it as a con, and as a result, you will innocently follow the instructions they send you, causing you to fall into their trap.

The prime time for phishing is around major current events such as the coronavirus pandemic to keep the scam current and therefore seem more ‘real’ for the recipient. For example, during the coronavirus pandemic, security experts have reported a substantial rise in phishing email scams related to the coronavirus – the worst they have seen in years. The BBC followed up on reports of individuals and businesses being targeted with phishing emails and came across a variety of campaigns including tax refunds from the HMRC, email attachments from the World Health Organisation (WHO), bitcoin donations to help fight the coronavirus and scare tactics aimed at giving up work or personal email details.

Whatever the subject, the objective is to gain an entry point for malware to infect the device.

The Ever-Growing Field of Cybercrime

The sophistication of hacking groups is growing due to the increased research and skill they have in their techniques of attack. So whilst phishing emails used to frequently be poorly written with fuzzy graphics that gave the game away, they are now using the same techniques as professional marketers to compose the most effective messages.

The first waves of cybercrime came when emails and social media became popular because it was an accessible way for hackers to target a large audience with minimal effort and skill needed. Criminals are able to target users directly by sending infected emails straight to someone’s inbox, all ready for the unsuspecting recipients to open and consequently spread malware into the network.

The cost of phishing scams can be catastrophic for companies. No matter what size or industry you’re in, you can become a target for hackers if there is a profit to be made. Walter Stephan is a perfect example of how anyone can be caught out, and of why the ‘I wouldn’t fall for it’ attitude isn’t something you should rely on.

Stephan was the CEO of a plane company called FACC for 17 years, so he was far from being a newbie in the industry. After receiving an email from what he thought was someone superior within the company, he fell for the lie around a secret transaction needing to be carried out. The result was that a whopping $56.79 million (around £39m) was taken, and he lost his job immediately.

This example not only highlights how any business can be targeted with phishing emails, but also the creativity that hackers use to achieve their desired result – a profit. As well as the direct effect on the company, the knock-on reputational damage cannot be ignored either. Only 17% of customers said they trust companies now, compared to a decade ago, highlighting how the growing number of online crimes is something customers are more than aware of. If customers cannot trust you to look after their sensitive data, there is little chance of prosperity in the future. An increasingly digitally-aware public means that reputation is everything.

Combating Phishing Threats

Defending your organisation from phishing comes from knowing what to look out for. This can only come from a strong email gateway combined with a human understanding of the topic, achieved through training, so that staff know what to look out for.

Training and Education in the Workplace

By downloading infected programs, links, or documents through what seems like a harmless email, the hacker can get into your whole system to do whatever they want with the data they find.

Remaining vigilant over cybersecurity is exactly how you can protect your organisation, because breaches are often caused by employees inadvertently creating an entry-point into the systems and networks, something that email awareness training can prevent from happening. Computer literacy can sometimes be dismissed as ‘common sense’, but the increased sophistication of the phishing emails being produced means that anyone can be a target, so everyone should be able to understand the threats and reduce the success rate of the criminals. Regular training should never be neglected, as the damage it could prevent could make or break the future of a business.

Email Gateways

As a backup to the human training that reduces the risk of phishing, having a strong email gateway is something that all organisations should also treat as a priority.

Acting as the controller of what gets in and out of a network by using different filters and checks, an email gateway can prevent the majority of harmful messages getting to you in the first place. Finding the right gateway for your organisation is very important. Look for one with advanced features that go beyond the basic antivirus/antiphishing/antispam settings and include the newest technologies to keep up with the threats out there. Also, look out for something that is customisable to you and maintains a reliable reputation through a low level of false-positive/negative cases.

Remember that no solution provides 100% protection, which is why the training as well as having a gateway is so important.
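The executive-impersonation pattern from the FACC case above is the kind of thing a gateway filter can flag before it reaches an inbox. As an added example that is not from the original article, the Python check below (the company domain, executive directory and sample messages are constructed placeholders) raises reasons when a message uses an executive's display name from the wrong address, redirects replies elsewhere, or leans on secrecy and urgency wording, while letting a genuine internal message through without a hit.

```python
# Added example (not from the original article): a minimal gateway-style check
# for the executive-impersonation pattern. Domain, directory and messages below
# are constructed for illustration only.
import email
from email.utils import parseaddr
from typing import List

INTERNAL_DOMAIN = "example-co.invalid"                     # assumed company domain
EXECUTIVES = {"jane doe": "jane.doe@example-co.invalid"}   # assumed directory
SECRECY_WORDS = ("confidential", "secret", "urgent", "do not discuss")


def check_message(raw: str) -> List[str]:
    """Return the reasons a message looks like executive impersonation (empty if none)."""
    msg = email.message_from_string(raw)
    name, addr = parseaddr(msg.get("From", ""))
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    # 1. Display name matches a known executive but the address is not theirs.
    expected = EXECUTIVES.get(name.strip().lower())
    if expected and addr.lower() != expected:
        reasons.append(f"display name '{name}' matches an executive but address is {addr}")
    # 2. Reply-To points at a domain other than the sending domain.
    if reply_to and reply_to.rpartition("@")[2].lower() != from_domain:
        reasons.append(f"Reply-To domain differs from From domain ({reply_to})")
    # 3. Secrecy or urgency language in the subject or body.
    text = (msg.get("Subject", "") + " " + (msg.get_payload() or "")).lower()
    hits = [w for w in SECRECY_WORDS if w in text]
    if hits:
        reasons.append("secrecy/urgency wording: " + ", ".join(hits))
    return reasons


# Constructed sample messages: one impersonation attempt, one genuine internal mail.
SUSPICIOUS = """From: Jane Doe <jane.doe@example-co-mail.invalid>
Reply-To: ceo.office@freemail.invalid
Subject: Confidential acquisition - urgent transfer
Content-Type: text/plain

Please wire the funds today and do not discuss this with anyone.
"""

LEGIT = """From: Jane Doe <jane.doe@example-co.invalid>
Subject: Q3 planning
Content-Type: text/plain

Let's pick a time for the review.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, check_message(raw))
```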

Data Protection is the precautionary procedure used to control personal information used by businesses and organisations. The Data Protection Act (DPA), recently updated in 2018, complies with some of the directives stated within the European General Data Protection Regulation (GDPR). Businesses in the UK are obliged to abide by the protection principles listed in the DPA, from the initial period of receiving personal data to the terminating period, in which data is either returned or destroyed.

Consequently, it is essential that staff members are thoroughly educated and trained with handling personal data. The Information Commissioner’s Office (ICO) maintains and enforces the DPA across the UK, therefore awareness and understanding of the DPA is essential to businesses to ensure they do not breach it, which would result in action from the ICO.

The UK’s DPA is now in its third generation; therefore, organisations are required to modernise and comply with these new regulations. Data protection regulations vary in relation to small and medium-sized enterprises (SME) and large business. This variation is only slight, yet still calls for comprehension.

How does the DPA affect SMEs in particular?

Researchers have suggested that the SME sector is quite unclear as to how the DPA will affect them, therefore the ICO’s guidelines have established that if an organisation, regardless of size, is handling personal data from a living and identifiable individual, then they must comply.

The recent Cambridge Analytica scandal highlights that the size of a company has little impact on whether it should comply with data protection regulations. Cambridge Analytica was considered an SME, with less than 250 employees; however, Cambridge Analytica’s implication in the data breach of ten million Facebook users has led to financial consequences. Facebook users’ data was leaked to Cambridge Analytica, the small firm campaigning for Donald Trump in 2016. Subsequently, Cambridge Analytica has been banned from Facebook following its data breach and refusal to delete this data back in 2015.

This exemplifies the mishandling of personal data by a business giant such as Facebook and an SME such as Cambridge Analytica. Consequently, SMEs and all businesses which handle personal data fall within the scope of the DPA.

Data Destruction Policy

Businesses are required to formulate a data destruction policy to comply with the DPA. This data destruction policy is formulated to ensure that data previously held on devices, such as company hard drives, flash memory devices and mobile phones, is made irretrievable.

Computer recycling has hindered data destruction policies, as organisations have discarded computers without effectively destroying the data held on them. The business sector is saturated with IT systems, therefore there is a responsibility to destroy the data on these computers to prevent cyber-criminals from gaining access to personal data.

Researchers in the UK retrieved personal information in the form of bank account details, company data and medical records from over 300 hard drives bought on eBay and at computer auctions. This research was headed by BT’s Security Research Centre following the highly sensitive case in which a hard drive bought from eBay contained details of a US military missile air defence system. Consequently, data destruction has become imperative if a business wants to mitigate the risks of a data breach.

How serious are the repercussions of a data breach within a business or organisation?

The repercussions of a data breach have intensified with the new legislation. The ICO can now fine an organisation up to four percent of their annual global turnover, or twenty million euros, whichever is higher.

Yahoo! UK Services Limited were fined £250,000 by the ICO following a data breach in November 2014. This data breach encompassed 500 million Yahoo! users and witnessed the compromise of their personal data.

The ICO considered the response from Yahoo! UK Services Limited inadequate, as it did not conform with the organisational measures needed to protect personal data. Therefore Yahoo! UK Services Limited were found guilty of breaching the seventh data protection principle of the DPA 1998.

This principle states that:

‘Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.’

The severity of this economic repercussion enforced by the ICO upon this organisation demonstrates the crippling nature of a data breach. Therefore, it is essential for a business or organisation to avoid a data breach, to ensure that such repercussions are not experienced.

Through well-formed knowledge and training which has modernised in conjunction with the new DPA legislation, businesses can ensure that compliance with the DPA is upheld. Therefore, staff members and businesses collectively will have a confident base to work from regarding their data protection.