Alex Dean, a recruitment specialist at Stackhouse Poland, looks at the key issues relating to cyber and data security.
There are dozens of subjects relating to insurance and the recruitment industry that are worthy of exploration within the excellent Boomerang guest blog series. So it is with a mild sense of frustration that I seem only capable of banging on about one – data security and cyber liability.
When I was asked to return with another effort it was with an absolute determination that this one would explore a subject like:
- Employee Benefits
- Fostering an Inclusive Working Environment (this one is particularly relevant given the press my own industry has received over the past couple of months and that we are in the middle of Pride Month)
- Your Responsibilities to Employees on Company Away Days
- Protection of IP and Media Liability etc. etc.
And then in the ten days leading up to the submission of this blog I received no less than five e-mails from hacked accounts requesting that I click on some link or download some urgent document.
All came from recruitment businesses.
So here we go again…
Firstly, I’m not having a go at recruitment businesses here. As an industry, you are generally way ahead of the curve when it comes to data security awareness. This is no coincidence: the implementation of GDPR was a hot topic at all the recruitment networking events I attended in the 12 months leading up to implementation on 25th May. Everyone knows the score and the majority are working proactively to manage their data.
You are an industry whose very foundation is rooted in the processing and storage of data. It is why the ICO has identified the industry as one of particular interest (not least because of the way data is obtained and used).
And that is the trouble. Given that you are required to process data as an integral function of your business, you are inherently exposed to the unscrupulous looking to steal that data or to use it to propagate a wider attack; and, more simply, processing large quantities of data naturally increases the possibility of unintentional disclosure.
I will not go into the details of GDPR here – that in itself is an entire article. For the purposes of this blog, I will be concentrating on the following:
Some Easy Steps to secure your data against attack
- Securing your network
A decent firewall will defend the perimeter and filter out unauthorised access and any malicious content. This should be tested and monitored regularly.
- Update your security regularly
Ensure that anti-virus software updates and patches are implemented when they are published. Create a defined process to implement regular updates and reviews.
- Password protection
This is still an issue, with too many people using ‘password’ as their password. Encourage staff to have passwords at least 16 characters long (the minimum here at Stackhouse Poland is 23). The passwords needn’t be complicated random sequences; they should be memorable, something like “!h4dagreathol!dayin1taly” (I had a great holiday in Italy).
- Encourage user vigilance
Implement policies that encourage vigilance in your staff. Do they know the person that sent the e-mail? Do they ‘hover’ over embedded links to check whether the domain address is legitimate? I fully appreciate that recruiters receive huge numbers of unsolicited CVs and any one of these may include malware. It is therefore important to complement vigilance with virus scanning.
- Portable data storage devices
Produce a policy that manages all access to your network through removable storage and limits the use of mobile media devices. All storage devices that connect to the network should be scanned for malware and should always be encrypted.
What should you do in the event of a breach?
Whether a breach comes from an attack or an accidental disclosure (i.e. sending an e-mail with client data attached to the wrong e-mail address or losing an unencrypted memory stick), it is imperative that you have a comprehensive and tested plan in place.
Firstly, you should have a data management and breach response team comprising people from HR, IT, Compliance and Legal. When a breach is identified it is imperative that you ascertain as soon as possible the circumstances of the breach, the individuals/records affected, the nature of the records compromised, the number of records compromised and the consequences of misuse by third parties.
The response team should work to a business continuity plan that specifically addresses data breaches and assesses the severity of the risk and the appropriate response – this should include engaging external consultants to assist with the investigation and notifying the ICO (within 72 hours of the breach being discovered).
Your response should also include the process of notifying the affected parties. An assessment of the consequences to your business as a result of the notification should also be conducted – if it is serious and you are demonstrably negligent, you may suffer severe damage to your reputation and your bottom line – the TalkTalk breach is an infamous example.
Breaches are becoming far more common – as I mentioned above, I have received five e-mails in the last ten days alone. Data is an extremely valuable commodity and one that is highly coveted by cybercriminals, so it is extremely important that robust measures are put in place to monitor, prevent and react to data breaches.
Of course it is highly advisable that you have a Cyber & Data Liability Insurance policy in place as this can help not only with prevention (many include additional training and monitoring services) but also with breach investigation, notification, interruption to the business because of the breach, regulatory investigations and, where possible, fines by the ICO.
If you need any guidance on Cyber & Data Liability or Cyber and Data Security, please do get in touch.
Call us on 0330 660 0401 or email email@example.com
I have worked in the Corporate Insurance Broking industry for over eight years, both in new business and technical roles and dealing with all classes of insurance policies and industries.