Practical data security
Eamonn Fogarty, director of Brookland Computer Services, provides some easy-to-use checklists for maintaining data security in an adviser firm.
Any financial advice business is built on its client relationships. This requires firms to keep a range of personal data including financial, medical and other details relevant to an adviser providing the right level of financial advice, potentially over many years.
Consequently it is very important to understand the laws surrounding personal information when reviewing data security in any company, and to ensure all processes within the organisation adhere to them. The Data Protection Act 1998 lays down specific areas and elements in this respect. For further details on businesses’ responsibilities under the Data Protection Act go to: www.ico.gov.uk/for_organisations.aspx.
It pays for a firm to have in place a formal, documented security policy that is communicated and made available to all staff, so they are aware of both the firm’s and their own responsibilities in relation to the Act.
Security policy basics
When developing a security policy a company should ensure the following:
• It addresses security risks for the company in an appropriate way.
• It is feasible and not complicated to implement.
• The processes are concise and easy to understand.
• Data is adequately protected but still accessible.
• It meets fully all the requirements under the Data Protection Act 1998.
Following a few logical steps enables even the smallest of businesses to develop a security policy, or to review their existing policy to ensure it is up to date and relevant, without too much stress involved.
1. The first step is to assess the information you hold as a firm: What is it? Where is it kept? What would happen if it were lost or stolen?
2. The second step is to identify the potential threats: External threats, such as viruses/hackers etc.; internal threats, such as vulnerable or disaffected staff; and disasters, such as fire or floods.
3. Next, assess the risk. How likely is each threat to materialise and what would be the consequences?
4. Assign responsibilities. Each person in an organisation should know exactly what their responsibilities are under the policy.
5. Put it in writing. The policy should be aligned with other company policy documents and employment contracts.
When implementing the policy ensure the following:
a) All staff are aware of their responsibilities regarding data.
b) A process is established to monitor and uphold compliance with the security policy.
c) It is very clear what will happen if anyone breaches or disregards the policy.
d) A senior member of the company has overall ownership of the policy.
e) A budget is maintained for compliance with the policy.
Finally, the security policy should be reviewed periodically to take into account any changes in the data protection laws or within the organisation itself.
What impacts on security?
There are many things within a company that have an impact on security and should be taken into consideration to make sure that all the bases have been covered.
There is the physical security of a firm’s offices. Here, alarms and CCTV, a door buzzer/keypad entry system and signing-in books can help to control and monitor visitors. A high level of security for the areas where servers are kept is an obvious measure, as is locking filing cabinets when not in use; a clear desk policy also reduces the risk of data being accessed by unauthorised persons.
Staff can present a significant security issue. When recruiting, credit and criminal record checks should be proportionate to the role’s access to client data. These checks should be repeated on a regular basis so your firm is aware of any problems that may have arisen in the meantime, along with keeping in touch with staff so that changes of personal circumstances can be noted.
Ongoing supervision and training are important, as are regular reviews to check that all staff fully understand their responsibilities for data security.
Also, when a member of staff leaves the firm, their email and internal system accounts should be disabled as soon as possible or, where they need to be kept open for a short period, the password should be reset. Third party accounts should also be disabled and any Unipass authority should be revoked.
Easy access to broadband and WiFi has made remote working increasingly commonplace, and via cloud computing, administrative and back-office systems now allow financial advisers to access data and work on live files when they are away from the office. This can bring enormous benefits to an adviser business, but there are risks, as the level of security at a remote location is difficult to maintain to the same standard as in the office. Measures to consider here that can help protect data are:
1. Make staff aware the security policy applies no matter from where they are working.
2. Ensure all machines used for remote working are protected with anti-virus software/firewall.
3. Staff should only connect to the company network via a VPN or encrypted software.
4. Staff should adhere to some basic rules when working remotely.
Protecting data from attack
Here are some simple ways to protect your systems and data from attack or loss.
Anti-virus software/anti-malware software: Viruses, worms, Trojans and other malicious programs can infect your computer and cause serious problems for your business, so it is important to protect the servers, desktops, laptops and gateways with anti-virus software as well as carrying out full system scans at regular intervals.
Firewalls: All connections to the internet need protection and a firewall will guard against external threats, such as intrusion, as well as allow you to regulate the sites to which employees have access.
Data encryption: Encryption ensures that only authorised persons can read the data. This avoids the issue of highly valuable/sensitive information getting into the wrong hands should equipment be stolen or left somewhere.
Client data should never be held on a laptop, memory stick or other portable device unless it has been encrypted.
Equipment disposal: Be aware before disposing of old equipment that simply deleting data on a hard drive will only remove the index entry pointing to the file’s location, leaving the file’s contents intact on the disk. Seek professional advice and/or help to clear out the contents of machines that are to be discarded.
General Security Advice
Finally, here are some general tips to employ and to pass on to your staff around maintaining security awareness.
1. Don’t leave your computer switched on when not in use and shut down at the end of the day.
2. Don’t open unexpected or suspicious email or files attached to suspicious messages.
3. Don’t forward virus warnings/chain letters received by email, as the majority are false.
4. Enable the security settings in your browser and do not remove them permanently.
5. Do not disclose personal/sensitive/company information on unsecure internet pages.
6. Make sure your software is up to date so you are protected against any security problems.
7. Undertake regular reviews to ensure staff only have access to the systems and customer data they need to do their jobs, so that if they change roles within the company their access rights are revised accordingly.
8. Preferably, use secure email that provides encryption of emails and their attachments so they can only be opened and viewed by the intended recipient.
Increasingly, data is being held on secure remote servers as part of what are termed cloud computing services. These provide the benefit of ensuring data is secure from attack and loss, with multiple back-up systems and state-of-the-art encryption and anti-virus software. However, there will always be a need for more local security measures and I hope this article has given you some simple but useful checklists that you can use in your business.
Secure email services
An area where we see business issues arising constantly is where personal and financial data is sent to and from clients and providers via non-secured email.
Unfortunately, the prevalence of email as a business tool has made it top of the list for electronic criminal activity, which means firms have to seek greater levels of security if they are to both keep data safe and adhere to the law and the rules of the regulator.
In response to this criminal threat, regulatory bodies have set out their recommended minimum requirements for electronic data security. The Financial Services Authority (FSA) laid down clear guidelines on this subject when it published its paper on Data Security in Financial Services (April 2008). Financial organisations now face investigation and the threat of a fine by the Regulator if they are found to have inadequate provision.
No matter what size of business, where you are sending personal details via email it makes sense to employ a secure, encrypted email service. These days this type of service can often be rolled in with an anti-virus and anti-spam system for minimal cost. Set that against the potential damage to client trust, the possibility of a fine from the regulator and the reputational damage to a business and there is really no reason not to employ a secure email service.
For more information on Brookland Computer Services go to: www.brookland.co.uk