Somebody, somewhere has their eyes on your data. But some of this data is not yours - it belongs to your customers. Rightly so, they expect you to protect it. You have a duty of care to safeguard and nurture their data. Fail in your duty to care for this data and it becomes vulnerable to hackers.
When hackers accessed the details of up to 2.4m Carphone Warehouse customers in 2015, every single one of those customers will have felt let down. Although inertia kicks in, you can bet that a significant number of those customers moved to an alternative supplier.
Unlike others in the animal kingdom, we are programmed to nurture and protect. Security will be considered and managed; some companies may even have a strategy for “Threat Hunting.” However, we are still capable of errors; every precaution you take can be undermined by the Human Factor. As the ICO reported earlier this year, 4 out of 5 data breaches are caused by either human error or process error. You need to be awake to that risk.
According to J.T. Hallinan, an American Pulitzer prize-winning journalist, humans are pre-programmed to make blunders. We humans are typically overconfident in our own abilities. This attitude leads us to believe we are above average at everything (such as driving a car) – a statistical impossibility that can also result in a lack of duty of care in data protection.
Most companies see their backup server as a backstop, not a security risk, but this reactive approach can lead to embarrassing situations caused by the frailties of human nature.
Consider the following to help protect yourself from human error:
- Role Based Access
In the Carphone Warehouse case, the ICO, in its investigation, identified 11 key issues, one of which was the lack of “rigorous controls” over who had login details. It is important to ensure that users’ access is appropriate for the requirements of their job. Check that they have secure passwords and that they change them frequently. But don’t just assume that this will protect you. Is your backup system linked to your Active Directory controls?
- Good Leaver or Bad Leaver – have a process for all leavers
What happens when your users leave? Are their accounts automatically disabled as part of the exit process? Is the backup system monitored to ensure that this happens?
- Intrusion Detection
Does your backup system warn you of suspicious activity, such as an excessive number of invalid passwords, or password resets being made by users with administrative access?
- Password management
What about passwords that are used across the company? Rather than remembering how a backup client authenticates with the backup server, many organisations just set a simple password. That’s a hacker’s dream.
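As an added illustration (not from the original article or any vendor's product), the following Python checks a constructed backup-server audit log for the two signals named under Intrusion Detection: a burst of invalid passwords for one account, and password resets performed by an administrative account. The log format, account names, threshold and time window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log in an assumed "TIMESTAMP EVENT key=value" format,
# not output from any real backup product.
SAMPLE_LOG = """\
2015-08-05T09:00:01 LOGIN_FAIL user=svc_backup src=10.0.0.12
2015-08-05T09:00:04 LOGIN_FAIL user=svc_backup src=10.0.0.12
2015-08-05T09:00:07 LOGIN_FAIL user=svc_backup src=10.0.0.12
2015-08-05T09:00:09 LOGIN_FAIL user=svc_backup src=10.0.0.12
2015-08-05T09:00:12 LOGIN_FAIL user=svc_backup src=10.0.0.12
2015-08-05T09:01:30 LOGIN_OK user=alice src=10.0.0.40
2015-08-05T09:02:00 PASSWORD_RESET actor=bkp_admin target=alice
2015-08-05T09:03:00 PASSWORD_RESET actor=alice target=alice
2015-08-05T10:30:00 LOGIN_FAIL user=bob src=10.0.0.41
"""

ADMIN_ACCOUNTS = {"bkp_admin"}       # assumed: accounts with administrative access
FAIL_THRESHOLD = 5                   # assumed: this many failures ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this window counts as "excessive"


def parse_line(line):
    """Split 'TIMESTAMP EVENT k=v k=v ...' into (datetime, event, {k: v})."""
    ts, event, *fields = line.split()
    return datetime.fromisoformat(ts), event, dict(f.split("=", 1) for f in fields)


def detect(log_text, admins=ADMIN_ACCOUNTS, threshold=FAIL_THRESHOLD, window=FAIL_WINDOW):
    """Return sorted (alert_kind, detail) pairs for the two signals described in the text."""
    alerts = set()
    failures = defaultdict(list)  # user -> timestamps of LOGIN_FAIL still inside the window
    for line in filter(str.strip, log_text.splitlines()):
        ts, event, kv = parse_line(line)
        if event == "LOGIN_FAIL":
            # Sliding window: keep only earlier failures close enough to this one.
            recent = [t for t in failures[kv["user"]] if ts - t <= window] + [ts]
            failures[kv["user"]] = recent
            if len(recent) >= threshold:
                alerts.add(("excessive_login_failures", kv["user"]))
        elif event == "PASSWORD_RESET" and kv["actor"] in admins and kv["actor"] != kv["target"]:
            # An administrator resetting someone else's password should be reviewed.
            alerts.add(("admin_password_reset", f"{kv['actor']}->{kv['target']}"))
    return sorted(alerts)


if __name__ == "__main__":
    for kind, detail in detect(SAMPLE_LOG):
        print(f"ALERT {kind}: {detail}")
```

A self-service reset (alice resetting alice) and a single failed login for bob fall below the thresholds and produce no alert, which is the tuning point: the window and count must match how your backup clients actually authenticate.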
To summarise, your system is only as strong as its weakest link. You have a duty of care to make sure that this is not a member of your own team. Don’t leave your customers’ data to fend for itself.
Contact us about a Security Audit of your backup system and we’ll help you to identify those weaknesses before the criminals do.
Contact Steve at firstname.lastname@example.org