Where is your data?
Do your processes and procedures meet the practicalities of modern information storage and business practices?
The past few years have seen a rise in flexible working, with many of us now in remote and hybrid roles. With it, there have been huge changes in the way we store our data, and the way we share it with colleagues who are in different physical locations. Change is inevitable, but what happens when organisational processes haven’t kept up? If data is improperly managed, we can lose track of some very important information and put our organisation at risk of avoidable breaches.
For example, a group of NHS Trust staff sharing patient information via a WhatsApp group resulted in a reprimand from the ICO. Technically, NHS staff can use WhatsApp in general as long as they don’t share any sensitive information. However, 26 staff members did just that on over 500 occasions, including names, phone numbers and addresses. The breach was only discovered because a non-staff member was added to the group.
While it may have made sharing information easy, using WhatsApp in this way not only breached the NHS’s own rules, but also the Data Protection Act 2018.
So, it begs the question: Do you know where your data is?
There was a time when information storage in our workplaces was (fairly) straightforward, and we knew which filing cabinet to find something in, or which folder on the company server. But now there are endless different methods and platforms for storing data, from these familiar filing systems to Cloud infrastructure and collaboration tools. Putting in place processes for keeping track of how your people should handle and store data means your organisation is less vulnerable in the case of a breach.
Consideration should also be given to whether those processes and procedures will still be effective when applied to new technology, and to the potential for teams to take matters into their own hands and use technology that hasn’t been vetted or implemented officially.
It’s also important to remember that Cloud infrastructure and collaboration tools (even the big ones like Google Drive and Microsoft Azure) are vulnerable to cyberattacks. It’s your organisation’s responsibility to audit your provider regularly to ensure that they can evidence Cloud Sovereignty – the monitoring of their storage services to prove compliance with local data privacy and security laws (DPA regulations in the UK).
You’ve audited your cloud service provider, you’ve configured your digital infrastructure and you keep physical data locked away, or securely shred it when it’s no longer needed. You’ve installed extra digital security. That’s your job done, right?
We know that malicious attackers aim to exploit people (we are human after all, and we make mistakes). According to Mimecast's 2023 The State of Email Security Report, 97% of breaches were caused by human error in 2022 (as evidenced by the story above). With phishing attempts up 61% in 2022 compared with the previous year, as well as a rise in ransomware and web domain spoofing, it’s important to ensure your staff are properly trained to anticipate, identify, and prevent hacking attempts.
We spoke to our Information Assurance team about how you can help protect your organisation’s data and prevent malicious attacks from cyber criminals:
We can support your organisation in identifying any current vulnerabilities in your data security and strengthening your defences. Let’s have a conversation about how our experts can work with you.