
Where is your data?

Do your processes and procedures meet the practicalities of modern information storage and business practices?


The past few years have seen a rise in flexible working, with many of us now in remote and hybrid roles. With it, there have been huge changes in the way we store our data, and the way we share with colleagues who are in different physical locations. Change is inevitable, but what happens when organisational processes haven’t kept up? If data is improperly managed, we can lose track of some very important information and put our organisation at risk of avoidable breaches.

For example, a group of NHS Trust staff sharing patient information via a WhatsApp group resulted in a reprimand from the ICO. Technically, NHS staff can use WhatsApp in general, as long as they don’t share any sensitive information. However, 26 staff members did just that on over 500 occasions, sharing names, phone numbers and addresses. The only reason the breach was discovered was that a non-staff member was added to the group.

While it may have made sharing information easy, using WhatsApp in this way not only breached the NHS’s own rules, but also the Data Protection Act 2018.

So, it begs the question: Do you know where your data is?

New technology, new issues

There was a time when information storage in our workplaces was (fairly) straightforward, and we knew which filing cabinet to find something in, or which folder on the company server. But now there are endless different methods and platforms for storing data, from these familiar filing systems to Cloud infrastructure and collaboration tools. Putting in place processes for keeping track of how your people should handle and store data means your organisation is less vulnerable in the case of a breach.

Consideration should also be given to whether those processes and procedures will still be effective when applied to new technology, and to the potential for teams taking matters into their own hands and using technology that hasn’t been vetted or implemented officially.

It’s also important to remember that Cloud infrastructure and collaboration tools (even the big ones like Google Drive and Microsoft Azure) are vulnerable to cyberattacks. It’s your organisation’s responsibility to audit your provider regularly to ensure that they can evidence Cloud Sovereignty – the monitoring of their storage services to prove compliance with local data privacy and security laws (DPA regulations in the UK).

The human problem

You’ve audited your cloud service provider, you’ve configured your digital infrastructure, and you keep physical records locked away, or securely shred them when they’re no longer needed. You’ve installed extra digital security. That’s your job done, right?

Not quite.

We know that malicious attackers aim to exploit people (we are human, after all, and we make mistakes). According to Mimecast's 2023 The State of Email Security Report, 97% of breaches in 2022 were caused by human error (as the story above illustrates), phishing attempts were up 61% on the previous year, and ransomware and web domain spoofing were also on the rise. It’s important to ensure your staff are properly trained to anticipate, identify, and prevent hacking attempts.

How can I mitigate the risk?

We spoke to our Information Assurance team about how you can help protect your organisation’s data and prevent malicious attacks from cyber criminals:

  • Implement an audit programme. Have a plan in place to audit your collaboration tool and cloud services providers (or any supplier!) regularly. You can request documents from your provider to ensure they are up to date on their relevant cyber security processes and certifications.
  • Ensure regular training is conducted for all your staff and stakeholders, including how to handle, process and store both physical and digital information.
  • Ensure your digital infrastructure is configured correctly and checked regularly; a configuration review, usually conducted by a Penetration Tester, is an easy and efficient way to do this.
  • Make use of Data Loss Prevention (DLP) tools. These can include technology which detects and blocks suspicious activity, as well as human-led processes to identify and report suspicious activity, which allows you to monitor your data and keep it secure.
  • Ensure that only official, vetted environments are used for data use and storage, and that you have provided guidance on how to keep data secure that members of your organisation can follow when using these platforms.
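To make the "detects and blocks" half of the DLP bullet concrete, here is an added example, written for this article rather than taken from it or from any DLP product, of the content-inspection step such a tool performs before a message leaves a sanctioned channel. It scans a constructed chat export for the two identifier classes in the NHS story (phone numbers and addresses, the latter approximated by a UK postcode), applies an assumed policy (one identifier class: warn; two together: block) and produces a redacted copy for the human-led review process the same bullet describes. The sample messages, the policy thresholds and the detector patterns are all assumptions made for the example.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample export (not real data). The phone numbers use the Ofcom
# range reserved for fiction, so they cannot belong to anyone.
SAMPLE_MESSAGES = [
    ("alice", "Shift swap tomorrow? I can cover the 2pm clinic."),
    ("bob", "Patient J. Smith needs a call back on 07700 900123, lives at 12 High St, SW1A 1AA"),
    ("carol", "Meeting room booked, ref 2024-0131"),
    ("dave", "Call +44 7700 900456 before discharge"),
]

# Detector patterns (assumed for this example; a production DLP tool would use
# tuned classifiers and exact-data matching rather than two regexes).
UK_PHONE = re.compile(r"(?<!\d)(?:\+44\s?7\d{3}|\(?07\d{3}\)?)\s?\d{3}\s?\d{3}(?!\d)")
UK_POSTCODE = re.compile(r"\b[A-Z]{1,2}\d[A-Z\d]?\s*\d[A-Z]{2}\b")
DETECTORS = {"phone": UK_PHONE, "postcode": UK_POSTCODE}


@dataclass(frozen=True)
class Finding:
    kind: str   # which detector fired
    value: str  # the matched text, kept for the reviewer's evidence trail


def scan_text(text: str) -> list[Finding]:
    """Run every detector over one message and return what each one matched."""
    findings: list[Finding] = []
    for kind, pattern in DETECTORS.items():
        for match in pattern.finditer(text):
            findings.append(Finding(kind, match.group(0)))
    return findings


def decide(findings: list[Finding]) -> str:
    """Assumed policy: a single identifier class warns; two classes together
    (e.g. phone plus address) can identify a person, so the message is blocked."""
    kinds = {f.kind for f in findings}
    if not kinds:
        return "allow"
    if len(kinds) == 1:
        return "warn"
    return "block"


def redact(text: str) -> str:
    """Replace every match with a category marker so reviewers can see what was
    caught without the sensitive value itself being copied into the report."""
    for kind, pattern in DETECTORS.items():
        text = pattern.sub(f"[{kind.upper()} REDACTED]", text)
    return text


def process_export(messages: list[tuple[str, str]]) -> list[dict]:
    """Scan a whole export and return one report row per message."""
    report = []
    for sender, text in messages:
        findings = scan_text(text)
        report.append({
            "sender": sender,
            "decision": decide(findings),
            "findings": findings,
            "redacted": redact(text),
        })
    return report


if __name__ == "__main__":
    for row in process_export(SAMPLE_MESSAGES):
        print(f"{row['sender']:6} {row['decision']:5} {row['redacted']}")
```

Run as written, it allows alice and carol, warns on dave (phone only) and blocks bob (phone plus postcode). Two caveats a practitioner would want: pattern-based detection both misses identifiers written in unexpected forms and fires on innocent text (a booking reference that happens to look like a postcode), so the warn tier exists precisely to route borderline cases to a person rather than silently blocking them; and the scan only helps on channels the tool can see, which is why the bullet above pairs it with guidance that keeps data in official, vetted environments.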

So, do you know where your data is?

We can support your organisation in identifying any current vulnerabilities in your data security and strengthening your defences. Let’s have a conversation about how our experts can work with you.