- 3 April 2023
- Category: News
There are many factors that contribute to the success of a business, but if there is one asset that has become synonymous with business success in recent years, it’s data. Estimates suggest that the volume of data generated globally doubles every 2 years. For businesses, data is integral to internal processes: it helps us manage and improve client relationships, enables us to anticipate product demand and allows us to scope out new markets and prospects.
As a creative, marketing or communications agency you know the rewards for properly harnessing and exploiting data can be huge, but doing so is certainly not without risk. According to the UK’s 2022 Cyber Security Breaches Survey, almost two fifths of UK businesses identified a cyber breach event in the 12-month survey period. Of those attacked, almost one third reported experiencing attacks at least once a week, and a fifth of those afflicted experienced a negative outcome. Over the course of the 12-month study period, the average cost of materially impactful cyber-attacks was found to be £4200, rising sharply to £19,400 when only medium and large businesses are considered.
Unfortunately, these statistics likely conceal a much darker reality, as organisations without the necessary cyber security infrastructure will likely be oblivious to many or all of the breach attempts they face, leading to underreporting.
The importance of taking data protection seriously in your London-based business
From ransom payments and fraudulent transactions to downtime disruption and hardware damage, the negative impact of cyber breaches can manifest in countless ways, both direct and indirect. Additionally, failing to take data security and privacy seriously in the first place can lead to reduced client confidence in an age where customers are increasingly cognizant of the threats facing their data and how costly data compromise can be.
In the creative sector it’s not just personal data you have to worry about: the content you create needs protection too. Your intellectual property is the manifestation of your brand values, and represents thousands of hours of work. Failing to protect it could see it fall into the hands of competitors who’ll then be able to benefit from your efforts.
Data protection is no longer just a commercially-savvy ‘nice-to-have’; it’s a legally mandated necessity. The 2010s were the decade when data protection hit the mainstream business consciousness thanks to the EU’s GDPR, which has since evolved post-Brexit into the Data Protection Act 2018 (UK GDPR). Enforced by the Information Commissioner’s Office, this legislation gives data subjects the right to enquire about how their information is being used, demand its erasure or modification and prohibit its use in certain processes or activities. It also compels data processors to safeguard the privacy and integrity of personal information using measures that are appropriate to the level of risk faced.
In addition to the severe financial and legal repercussions that can result from data breaches, a failure to take data protection obligations seriously can be a barrier to obtaining cyber insurance or making a claim on an existing policy. We’ll explore this later in this article, but first, let’s consider your business’s compliance obligations and how IT can be used to meet these challenges.
Compliance condensed – Your key data protection obligations and what they mean for your IT systems
If your business handles or stores personally identifiable information (which it does), then you are bound by the stipulations of the General Data Protection Regulation. As we’ve mentioned, this regulation was superseded by the UK Data Protection Act 2018, but because this newer legislation essentially has GDPR as its foundation, we’ll make reference to the GDPR rather than the DPA 2018 for reasons of clarity and convenience.
You may be well aware that the bulk of the GDPR’s provisions relate to why and how data is being used, and the rights of the data subject in terms of controlling their information. The six ‘lawful bases’ for processing, for example, set out criteria that must be met in order for the processing of personal data to be legally permissible, and the ‘rights of the data subject’ outline the rights held by individuals in respect of their personal data, such as the right to access their data and the right to request its erasure. There are, however, a small number of key provisions that relate to data security, and adhering to these is a critical element of GDPR compliance.
Article 32 – Security of processing
Article 32 contains the component of the GDPR that is most pertinent to data security: the security principle. It states that:
“Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:”
It then goes on to advocate a number of measures data handlers should consider to ensure the ongoing integrity of data. Let’s consider how you might go about implementing these…
“(a) the pseudonymisation and encryption of personal data;”
Encryption is the practice of encoding plain-text information into an indecipherable format, accessible only to the intended recipient or viewer who possesses the ‘key’ or password needed to decrypt it. Options for implementing encryption include:
- End-to-end encryption. Used to secure data-in-transit, end-to-end encryption safeguards data from malicious interception, and is particularly useful for protecting communications transiting the internet. Protocols for implementing in-transit encryption include HTTPS, SSL, TLS and FTPS (note that SSL has been superseded by TLS and its older versions should no longer be enabled).
- Database Encryption. Database encryption converts information stored in databases into indecipherable ‘ciphertext.’ Database encryption provides elevated data protection, but it’s often only recommended for the most sensitive information types, as widespread encryption can be costly and result in significant performance penalties.
- Cloud-based encryption. Cloud based encryption services such as Microsoft Azure Storage Service Encryption provide heightened protection for cloud-hosted data.
- Software-based encryption. This form of encryption refers to a range of software tools that can be used to encrypt information both at-rest and in-transit. Software-based encryption is often used at device-level to protect files stored on a computer’s hard drive, but it can also be used to safeguard network-transiting data.
Pseudonymisation is the process of directly altering plain-text information in a way that makes it impossible for onlookers to directly link it to an individual without additional information that is kept separately. Pseudonymisation lowers the potential impact a cyber breach might have by making information less usable to an attacker.
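As an added illustration of the pseudonymisation measure described above (this is example code written for this article, not a Cubit Technology tool), the script below replaces direct identifiers in constructed client-contact records with keyed HMAC tokens. The secret key is the ‘additional information’ that must be stored apart from the data: the same person always receives the same token, so records can still be joined for analysis, but nobody without the key can recompute or reverse the tokens.

```python
"""Keyed pseudonymisation of direct identifiers (GDPR Article 32(1)(a)).

Example code for this article; field names and sample records are
constructed for illustration, not taken from any real system.
"""
import hashlib
import hmac
import secrets
from typing import Dict, List

# Fields whose values identify a person directly (assumed schema).
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonymisation_key() -> bytes:
    """Generate a 256-bit key. Store it separately from the pseudonymised data."""
    return secrets.token_bytes(32)


def pseudonymise_value(value: str, key: bytes) -> str:
    """Derive a stable, keyed token for one identifier value.

    Normalising case and whitespace first keeps 'Jo@Example.com' and
    'jo@example.com' linked to the same token. An unkeyed hash would be
    recomputable by anyone who could guess the input, so a secret-keyed
    HMAC is used instead.
    """
    normalised = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:32]


def pseudonymise_records(records: List[Dict[str, str]], key: bytes) -> List[Dict[str, str]]:
    """Replace every direct identifier in each record with its keyed token."""
    out = []
    for rec in records:
        out.append({k: pseudonymise_value(v, key) if k in DIRECT_IDENTIFIERS else v
                    for k, v in rec.items()})
    return out


# Constructed sample records; these are not real people.
SAMPLE_RECORDS = [
    {"name": "Alex Example", "email": "Alex@Example.com", "campaign": "spring-launch", "opens": "3"},
    {"name": "alex example", "email": "alex@example.com", "campaign": "summer-sale", "opens": "1"},
    {"name": "Sam Sample", "email": "sam@example.org", "campaign": "spring-launch", "opens": "0"},
]

if __name__ == "__main__":
    key = new_pseudonymisation_key()  # keep this away from the output below
    for row in pseudonymise_records(SAMPLE_RECORDS, key):
        print(row)
```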
“(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;”
This measure implicitly refers to what you might consider ‘conventional’ cyber security measures and practices.
Maintaining ‘confidentiality’ and ‘integrity’ means ensuring data is only accessible to those who need to see it, that measures are in place to properly authenticate the identities of those seeking access and that controls are implemented to prevent erroneous or malicious editing, removal or deletion of data. These aims could be achieved in a number of ways:
- Multi-Factor Authentication. Requiring the submission of another piece of identifying information in addition to the standard username/password combination, multi-factor authentication provides a more secure way to verify identities than conventional practices.
- Access Controls. Administrators should grant access to resources on a strictly as-needed basis, with a least-privilege (minimum access) policy recommended to minimise security risk. As a marketing, creative or communications agency you likely divide client projects among your team in a way that partitions responsibility. If so, try implementing role-based access controls to grant access to resources, and withdraw access when projects draw to a close.
- Anti-Malware measures. Precluding malware intrusion is vital to protecting the integrity and confidentiality of information. Malware countermeasures can be implemented in a number of ways, from device level antivirus software that’s able to detect and remediate threats to firewall protections that limit access to malevolent corners of the internet.
- Effective Patch Management. As security vulnerabilities become apparent, software developers develop fixes – known as ‘patches’ – to correct them. Applying these fixes in a timely manner is important in order to minimise the threat posed by these vulnerabilities, with remote patch management a helpful capability when managing security fixes across a large number of dispersed endpoints.
“(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;”
This requirement demands the establishment of plans and systems that allow for the timely recovery of data following a disruptive event. Such events include any occurrence that is likely to inhibit access to personal data, such as cyber-attacks, hardware failure, utility outages, fire, theft or natural disasters.
Creating an all-encompassing business continuity plan is the best way to go about satisfying this requirement. Designed to ensure swift service recovery following an incident, this plan should make provisions for the restoration of business-critical data by outlining the data backup services in use, and instructions for the operation of each. Staff tasked with actioning the incident response should be clearly named in the plan, as should any third-party organisations designated to provide assistance.
It is recommended to establish data backups in line with best practice guidance in order to guarantee swift data recovery and maximise business resilience:
- Operate an offsite backup. At least one copy of data should be stored in an offsite location. This provides a recoverability option should the main backup location suffer serious damage or compromise. The 3-2-1 backup principle recommends keeping 3 copies of data (one of which is the original) on 2 different storage media, with 1 copy physically separated from the main storage location.
- Schedule Regular Backups. Backup frequency should achieve a balance between data protection demands and system performance. Most data backup services can automate backups according to a user-defined schedule, and retention periods can be set to balance compliance needs with storage.
- Perform regular tests. Regular testing of backup services should be carried out to ensure that the recovery process is quick and effective, and that data is being copied in a complete and accurate manner.
“(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”
In addition to establishing measures to provide security to personal data, the GDPR expects organisations to implement regular testing to determine the ongoing effectiveness of the measures undertaken. There are a number of ways to evaluate and improve data security posture on a continuous basis, including:
- Vulnerability Scans. Vulnerability scanning should be performed against systems in order to detect the presence of known vulnerabilities. The reports generated from vulnerability scanning can be used by IT security personnel to correct system weaknesses and apply supplementary security measures where necessary. Vulnerability scanning should be conducted at least quarterly in order to maintain network integrity.
- Penetration Testing. Penetration testing (or ‘pen testing’ as it’s often known) is the practice of simulating cyber breach events in order to test the integrity of an IT system and the efficacy of its security measures. Pen testing examines security posture much more deeply than vulnerability scans, as multiple breach pathways are explored in order to draw attention to hidden vulnerabilities in multi-layered security architecture. Experts recommend carrying out penetration testing at least annually or following any major IT system change.
- Collect and Review Audit Logs. Audit logs are records of IT system events. In the context of data security, audit logs allow security teams to analyse security incidents post-event, providing details of user activity and the corresponding system reaction. Like vulnerability scans and penetration testing, audit logs can be useful for evaluating current security posture and making enhancements where necessary.
It’s incumbent on all organisations to take all reasonable and proportionate steps to protect the personal data they handle. Failure to do so can carry severe consequences, ranging from loss of customer confidence and reputational damage to litigation and the issuance of fines from the ICO for GDPR non-compliance.
Many organisations seeking indemnity against such financial harm turn to cyber insurance, often failing to realise that the cover doesn’t absolve them of responsibility for maintaining adequate data security protections.
The limitations of Cyber Insurance
Cyber Insurance is a beneficial fallback in a world of constantly evolving and increasingly sophisticated cyber threats. It’s near impossible to make an IT system impervious to cyber dangers, so having a comprehensive policy in place can provide peace of mind, and help an organisation recover from even the most damaging security event.
Insurance is no substitute for taking sensible and measured precautions when it comes to data privacy however, and many providers demand detailed evidence of a proactive approach to security before cover is approved.
The National Cyber Security Centre advises organisations seeking cyber insurance to establish a range of baseline security controls such as those set out in the government-backed Cyber Essentials scheme. This provides sound foundational protection, and accreditation with the scheme offers cyber liability insurance through the IASME consortium.
Insurers use cyber insurance risk assessments to determine an applicant organisation’s eligibility for cover, their coverage limits and the premiums to be paid. This process can take a range of forms, from self-assessment questionnaires to third-party audits. Eligibility criteria vary, but most insurers look for evidence of cybersecurity training, centralised patch management, frequent and secure data backups, regular vulnerability scanning, regular auditing of user identities/privileges and firewall protections.
In our online age, the rewards for embracing digital transformation are plentiful, but the stakes are also high. Although not a sector associated with regulatory compliance, the creative industries are far from immune from the challenges and responsibilities of data protection; and while cyber insurance provides a welcome safeguard, nothing is ever a substitute for a well-considered, comprehensive cyber-security strategy.
Cubit Technology – Impactful IT Support and Management for London’s Creative Sector
Located in the heart of Central London, Cubit Technology provides IT support, management and consultancy services designed to help dynamic creative sector businesses flourish through technology. From forward-thinking IT management that eliminates downtime, to individualised consultancy delivered with a friendly smile, we help businesses harness technology as a stimulant for growth and we’d love to have you onboard. Get in touch today to find out how we could help your business thrive through technology.