GDPR and security

by Dan Taylor on 8th Feb 2018

GDPR - security is a key priority

As the first in our series of blog posts about the upcoming Europe-wide GDPR (General Data Protection Regulation), we'll be looking at data security, covering some key things to think about, including encryption, where data is stored and who has access, as well as telling you about some of the things we're working on.

Keeping your data secure

At See Green this is something you might have heard us harping on about before. It isn't a new thing; hopefully you're already doing the things we're suggesting in order to protect your website.


Something to think about:

Ensure personal data is encrypted, both in transmission, using HTTPS on your website/system, and at rest (where the data is stored). If you're asking people to send you personally identifiable information via your website and don't already use HTTPS, it is definitely worth thinking about. Encrypted data is very difficult for someone to read or steal without the keys, so imagine you have a computer stolen, or lose a USB stick: with properly encrypted data this shouldn't really cause any big problems, but if it's data anyone could then read or use you could be in big trouble. Some devices (like many smartphones) come with encryption out of the box, which is great, but if you don't set a passcode on your phone it's worthless.
Also, think about data which isn't stored electronically: what do you carry around in a notepad or print-out, and does it contain any personal or sensitive data? Those types of things are harder to protect if you lose them. You can't password protect a paper diary. The same goes for anything you keep in your filing cabinet.

What we're doing at See Green:

All websites we host are now encrypted at rest, so every file and piece of data on your website is encrypted as it's stored to disk. So even in the almost impossible scenario where someone broke into a secure data centre (through the access control, CCTV, the metal cages the servers are kept in and the guards) and stole one of our servers, your data would still be safe. We also make sure all administrative access to our hosting systems is only available to named personnel, and that the systems can only be accessed through a secure connection from our office. In fact we check over 147 different elements of the login attempt before approving access to our systems; as well as the location, these even include the style and speed of how our engineers input their password to check it's really them.

Know who has access to your data

Once you've covered how you're securing your data, next is to think about who has access to it, and do they need access to it.


Something to think about:

There are two main things to consider here. Firstly, does everyone who has access to your data need it? Can you restrict staff so that they can only access the data they need? Do you have a procedure to remove staff access when they leave your organisation, and does that include any online systems and services? In a very small business most staff will probably need access to most data; however, in a bigger business you can start to look at role-based permissions. Secondly, does everyone who has access to data know their responsibilities for protecting that data? Human error is the single biggest cause of a data breach.

What we're doing at See Green:

We're introducing strict new security procedures to verify that anyone who contacts us is who they say they are and has been approved to make changes to an account. As part of this new procedure we'll be contacting all existing customers to confirm the key account holders, and any other contacts who are authorised to access the account, along with implementing more advanced controls so only the key account holder can make significant account changes; in some cases this will include two-step authentication. We'll also be conducting regular account reviews, contacting each key account holder to make sure the list of authorised contacts we hold is up to date. Our own staff receive regular training on these procedures.

Five top things 'to do'

  1. Check your websites are as secure as they need to be

  2. Password protect all devices and encrypt them where possible

  3. Audit where data is stored, and not just electronically

  4. Understand who has access to your data and if they really need access

  5. Get help if you need it

If site security is a bit too techy, or you're unsure how best to protect yourself and your systems, get in touch with us on 01904 500500.