The security of customer data is an area of increasing concern for many organisations. There have recently been several high-profile stories in the press of data being stolen through ‘hacking’ of systems, or through the theft of staff laptop computers containing sensitive information. Here we highlight some of the biggest potential areas of risk, and some basic precautions to consider:
1. Email. Unfortunately, email is not secure, and it is possible for third parties to ‘eavesdrop’ on email messages. The widespread practice of sending login and password information for data systems to colleagues via email can therefore be risky. It is better to send the information in two parts, perhaps sending the login name by email and communicating the password verbally or via SMS message.
2. FTP Transfers. FTP is a method often used to transfer files between two offices or organisations. As with email, FTP is insecure in that both the login information and the files themselves are transmitted as plain text. To improve security, some form of encryption should be used, either by encrypting each file before sending it, or by using Secure FTP (SFTP) instead.
3. Laptop Computers. While the theft of any company computer is a major concern, staff laptops represent a particularly high risk due to their portability. Adding passwords to individual files or the laptop itself offers little protection. The best approach is to ensure that staff laptops do not contain any sensitive data. Where this is impractical, strong encryption should be used to ensure that the contents of a stolen laptop are impossible to access.
4. Web Applications. There are risks attached to any web-based system which provides staff with access to sensitive information. If the system is not on a secure server, it is possible for a hacker to capture staff login details. Furthermore, systems which are not carefully designed and tested may contain loopholes which could be exploited to gain access to the data. It is important to test systems very carefully, and an independent security audit may also be beneficial.
5. Computer Viruses. A computer virus could cause a variety of problems, including the corruption or loss of data, or ‘spying’ on login details entered by a user and secretly sending them to a third party. Up-to-date software to protect against viruses and ‘spyware’ is essential.
6. An ‘Inside Job’. While it is a situation which any company hopes will never arise, there is also a risk of staff members misusing their access to sensitive data. It is a good idea to ensure that access to customer data is given only to those staff who need it. Care should also be taken when staff members leave (potentially to work for a competitor) to ensure that their accounts are cancelled promptly and any shared passwords are changed.