Business data is vulnerable to multiple types of threat. There are prolific news stories about hacking, viruses and malware that open the exterior walls to your data estate, but threats can come from within your business as well as outside.
Identifying your vulnerabilities isn’t always easy, because the impact may not be felt for some time – possibly years – after a compromising event has occurred.
You may not know that one has happened, so if the alarm bells are ringing for you – even if it is a gut feeling only right now, do not wait to see what materialises. Investigate.
We asked Ankura Managing Director, Rob Jones, one of THE experts on data security and data forensics to collaborate with us on producing this guide, because Rob and his colleagues face exactly these challenges on behalf of their clients on a daily basis. And while the risks are always evolving and changing, Ankura are in one of the best positions, globally, to provide guidance on what works and what doesn’t, when it comes to handling a data breach.
What’s the most important question to ask at this point? …
“What kind of compromise do you think has occurred?”, advises Rob. “There are several types and how you handle them will depend on the answer to this initial question.”
The focus of this guide is on business data breaches.
Breaches involving personal data fall within the UK's data protection laws and must be handled according to statutory deadlines and regulated processes.
You must follow these.
In the sections that follow, Rob talks us through the difference between 'inside, out' data compromises and 'outside, in' ones.
His top tips for preventing business data compromises are summarised at the end.
1. From the 'inside, out' data compromises
Improper copying or transmission of data outside an organisation by an employee (or other worker) is one of the most common types of compromise. Employees who engage in these practices are often called 'bad leavers', acting in breach of their duties to you as their employer.
Data almost always leaves a trail
“Data almost always leaves a trail, which means that if you can detect and follow that trail, then as their employer, you can potentially do a number of really neat and helpful things,” Rob confirms, grinning wryly as he describes some of the techniques that Ankura's experts use to rapidly detect and trace data that an employee might be pretty confident they’ve obscured.
What are those neat and helpful things? Well, according to Rob, they make it possible for a business to:
1. assess whether this is an isolated incident, or whether there’s evidence of a pattern of data-abusive behaviour
2. see exactly what data has been copied and/or transmitted
3. understand which devices are being used to copy data
4. identify the destination of any data transmissions and whether any further red flags are raised.
How to optimise your data trail efforts
When an employee is leaving, it is a good idea to:
1. Ask them to return all computers, tablets, mobile phones and removable media they may have. These include hard drives and memory sticks.
2. Get them to hand over their passwords to all software accounts that they have been using on your business's behalf and for which they have been acting as an administrator/authoriser of access by other colleagues - and ideally, check that these passwords all work while the employee is still with you.
(You can usually reset them remotely, unless this employee is a sole administrator, in which case, you will need to ensure that the account is transferred to at least one other appropriate person within your business.
It's good practice not to have just one employee with sole administration rights over any tools that your business uses.)
3. Create an inventory and securely store all devices in case of any inquiries.
4. If you have to re-use the devices right away, make sure that they are forensically copied and then wiped before they are re-issued.
If you do have a bad leaver, this good practice helps to remove doubt about who left the evidence on the device. Forensic copying needn't cost a lot of money.
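As an added example (not from the guide or from Ankura), the following shell routine does what step 4 describes at the command line: it images a device with dd, hashes both the original and the copy with SHA-256, and records the hashes, timestamps and operator in a chain-of-custody log, so that the original is only wiped or re-issued once the copy is known to be faithful. It assumes GNU coreutils (dd, sha256sum) on Linux and, so that it runs offline, uses a constructed 4096-byte file in place of a real device path such as a returned memory stick; the file names used here are illustrative.

```shell
#!/bin/sh
# Added example: a minimal forensic copy with integrity verification.
# Not the guide's or Ankura's own procedure; assumes GNU dd and sha256sum.
set -u

# forensic_image SRC IMAGE LOG
# Copies SRC to IMAGE, verifies the copy by SHA-256 and appends an entry to
# the custody LOG. Returns 0 when the hashes match, 1 otherwise.
forensic_image() {
    src="$1"; img="$2"; log="$3"

    started=$(date -u +%Y-%m-%dT%H:%M:%SZ)
    # bs=512 matches the sector size of a real disk, so the image is the same
    # size as the source; conv=noerror,sync keeps going past unreadable
    # sectors and zero-fills them instead of aborting the copy. Larger block
    # sizes are faster but pad the final block unless the device size is a
    # multiple of that size, which would change the image hash.
    dd if="$src" of="$img" bs=512 conv=noerror,sync status=none || return 1

    src_hash=$(sha256sum "$src" | cut -d' ' -f1)
    img_hash=$(sha256sum "$img" | cut -d' ' -f1)
    finished=$(date -u +%Y-%m-%dT%H:%M:%SZ)

    # Chain-of-custody record: who imaged what, when, and whether it verified.
    {
        echo "started=$started finished=$finished operator=$(id -un)"
        echo "source=$src sha256=$src_hash"
        echo "image=$img sha256=$img_hash"
        if [ "$src_hash" = "$img_hash" ]; then
            echo "result=VERIFIED"
        else
            echo "result=MISMATCH"
        fi
    } >> "$log"

    [ "$src_hash" = "$img_hash" ]
}

# make_sample_device PATH
# Writes a constructed 4096-byte file (eight 512-byte "sectors") that stands
# in for a block device such as /dev/sdb in this offline demonstration.
make_sample_device() {
    yes 'constructed sample data for the forensic image demo' | head -c 4096 > "$1"
}

# Demonstration on the constructed sample device, not on real hardware.
work=$(mktemp -d)
make_sample_device "$work/sdb.bin"
if forensic_image "$work/sdb.bin" "$work/sdb.img" "$work/custody.log"; then
    echo "image verified; custody record written to $work/custody.log"
else
    echo "hash mismatch: do not wipe or re-issue the source device" >&2
fi
```

The point of hashing both sides is that the log entry later lets you show the copy you examined is byte-for-byte what came off the device; if the hashes differ, the device stays quarantined and the copy is repeated rather than the original being wiped.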
2. From the 'outside, in' data compromises
This is where the risk of attack or compromise comes from outside your business, for example, in the form of a cyber attack.
“There’s often not a lot that you can do on your own here,” Rob observes. “You’re likely to need professional help to determine what has happened and to help you to take the right preventative measures to contain any damage.
“Think of your systems and devices as a potential crime scene.
“Data are the DNA and fingerprints that will help you to capture your culprit, so you might find it useful to seek help from a forensic professional. If your data breach is a serious one, court proceedings may become necessary and you will want to serve the best evidence you have.
“Above all else, do not examine the devices without proper forensic tools and procedures – as tempting as it is to find out what has happened, you risk damaging the data trail and the evidence – and you may be doing your case more harm than good.”
You'll also need to consider whether it is necessary to report a data breach.
In a number of situations, you’ll have a legal obligation to report to the Information Commissioner’s Office (ICO), which regulates the handling of data in the UK by all businesses, large and small. You may also need to consider notifying other bodies or organisations, for example the police, insurers, professional bodies, or bank or credit card companies, who can also help reduce the risk of financial loss to individuals.
If the incident was caused by a cyber-attack on your business, you must check whether you also need to report it to the National Cyber Security Centre (known as the ‘NCSC’) and/or Action Fraud, which is the UK’s national fraud and cyber-crime reporting body (or Police Scotland if you’re based in Scotland or the incident took place there).
Check out Farillio's separate guide on how to handle data breaches.
Rob's top tips for preventing business data compromise
Good computer housekeeping helps forensic investigators to help you when something goes wrong. Think about some of the following points ahead of time to give your business a head-start in case you experience a data breach:
1. Know where your data is held
Do you store data locally or in the Cloud? Where is your data backed up?
Having an understanding of your computer systems and data storage ahead of time makes it much easier to respond quickly to an incident, and also helps you keep track of information, which helps you to meet your data protection obligations.
2. Do your employees need to use a username and password to log on to computers and/or the internet at work?
If not, try to implement this – evidence is harder to dispute if it is known which user was logged on at the time, and whether they used a password.
3. Do you have a business computer network in place?
Many small businesses use standalone computers, but setting up a basic network is simple and cost-effective. Not only does it allow evidence of activity on the network to be identified, it also lets you restrict certain areas to certain employees and monitor for unauthorised activity.
4. Do you have a firewall?
Firewalls can be installed quickly and cheaply – they not only help to protect your computers and sensitive information from unauthorised access, but they can also be used to restrict your employees’ access to certain sites.
These restricted sites might include social media, web-mail and remote storage sites, which are often involved in data breaches and other unwanted activity that puts your business at risk.
In the event of an investigation, employee attempts to deliberately circumvent firewalls can also be an important source of evidence.
5. Do you encrypt email and/or sensitive data?
If your systems are accessed by unauthorised individuals, whether employees or “hackers”, encryption makes it much harder for them to view sensitive data.
Strong encryption tools are widely available to encrypt your computer hard drive, email, and important folders and files whether on your computer or in transit.
A quick Google search for the ones that are best-rated by a reputable expert site will give you plenty of options and helpful reviews.
Forensic investigators will need the encryption key to conduct investigations, but since you will know who normally had access to certain documents or folders, this can help to narrow the investigation.
6. Do you have a computer, phones and other devices policy?
This helps both you and your employees to know what is expected of them and makes it easier to take action if things go wrong.
You may also want to check that your data assets management policy and general data protection policies are up-to-date, and that your employment contracts contain appropriate restrictive covenants and data protection provisions, to give you the rights to take action if you need to.
7. Are your employment contracts clear on use of business computer systems and investigation?
Most businesses now make clear that employees’ activity on their systems can be monitored and investigated in appropriate circumstances.
If you don’t make this clear it can make evidence-gathering a lot more difficult and even expose you to legal risks in carrying out an investigation.
You should also consider the extent to which your employees are retaining more data than they should. There’s often little to no commercial benefit in keeping data longer than you legally must, but it can still be a data risk if you’re not paying attention to it.
Following some of these simple tips can help to put you and your business on the front foot when an issue arises.
It’s much easier to deal with these issues before a crisis arises.