How to Deal with Data Incidents and Breaches

How to Deal with Data Incidents and Breaches

Introduction

In today’s digital age, data security is paramount. Despite the best efforts, data breaches and incidents can happen. It is essential to have a robust process in place to deal with such incidents. This post follows on from our blog, Understanding the Difference Between Data Incidents and Data Breaches, and will discuss the steps to take when dealing with data incidents and breaches.

Read more: How to Deal with Data Incidents and Breaches

Internal Reporting

The first step when a data incident or breach occurs is to report it internally. The internal reporting process should be well-documented and communicated to all employees. The incident response team should be notified immediately. The team should consist of members from various departments, including IT, legal, and HR.

Once the incident response team has been notified, they should investigate the incident to determine the cause and scope of the breach. They should also take steps to mitigate the damage and prevent further breaches. The team should document their findings and actions taken for future reference.

Risk Assessing for a Breach

After the incident response team has completed their investigation, a risk assessment should be conducted. The risk assessment should determine the potential impact of the breach on individuals and the organisation. The assessment should consider the sensitivity of the data breached, the number of individuals affected, and the potential harm to those individuals.

The risk assessment should also consider the likelihood of harm occurring and the organisation’s ability to prevent or mitigate the harm. The risk assessment results should be used to determine whether the breach needs to be reported to the Information Commissioner’s Office (ICO).

If you are struggling to identify if it is a breach, check out the ICO self-assessment.

Reporting a Breach to ICO

Under the General Data Protection Regulation (GDPR), organisations must report certain types of data breaches to the ICO within 72 hours of becoming aware of the breach. The ICO defines a data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

Organisations should report a breach to the ICO if it is likely to result in a risk to the rights and freedoms of individuals. The ICO provides an online self-assessment tool to help organisations determine whether a breach needs to be reported.

When reporting a breach to the ICO, organisations should provide as much detail as possible about the breach, including the type of data involved, the number of individuals affected, and the steps taken to mitigate the damage. Organisations should also notify affected individuals if the breach is likely to result in a high risk to their rights and freedoms.

Conclusion

Data incidents and breaches are a reality in today’s digital world. It is essential to have a robust process in place to deal with these incidents. The process should include internal reporting, risk assessing for a breach, and reporting a breach to the ICO when necessary. By following these steps, organisations can minimise the impact of a data breach and protect the rights and freedoms of individuals.

If you would like to know how we can help you, you can either check out our services page or book a free discovery call to see how we can support you further.

GDPR: How to Make Your Website Compliant

GDPR: How to Make Your Website Compliant

If you run a business, you likely have a presence on the web, a website, in other words.

For some, that site might be an online store where visitors can purchase your products directly. For service providers, it may be a site promoting those services and informing potential customers about your quality and the benefits your services bring.

A well-crafted, engaging website is all about credibility; it is an opportunity to make that critical first impression. We tend to focus on those things when creating our sites or working with those who can do it on our behalf.

Many, though, tend to forget the importance of GDPR compliance, or at least put it on the back burner; the result, of course, is that an alarming number of websites aren’t as compliant as they should be…

Here are some of the most overlooked areas of website compliance:

Cookies are classified as a type of identifier, one which can often (in the case of authentication cookies) contain personal data used to log in to accounts. They might also collect information such as unique IDs and site preferences to better tailor content to a user’s tastes.

The regulations around cookies relating to GDPR and PECR (Privacy and Electronic Communications Regulations) are complex and wide-ranging depending on your business and the purpose of your site. They might not always be classed as personal data, which confuses many site owners.

The Information Commissioner’s Office has a helpful resource to determine where consent applies for you and your site’s use of cookies; it only takes around two minutes to complete and can save serious issues further down the line.

Website Security

SSL: Secure communication between a site’s server and the device your users browse on is essential. You might notice some sites display a padlock icon in the address bar, and that icon means the connection is encrypted using HTTPS (not the older, less secure HTTP) protocol.

Securing your website is crucial to guarding your data as well as sensitive information from your customers. Taking preventative measures to protect your site can save time and money and protect your brand reputation. It does not matter if you collect payments or personal data; it should still be secure.

Passwords: One other way to secure your website is by logging in. Ensure that you use a strong password AND multi-factor authentication. Ensure anyone with access to the website has a unique and strong password.

Back up your website or automate the backing up of the site. Your hosting provider can provide this.

Updates: Ensure you update your website regularly or automate the updates. Updates are released to improve your site’s security and the plug-ins you use.

Privacy Policies

Disclosing how you gather, store, use and manage your visitors’ data is an essential aspect of good GDPR practice, making your privacy policy a vital working document.

It should contain

  • your contact details,
  • the types of personal information you collect,
  • how it is obtained, and why you have it.

The policy should also state how the data is stored along with the rights of the individual and how to make a complaint if they feel it necessary to do so.

It also needs to be easily accessible for all to see.

Opting-In & Opting-Out

Online marketing can be challenging to understand the regulations (PECR). As a rule of thumb, do not rely on legitimate interests to send emails.

When adding a sign-up form, it is crucial to give them a choice to opt into specific types of communication. Remember that opting in is always preferable, and being specific is essential.

You might send different types of emails, such as newsletters, marketing, product updates or essential emails. Subscribing and unsubscribing from some or all of these should be as easy as possible for your users.

Are you doing enough to ensure your website is compliant? If you need advice and support, I’d be delighted to help make your website GDPR-compliant. Get in touch today to schedule a chat.

Have a conversation with your website designer/tech, who will be able to ensure the site is secure. If you would like support, advice or guidance on policies, then why not book a free discovery call with us?

Phishing, Smishing and Vishing, the Fight to Keep your Data Secure

Phishing, Smishing and Vishing, the Fight to Keep your Data Secure

Scammers and cyber criminals use every tool they can to access data and gain control of computers and mobile devices.

That means businesses and employees must be on guard constantly, treating every email, every phone call and even text message with extreme caution.

Here are some of the techniques they use and how to avoid falling victim to them

Email phishing

Phishing scams try to trick you, and sadly, many people fall for them, getting their passwords, account details and business data stolen.

They may pretend to be from your bank or a company you know and trust; that is why it is good practice to treat every email with suspicion, especially those claiming to have noticed suspicious activity in your account or asking for personal information, as well as those asking you to click links.

In the case of ‘spear phishing’, these emails will appear to be targeted at you.

How to protect yourself and your business from phishing and Spear Phishing scams:

  • Protect your devices with security software (and set it to update automatically)
  • Protect your accounts by using multi-factor authentication; this can either be something you have, such as a passcode sent to you via a security key or something you are, like a fingerprint scan, retina or facial scan.
  • Back up your data regularly to a trusted cloud-based storage solution or an external hard drive.

Whaling

Whaling is similar to phishing but aimed at the highest members of an organisation, such as executives and senior managers, particularly those in financial and payment-related businesses.

A Whaling attack can be well-researched and sophisticated, containing personal information, a sense of urgency and often a solid understanding of the industry’s technical terms and tone. They can cause devastating damage to a company’s reputation.

How to protect yourself and your business from whaling attacks:

  • Training and awareness at the highest level
  • More training and awareness, including regular refresher courses
  • Flag emails that are not from your network automatically
  • Consider making social media profiles private
  • Invest in data loss prevention measures and protocols

Smishing

Do we treat the danger of SMS or text-based ‘smishing’ with the same levels of diligence as we might with email phishing? Many might not and fall prey to revealing personal information such as credit card numbers and passwords or downloading malicious programs to their work mobile devices.

How to protect yourself and your business from smishing attacks:

  • Treat so-called urgent security alerts, offers and deals with extreme caution
  • Remember, no reputable company will ever ask you to confirm banking details, ATM pin codes or account information via text message.
  • Avoid storing bank details on smartphones; if the information isn’t there, it can’t be stolen.
  • Be wary of unfamiliar or suspicious-looking numbers

Vishing

Vishing or voice calls are one of the most widely used methods by fraudsters looking to access data, bank details and personal information.

Many scammers are incredibly good at gaining confidence; combine that with an exponential rise in remote working and the ease with which scammers can access basic information about any of us, and it is easy to see why so many are caught off-guard and fall prey to the (friendly) voice on the end of our phones.

How to protect yourself and your business from vishing attacks:

  • Calls from your bank or official agency are a mobile number; it is almost always a reason to be suspicious
  • Check the number even if it appears to be genuine. An automated caller ID is no guarantee of a legitimate call.
  • If the caller asks for money, mentions a deadline or tries to ask about confidential information, that is a sign of vishing.
  • Refuse to install software on your devices to fix an alleged problem if prompted to do so

If you would like to learn more about how to make your business stronger against the threat of cybercrime and data theft, I’d love to help. Get in touch today to schedule a free chat.