By Simon Rice, Group Manager
Does the date 8 April 2014 mean anything special to you? If you’re responsible for ensuring your organisation keeps personal information secure and you’re still using old IT equipment then it should do.
On this day, official support for Microsoft’s Windows XP and Microsoft Office 2003 will end. It is not a death sentence and PCs running either of these two products will not stop working when the clock runs out, but it does mean that if a security flaw is discovered, Microsoft will not release an update to fix it and therefore your system, and the personal data stored within it, will be potentially vulnerable. This problem will get worse over time as more vulnerabilities are gradually discovered, creating more opportunities for an attacker to exploit and potentially gain unauthorised access to your systems.
With 30% of all PCs still using the 13-year-old operating system, this could become a serious problem and means that many organisations should already be in the processes of migrating across to a supported operating system, or taking steps to mitigate the risks. If you’re not, then the clock is ticking.
It is important to remember that this is not a unique situation. Organisations regularly end support for their older products. And those with supported systems still need to be vigilant, as vulnerabilities will be discovered over time. As a responsible data controller it is your organisation’s responsibility to make sure you have ‘appropriate technical organisational measures’ in place to keep people’s details safe. This means having processes in place to make sure that when new vulnerabilities are identified they can be addressed at an early stage.
Don’t forget, this applies to third-party software too. Java, Adobe Flash and web browsers regularly issue security updates, which need to be managed. Again, anti-virus and other malware protection software will also need to be regularly updated.
You may also need to consider any bespoke software you are responsible for within your organisations. If this is not being actively maintained and you are not looking for potential vulnerabilities then there may not be any updates to apply. But you should still be monitoring it to ensure it’s continuing to keep your data secure.
The penalty issued last week to the British Pregnancy and Advisory Service is a clear example of what can go wrong if you fail to keep your systems in a secure state. In this instance, a hacker was able to exploit the organisation’s vulnerable software to access and download the details of thousands of people who’d made contact with the service requesting pregnancy advice. The problem had existed for a considerable period of time, but the advisory service had failed to check that their systems were secure, and this went unnoticed until the individuals’ details were compromised.
The organisation’s failure to spot problems with their software has led to a serious breach of the Data Protection Act, caused substantial damage and distress to those affected and left the organisation with a fine of £200,000. The hacker, meanwhile, is now in prison.
So, what should you be doing to make sure you don’t fall foul of the Data Protection Act and put your organisation in line for a similar penalty of up to £500,000?
For a small office environment, the steps you need to take can be relatively simple. Making sure you stay on top of the updates that need to be regularly applied to desktop and laptop operating systems is relatively easy to do. All of the major vendors have a system to regularly check for updates and a pop-up will usually display on the screen alerting you to the fact that a security update is required.
In a more complex environment you might need to test these updates first to make sure they are compatible with your existing infrastructure. Where you cannot apply an update, you may need to put additional measures in place to mitigate the risk.
The UK government’s National Technical Authority for Information Assurance (CESG) has published short-term mitigation advice for public sector organisations that are unable to fully migrate away from Windows XP prior to its end of support date.
You should also consider whether your other IT assets need an update. Recently, a number of vulnerabilities have been discovered in the firmware of routers and firewalls. You can check the manufacturer’s website to see if an updated firmware has been released. For the novice user these are not as easy to update as an operating system or desktop software. If you get the configuration of your primary defence wrong you could be leaving your organisation in a worse position than if you’d done nothing at all; so call in the professionals if you are unsure.
It is also important to recognise that the modern working environment does not start and finish at the office door. There are over 30 million smartphone users in the UK, and this number increases when you take into account those that own a laptop or tablet device. Research carried out by our office last year has shown that 47% of these people will be using their personal devices for work purposes.
If personal information is being processed on these devices for your organisation, then you must have measures in place to keep the information secure. This includes making sure that the security software installed on these devices is up-to-date. You can find further advice on this issue in our Bring You Own Device guidance available on our website.
So if you are unsure whether your security software is up-to-date across all devices make sure you follow these three basic steps:
Step one – Carry out an audit of your IT equipment so you know the size of the problem. Make a list of devices, operating systems, serial numbers, installed software and which members of staff this kit is issued to.
Step two – Plan and Prioritise. Work out which updates you need to apply and in which order you are going to do these. If you are disposing of equipment that has reached the end of its life, make sure this is done securely by following our IT asset disposal guidance and any other guidance provided by the manufacturer.
Step three – Roll out security updates to the remaining equipment where required and continue to keep the software up-to-date.
In the case of Windows XP and Office 2003, from 8 April there will be no updates to apply. Anyone using these two products must consider their options and look at migrating to a supported operating system. Failure to do so will leave your organisation’s network increasingly vulnerable over time and increases the risk of a serious data breach that your actions could have prevented.
In the next few weeks we will be publishing more detailed security guidance that will cover many of the common issues that IT security professionals and those leading on an organisation’s compliance with the Data Protection Act need to be aware of.
In the meantime, now is the perfect time to make sure your organisation doesn’t have any chinks in your security armour.
Last updated 10/03/2014 14:00
|Simon Rice is the Group Manager for the Technology team which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.|