By Simon Rice, Group Manager for Technology.
Cyber security is a frontline issue and a boardroom issue, not just a matter for information security experts. If you hold personal data and that data is on a device connected to the Internet, then the customers, patients or citizens the information relates to are at risk of that information being attacked.
Last month David Freeland, from the ICO’s Scotland office, and I presented a webinar on cyber security.
It should come as no surprise it was a very popular session. Recent headlines have made it clear that a cyber security breach can lead to a fine from the ICO if we find you have breached the Data Protection Act by failing to keep that personal data secure. It can also result in customers complaining that you haven’t taken appropriate measures to safeguard their information and it can damage your organisation’s reputation.
If you missed the webinar, that’s probably the best place to start and you can view it through our website.
I’m following up on the webinar with this blog to address the questions that were raised during the session.
Many of the queries are answered in our guidance so I’ve linked to relevant sections below, as well as answering nine of the more specific questions.
- Can you recommend a cloud service?
- Should I be using a cloud encryption gateway?
- Should I force users to change their passwords at regular intervals?
- Should I be using two factor authentication?
- You fined TalkTalk £400,000, why not the maximum £500,000 you can issue?
- Do we have to report a breach?
- Can we use encryption for our live chat service?
- What should I do about the threat of ransomware?
- What does the GDPR say about cyber security?
Can you recommend a cloud service?
It isn’t possible to recommend one cloud service over another because each will provide different assurances and you will always need to check that these match the assurance you are looking for. A security techniques document entitled ISO/IEC 27017:2015 is a good starting point but there may also be industry specific standards. The National Cyber Security Centre (NCSC) also has guidance relating to cloud security. You also need to look for ongoing assurance which might include evidence of regular penetration testing. If you are processing information within a particular sector or for another data controller, for example health bodies or local government, you should also discuss with them whether the type of cloud service you are considering is appropriate.
Should I be using a cloud encryption gateway?
In this type of arrangement you need to look closely at where the encryption key is stored, who can gain access to it and the circumstances under which they can do this. If the key remains entirely within your organisation’s control and inaccessible to the cloud provider, then the encryption will be providing a high degree of security to that data. However, you must still consider the remaining adequacy criteria explained in our guidance if you are transferring personal data outside the EEA.
For more information on cloud computing, read our guidance.
Should I force users to change their passwords at regular intervals?
This is a hot topic in cyber security, with research suggesting that such a practice can lead to users choosing less secure passwords so they can remember them. The NCSC has re-issued the earlier National Technical Authority for Information Assurance (known as CESG) guidance on passwords and offers recommendations.
It is important to look at your password policy as a whole and ensure that it is being followed in practice. If it isn’t, and you drop a requirement such as regular resets, then you could be opening yourself up to greater risks.
For more information on passwords, read our guidance.
Should I be using two factor authentication?
You will also need to consider the measures that you have in place to detect whether there has been a compromise of credentials – unusual login patterns (time, IP address and so on) are a good place to start with this. Use of two factor authentication and account lock-out following repeated failed attempts could also be used. This will be ever more critical if you remove or extend the password reset interval.
Two factor authentication can be an effective measure against the compromise of the access credentials and would be highly recommended for administrator accounts or remote access via SSH and VPN.
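The detection measures described above (unusual login times, logins from an address not previously seen for that user, and account lock-out after repeated failures) can be illustrated with a small log analysis. The following is an added example written for this post, not ICO code or part of the webinar. It assumes a simple authentication log format (timestamp, username, source IP address, outcome), a working-hours window of 07:00 to 19:59, and a lock-out threshold of five consecutive failures; the log lines are constructed sample data. A successful login recorded after the threshold was reached is flagged too, because it shows a lock-out policy that exists on paper but is not being enforced in practice.

```python
"""Added example (not ICO code): flag signs of credential compromise in
authentication logs - logins outside working hours, logins from an address
not previously seen for that user, and repeated failures that should have
triggered an account lock-out."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not real data). Assumed format:
# ISO-8601 UTC timestamp, username, source IP address, outcome.
SAMPLE_LOG = """\
2017-01-10T09:02:11Z alice 198.51.100.7 success
2017-01-10T09:15:40Z bob 203.0.113.5 success
2017-01-10T17:45:03Z alice 198.51.100.7 success
2017-01-11T03:12:55Z alice 192.0.2.99 success
2017-01-11T08:00:01Z bob 203.0.113.5 failure
2017-01-11T08:00:09Z bob 203.0.113.5 failure
2017-01-11T08:00:15Z bob 203.0.113.5 failure
2017-01-11T08:00:22Z bob 203.0.113.5 failure
2017-01-11T08:00:30Z bob 203.0.113.5 failure
2017-01-11T08:01:02Z bob 203.0.113.5 success
"""

WORK_HOURS = range(7, 20)   # assumption: 07:00-19:59 is the normal window
LOCKOUT_THRESHOLD = 5       # assumption: consecutive failures before lock-out


def parse_log(text):
    """Parse the assumed log format into (datetime, user, ip, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, outcome = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, ip, outcome))
    return events


def analyse(events):
    """Return a list of (username, reason) alerts in log order.

    Events are processed sequentially, so an address counts as 'unseen' only
    if it has not appeared for that user earlier in the log.
    """
    alerts = []
    seen_ips = defaultdict(set)          # user -> addresses seen so far
    consecutive_failures = defaultdict(int)
    locked = set()                       # users who should be locked out

    for ts, user, ip, outcome in events:
        if outcome == "failure":
            consecutive_failures[user] += 1
            if consecutive_failures[user] >= LOCKOUT_THRESHOLD and user not in locked:
                locked.add(user)
                alerts.append((user, "lock-out: %d consecutive failures"
                               % consecutive_failures[user]))
            continue

        # A success after the lock-out threshold means the policy is not enforced.
        if user in locked:
            alerts.append((user, "success while locked out at %s" % ts.isoformat()))
        consecutive_failures[user] = 0

        if ts.hour not in WORK_HOURS:
            alerts.append((user, "login outside working hours at %s" % ts.isoformat()))
        if seen_ips[user] and ip not in seen_ips[user]:
            alerts.append((user, "login from previously unseen address %s" % ip))
        seen_ips[user].add(ip)

    return alerts


if __name__ == "__main__":
    for user, reason in analyse(parse_log(SAMPLE_LOG)):
        print("%-6s %s" % (user, reason))
```

On the sample data this produces four alerts: two for alice (a 03:12 login from a new address) and two for bob (five consecutive failures, then a success that a working lock-out would have prevented). In a real deployment the working-hours window and the address baseline would be built from each user's own history rather than fixed constants.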
For more information on BYOD, read our guidance.
You fined TalkTalk £400,000, why not the maximum £500,000 you can issue?
This was a big fine – a record fine. But we have to be fair and proportionate. If TalkTalk had acted deliberately, if the attack had impacted on more people or if it had involved sensitive personal data – like health records – we would have looked at a bigger fine.
Do we have to report a breach?
Under the Privacy and Electronic Communications Regulations a breach must be reported within 24 hours but this only applies to certain types of organisations. Under the GDPR, you will have to report within 72 hours. We would urge organisations to report as soon as possible. We would not expect a full in-depth forensic report within a short time period. You can provide timely updates or even confirm that no personal data was at risk after the initial notification, if that turns out to be the case.
For more information on enforcement and breach reporting, read our guidance.
Can we use encryption for our live chat service?
I really liked the question because it shows how we need to think beyond traditional means of communication and highlight the risks. Live chat, social media direct messaging, VOIP and messaging apps all have the potential to process personal data or be intercepted as they travel across the internet.
Firstly, you would want to ensure there is encryption on the connection. As an example, the ICO’s live chat feature is protected by HTTPS and this was something we looked for during procurement. Secondly, you will want to look at data retention. How long are messages stored for and where are they stored? Finally, there will be staff training to consider. Staff should know what types of personal data can and cannot be requested via these means. So if a customer gets in touch using live chat or social media messaging, your staff should know the limits of what is appropriate with that particular technology. If you reach that limit then you can look to move the communication from the live chat to, for example, a telephone call.
For more information on encryption, read our guidance.
What should I do about the threat of ransomware?
Ransomware is a big problem in the cyber security world and there are two potential issues in terms of compliance with the DPA.
Firstly, the technical and organisational measures you should have in place to prevent the infection in the first place should be effective. Secondly, you will need to consider the measures you have in place to recover from an incident.
It is also worth noting that the security provisions of the GDPR also explicitly refer to the “ability to restore the availability and access to personal data in a timely manner” in Article 32.
We’re planning to publish a separate blog on ransomware soon to look at this topic in more detail.
For more information on ransomware, read our guidance.
Secure email exchange
There was a specific question relating to systems such as GCSx and the transfer of CJSM and how this might impact on the secure transfer of personal data, especially across email.
We are aware of forthcoming changes in this area and are working with, and providing assistance to, various central government departments.
For more information on secure email exchange, read our guidance.
What does the GDPR say about cyber security?
The government has now confirmed that the UK will be implementing the General Data Protection Regulation (GDPR). Security will continue to be an important requirement of the new legislation (see Articles 5(1)(f) and 32). If your organisation is currently adopting best practices you’ll be in a good position, but it is also worth remembering that cyber security is a fast moving discipline and best practice today might have moved on by May 2018 when the GDPR comes into force. There are some aspects of cyber security that get a specific mention in Article 32 of the GDPR, including encryption, disaster recovery, testing and ongoing monitoring.
For more information on the GDPR, read our guidance.
Simon Rice is the Group Manager for the Technology team, which provides technical expertise to all ICO departments in order to support the broad range of activities undertaken by the ICO.