Ask The Expert: Joe Makepeace
Joe Makepeace, Mission Specialist at Nybble, answers questions around data privacy and protection.
What are the main issues facing businesses and individuals around data privacy at the moment?
Whether it's personal or commercial, the rules of engagement are the same. We would almost say that from a data point of view it literally is everywhere and has become the new currency really. Data has become one of the world’s most valuable commodities. Data is what people want, and your personal data and business data are a commodity. Whether it's your e-mail address, your behavioural data, your map data, where you've been, what you've bought, it's all being collated, it's all being collected, it's all being traded, it's all being advertised and it's all being monetised. People are using that data to try and part you from your money and some of that is being done ethically and some of that is being done unethically by what we would describe as hackers.
Most of the data breaches aren't on the scale of Marks and Spencer, Co-op or Jaguar Land Rover; they're everyday hacks. It’s someone losing £50 or £200 on a scam. They're the ones that are probably more straightforward to mitigate against because it's probably due to misconfiguration and poor controls. We'd always say that the weakest link in the process is usually the human. It’s people assuming that it's going to be OK, that standard settings are all right, but in reality, they're not. You need to be doing a little bit more than just the basics with all these things. Whether it's reused passwords, whether it's unsecured devices, oversharing, whatever those bits of information are, they're the things we do as humans to make our life more straightforward. But they're the bits that the social engineers and hackers out there are looking for because they're the weak links, they're the soft underbelly for people to get in.
From a business point of view, if you do suffer some form of breach or hack from your data, there's reputational damage and the downtime stress. Large-scale incidents like these at major manufacturers can even influence national output figures during the period of disruption. If attackers are already inside, the cost and complexity of recovery increases dramatically. The time to put those things in place is before you have an incident, because the reputational damage or indeed financial damage might be irretrievable.
What can businesses and individuals do to protect themselves? What's good practice for people personally and at work?
I'll approach them both together because I think they work together. From a business point of view, you’ll have a partner, you'll have specialists, you'll have professionals hopefully engaging within your business, of which obviously Nybble are one. We can do some of that work for you and enforce those policies and enforce structure on a business as well. But again, it rings true for both parties. Start with the basics, the simple things are probably the most effective really. So that's strong, unique passwords or pass phrases. The old ‘password 123’ or ‘password’ is just not going to work anymore. As an absolute minimum you need to be looking at things like multi-factor authentication. People are used to that now with the banking and various other tools. If I try and log into any piece of software or any application, it wants to contact me via some other method for me to confirm who I am. There's also biometric data that you can use, so that’s using your face or a fingerprint to confirm your identity. But you can also have that belt and braces approach, which is sending a text message or an e-mail to an account that's been verified to confirm that it's you. Someone can't access a piece of software without access to other things that you possess as well. That’s what gives you that bit of security.
The other thing we recommend is having secure backups. Make sure you've got a backup - whether it's your personal photos, your files, your e-mail personally, or whether it's commercially, you've got your data backed up. More importantly, demonstrate that you can restore from your backup. There's no point having a backup if it doesn't work. You need to make sure from a data point of view that you can access that data should you need to. In terms of protection, the fewer things you've got available for someone to look at, the better. That's where we would focus on being deliberate about what data you hold, both personally and commercially. If you don't need the data, don't store it. If you've finished with that data, have a policy within your business that purges that data from your system. If you've got people that leave, have a policy or a process in your business for when these people have left. Make sure that everything they had access to has been disconnected, discontinued, suspended.
There’s fear around data security because of what people see in the news about businesses that have suffered hundreds of millions of pounds of damage. We would always advocate that education beats fear every time. Educating people about how they should be compliant and the simple steps they can take to be compliant in plain English is definitely the way to reduce accidental exposure and poor decisions. So, it might be the simulated phishing attacks that we do for businesses, where we send this stuff out to people randomly to try and get them to do something wrong. We hope they don't do it, but if they do, it’s done in a safe environment where you can educate them.
Software patching is key in terms of personal devices and commercial devices as well. If you’ve got a mobile phone, make sure it's up to date, make sure the software's up to date. It's on these devices for good reason. It might be to make the user experience a little bit better, but invariably it's because they've come across some vulnerability or patch that they need to push out to a device to make it more secure. If you are running older versions of software on your devices, you are potentially more at risk than the person who's got the latest version.
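The same answer makes three points that are easy to state and rarely tested: a backup only counts if you can restore from it, data you no longer need should be purged on a schedule, and both should be routine rather than one-off. The following is an added example, not the interview's or Nybble's own tooling, that backs up a directory with a checksum manifest, proves the restore by extracting to a scratch directory and comparing every file, shows what a damaged archive looks like to that check, and applies a retention rule with a dry-run preview. All file names and contents are constructed for the demonstration; the only assumptions are a local directory to protect and a retention period in days.

```python
"""Backup with a verified restore, plus a retention purge.

Added example, not Nybble's code. Sample files and the retention period
are constructed for the demonstration."""
import hashlib
import os
import tarfile
import tempfile
import time
import zlib


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def make_backup(src_dir, archive_path):
    """Archive src_dir and return {relative path: sha256} as the manifest."""
    manifest = {}
    with tarfile.open(archive_path, "w:gz") as tar:
        for root, _, files in os.walk(src_dir):
            for name in sorted(files):
                full = os.path.join(root, name)
                rel = os.path.relpath(full, src_dir).replace(os.sep, "/")
                manifest[rel] = sha256_file(full)
                tar.add(full, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore the archive into restore_dir and compare every file to the manifest.
    Returns (ok, problems); ok is True only when every file came back intact."""
    problems, seen = [], set()
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            for member in tar:
                if not member.isfile():
                    continue
                rel = member.name
                # refuse member names that would write outside restore_dir
                if os.path.isabs(rel) or ".." in rel.split("/"):
                    problems.append(f"unsafe path in archive: {rel}")
                    continue
                target = os.path.join(restore_dir, *rel.split("/"))
                os.makedirs(os.path.dirname(target), exist_ok=True)
                with open(target, "wb") as out:
                    out.write(tar.extractfile(member).read())
                seen.add(rel)
                if rel not in manifest:
                    problems.append(f"unexpected file restored: {rel}")
                elif sha256_file(target) != manifest[rel]:
                    problems.append(f"checksum mismatch after restore: {rel}")
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
    for rel in sorted(set(manifest) - seen):
        problems.append(f"missing after restore: {rel}")
    return (not problems, problems)


def purge_expired(data_dir, max_age_days, now=None, dry_run=False):
    """List files older than the retention period and delete them unless dry_run."""
    now = time.time() if now is None else now
    cutoff = now - max_age_days * 86400
    expired = []
    for root, _, files in os.walk(data_dir):
        for name in files:
            full = os.path.join(root, name)
            if os.stat(full).st_mtime < cutoff:
                expired.append(os.path.relpath(full, data_dir).replace(os.sep, "/"))
                if not dry_run:
                    os.remove(full)
    return sorted(expired)


def demo():
    """Constructed data set: back it up, prove the restore, damage the archive, purge."""
    results = {}
    with tempfile.TemporaryDirectory() as work:
        data = os.path.join(work, "data")
        os.makedirs(os.path.join(data, "exports"))
        now = 1_700_000_000  # fixed "current time" so the retention check is repeatable
        current = os.path.join(data, "customers.csv")
        stale = os.path.join(data, "exports", "2019-q1.csv")
        with open(current, "w") as f:
            f.write("id,email\n1,alice@example.com\n")
        with open(stale, "w") as f:
            f.write("report nobody has opened in years\n")
        os.utime(current, (now, now))
        os.utime(stale, (now - 400 * 86400, now - 400 * 86400))

        archive = os.path.join(work, "backup.tar.gz")
        manifest = make_backup(data, archive)
        results["manifest_files"] = sorted(manifest)
        results["good_restore"] = verify_restore(archive, manifest, os.path.join(work, "r1"))
        with open(archive, "r+b") as f:  # simulate a damaged backup by truncating it
            f.truncate(os.path.getsize(archive) // 2)
        results["damaged_restore"] = verify_restore(archive, manifest, os.path.join(work, "r2"))
        results["purge_preview"] = purge_expired(data, 365, now=now, dry_run=True)
        results["purged"] = purge_expired(data, 365, now=now)
        results["remaining"] = sorted(os.listdir(data))
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the intact archive restoring cleanly, the truncated one failing the check rather than silently restoring a subset, and the retention rule previewing exactly what it would delete before it deletes it. The restore test is the part most organisations skip; scheduling it alongside the backup is what turns "we have backups" into "we can recover".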
When people see in the news that major companies have been hacked, how does that affect smaller businesses?
If you were to sit in a room and talk to these people, most of them would think that's not really going to affect me, I'm not that big. But these hackers have no care or compunction about what size of business you are. They are financially motivated and largely indifferent to business size. Schools are currently a big target because they’re a soft underbelly. If you think about the data that a school retains, it's got parent data, it's got purchase data like bank information for school lunches, for school trips and all manner of information. Historically they’re a weak link from a data control point of view, because it's been a secondary thing in terms of IT systems and infrastructure. It's about delivering education rather than securing data. I know of one case where they suffered a significant data breach, and their only option was literally to pull the plug and start again. It took them about 12 weeks to get back up. But you don't need to lie awake every night worrying about what might happen. Just talk to a technology partner and get some basic advice because some of these things are free and easy to do. Once you've got those things in place, you've at least got that baseline protection that will stop somebody getting in. Going back to the old analogy of a burglar walking around the street at night. They’re going to look for a house with the front door wide open and the back door wide open. They’re not going to look at the one with the burglar alarm and the dog.
We’re often asked to give our details to access services, but should we challenge this?
Yes, I think so, absolutely. You'd be amazed what someone will give you for free Wi-Fi. They'll almost give you their life and soul for free Wi-Fi and that's the problem. We've done events at our head office in Blackburn and said to people there will be live simulations of things going on, are you happy for that to be the case? We’ve then set up free Wi-Fi for the people that are coming in. You might get 50% of the people joining the free Wi-Fi. Then we have up on screen that we've just captured all their details and published them live on screen from capturing the free Wi-Fi, because it's that easy to get that information. Once someone has signed up for that free Wi-Fi, you then just send a little bit of information back to verify and confirm it. That gives you visibility of the data they’ve provided and can create a pathway for further exploitation if the network isn’t properly secured. Challenge anybody that wants to retain data on you or your business. Ask why they need that information and ask for how long they will use it. Ask how they are using your data. I appreciate that's administratively heavy if you are going to ask every one of your customers or suppliers to answer, but it’s your right to do so, and they should be managing your data correctly.
Is the legislation on data privacy up to date?
The overarching regulation that's implied on everybody is GDPR, which is more of a personal protection, but there are commercial elements to GDPR. We've all got to make sure we comply with it in terms of how we're capturing that data. When you've got public-facing individuals that are on there, that's a little bit different. But if I'm dealing with a B2C business and I'm selling stuff to the general public and I'm retaining the data, I need to be like Fort Knox with that data to make sure I’m covered from a legislation point of view. Then when you're working for a business that has systems like ISO 27001 in place, this demonstrates that a business operates a formal Information Security Management System and manages data risk in a structured, audited way; they’ve got to have additional layers of security on their business to protect their data from attack but also ensure that they look after and manage data properly within their business. Something like ISO 27001 certification from a data management point of view is perfect, but that's not going to be in the gift of a small business. It’s uncommon to find a small business with ISO 27001 certification, so it just comes down to speaking to a professional, speaking to someone like the Chamber. I'm sure the Chamber will give good advice to small businesses in terms of how you manage your data. And that's the thing. Always be looking at how you can do it that little bit better all the time. Don't just assume that because it was right today, it's right in six months, because things will move on or the threat will move on. We’ve already talked about software patching and software updates. It’s the same with business information and business legislation. You need to make sure that you are remaining current with updates and you're remaining current with changes in legislation, because every time you stand still, you're going backwards.
How can Nybble help businesses?
We can demonstrate that we are the IT service provider for Greater Manchester Chamber. We can confidently say that from a data provision point of view, the data that we manage and maintain on the Chamber’s behalf is secure and we can demonstrate its security. So, we're actually practising what we preach from a customer perspective. From a professional point of view, we're there to firstly advise. We're happy to provide that advice on a literally free basis. If someone wants to try and protect themselves from a cyber threat, the first thing we would do is give them that advice about how they do it. We're not necessarily interested in a commercial relationship with them. That's not what it's about. It's about making sure that they leave the conversation in a better place than they were when they phoned up. Now if there is some practical advice over something we can do, we could look to do that and improve their protections. But I think that the biggest thing is translating that complexity into practical action. We know the rules. We're used to dealing with those rules on a day-to-day basis for businesses across all sectors - hospitality, retail, manufacturing, education, professional services, vehicle transport, the public sector. We deal with customers in all those environments and we're used to all of the vagaries around them. We've got the skill set internally to be able to provide the advice but then put those sensible protections in place quite effectively and manage and monitor them going forward. And that's the key. It’s doing that work diligently and regularly. We’ve already talked about backups and various other things like that. It's about doing regular restorations. It's about making sure the patching's up to date. So, the businesses that we deal with can concentrate on delivering without having to worry about who could sneak in the back door.
I think it comes down to attempting to be a long-term partner rather than a one-off supplier. That's the box ticking we talked about before. We don't want to be a box ticking exercise. We want somebody to approach this almost like an insurance policy. You would insure your business against loss. You'd make sure that you did things so your insurance policy would say you'd got things in place to make sure your cover is valid. We would argue that this is a similar kind of scenario. You need to look at it in the same way. Do I have the mitigations in place that will protect me in the event of an incident? If your business suffered a serious incident, whether it was a fire or whatever, your insurance company would help you to restart your business. But if that fire was a metaphorical fire in your data, where someone ruined it, broke it, hijacked it and you couldn't get it back, then if you've not got that policy in place, then where do you go from there? It's like having no building and no staff.
I've got a background in health and safety, so I look at it from that point of view. If you think of something like asbestos exposure, it's an insidious thing that's got into your lungs over a period of time due to exposure because of lack of knowledge and lack of understanding and 35 years later it kills you. For me the parallels are similar. What we're talking about in terms of data security and data management is that insidious long-term threat that's taking place. You can lock your front door, but unbeknown to you, someone's climbing up the outside wall or someone's walking around the back or someone's got a friend that's got a key or someone's been round to your Mum's house and pinched the key, and that's the longer-term, chronic thing that you're looking to protect. People need to think more long-term, so it's not a transactional fix, it is a partnership fix.