Thursday, 21 July 2016

Designing for Data Protection

The rise in cybercrime cannot have escaped many people’s attention. The national news regularly includes stories about organizations that have been the victims of hacking. LinkedIn and TalkTalk are two recent high profile incidents, but there are many more. So prevalent is cybercrime that the Office for National Statistics now includes it in the crime statistics.

Smaller companies often believe that they are less vulnerable than their larger corporate siblings, but this is not the case. Smaller companies often have fewer resources, and are less well educated in the issues surrounding cybercrime. At the same time, many small companies keep personal data about customers and staff in database systems, which is exactly the sort of data that cybercrime is targeting.  According to the Federation of Small Businesses, over 40% of its members have been a victim of cybercrime in the last year, at a cost of £4,000 to each business.

So how can organizations protect personal or sensitive data?

As a first step, identify the sensitive and personal data that is being held in databases, either on-premises or in the cloud. Organizations have a responsibility to protect data that an individual considers personal, such as email addresses, date of birth, telephone numbers, etc. If you have personal data in more than one system, consider whether that data could be held in a single database, and then securely accessed from other systems when needed. It may be easier to increase the level of protection for one database, rather than ensure that multiple spreadsheets and local databases held on laptops are all secure.

Then consider whether all the sensitive data that is being held actually needs to be stored. Credit card information, for example, often should not be stored in a company database. Although customers may be asked to provide credit card details multiple times, this is small beer compared to the trauma of credit card data being compromised. Read one of the recent stories about hacking, and then look at the list of personal data that you hold. You may find that some of that data is not being used sufficiently for the risk it posts.

Passwords should never, ever, ever be stored in plaintext. They should always be stored using salted hashing. If you are storing passwords in plaintext please take steps to amend your systems. Now.

Security is a multi-layered problem, which means that you need to employ a multi-pronged approach. Ensure staff understand the importance of using strong passwords to secure workstation and servers, and that passwords are changed regularly. Personal data can and should be encrypted, ensuring that not even database administrators have access to sensitive data. Keeping database software up to date also means you have access to the latest encryption technologies.

Data protection is a big subject, but thinking defensively gives you a head start. If you think it could never happen to you, you probably don’t have the right mind-set. We design SQL Server databases, upgrade them, and migrate data to the cloud, all with data protection issues firmly in mind. If you are considering developing a database for your organization, or migrating an existing database to the cloud, contact us for a free 2-hour Data Protection Review. We can advise you about sensible steps you can take to protect sensitive data from hackers, as well as advising on the new security features included in SQL Server 21016.

No comments:

Post a comment