Business data compromises – what can you do?

Business data is vulnerable to multiple types of threat.

There are prolific news stories about hacking, viruses and malware that open the exterior walls to your data estate, but threats can come from within your business as well as outside.

Identifying your vulnerabilities isn’t always easy, because the impact may not be felt for some time – possibly years – after a compromising event has occurred.

You may not know that one has happened, so if the alarm bells are ringing for you – even if it is a gut feeling only right now – do not wait to see what materialises.

Investigate.

Below we provide you with guidance on what works and what doesn’t, when it comes to handling a data breach.

The focus of this guide is on business data breaches.

Breaches involving personal data fall within Ireland’s data protection laws and must be handled according to statutory deadlines and regulated processes.

You must follow these.

In the sections that follow, we talk through the difference between ‘inside, out’ data compromises and ‘outside, in’ ones.

Our top tips for preventing business data compromises are summarised at the end.

From the ‘inside, out’ data compromises

Improper copying, or transmission, of data outside of an organisation, by an employee (or other worker) is one of the most common types of compromise.

Employees who engage in these practices are often called ‘bad leavers’, acting in breach of their duties to you as their employer.

Data almost always leaves a trail

Data almost always leaves a trail: copies leave file-system timestamps, removable media leave device-connection records, and transmissions leave mail and web logs. If you can detect and follow that trail, then as the employer you are in a position to:

  1. assess whether this is an isolated incident, or whether there’s evidence of a pattern of data-abusive behaviour
  2. see exactly what data has been copied and/or transmitted
  3. understand which devices are being used to copy data
  4. identify the destination of any data transmissions and whether any further red flags are raised.
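As an added illustration of what following the trail means in practice (this is example code, not part of the original guide), the script below puts the four questions above to a constructed export of file-activity events: how many days the activity spans, which files left, via which devices, and to which addresses. The CSV layout, the user names and the company mail domain example.ie are all made up for the example; a real investigation works from whatever your endpoint, mail gateway or cloud service actually logs.

```shell
#!/bin/sh
# Added example, not code from the original guide. Triage of a constructed
# file-activity export: is there a pattern, what left, on which devices, and
# to where. The CSV layout below is made up for this example; the company's
# own mail domain is assumed to be example.ie.
set -eu

OWN_DOMAIN="example.ie"

# Constructed sample events. columns: timestamp,user,action,file,device,destination
# "-" marks a column that does not apply to that action.
SAMPLE_LOG=$(cat <<'EOF'
2024-03-04T09:12:00Z,jdoe,copy,Q3-pricing.xlsx,USB:SanDisk-4C5,-
2024-03-04T09:14:00Z,jdoe,copy,client-list.csv,USB:SanDisk-4C5,-
2024-03-06T18:40:00Z,jdoe,email,client-list.csv,-,j.doe.home@mail.example.com
2024-03-07T08:02:00Z,jdoe,copy,supplier-contracts.zip,USB:Kingston-9A1,-
2024-03-07T08:05:00Z,jdoe,email,supplier-contracts.zip,-,recruiter@competitor.example
2024-03-05T10:00:00Z,asmith,email,invoice-2231.pdf,-,accounts@example.ie
2024-03-05T10:01:00Z,asmith,copy,team-photo.jpg,USB:Verbatim-7F0,-
EOF
)

# trail_summary USER
# One line per user: event count, distinct days, distinct files, removable
# devices used, and sends to addresses outside OWN_DOMAIN. "pattern=yes" is a
# simple heuristic: activity on more than one day rather than a single slip.
trail_summary() {
  printf '%s\n' "$SAMPLE_LOG" | awk -F, -v user="$1" -v own="$OWN_DOMAIN" '
    $2 == user {
      n++
      days[substr($1, 1, 10)]++
      files[$4]++
      if ($3 == "copy" && $5 != "-") devices[$5]++
      # Compare the domain after "@" exactly, not as a substring.
      if ($3 == "email" && $6 != "-") { split($6, p, "@"); if (p[2] != own) external[$6]++ }
    }
    END {
      for (k in days) nd++
      for (k in files) nf++
      for (k in devices) ndev++
      for (k in external) nex++
      printf "user=%s events=%d days=%d files=%d devices=%d external=%d pattern=%s\n",
        user, n, nd, nf, ndev, nex, (nd > 1 ? "yes" : "no")
    }'
}

# trail_detail USER KIND   (KIND is file, device or destination)
# Distinct values for the user, sorted: exactly what was copied, via what,
# and to where.
trail_detail() {
  printf '%s\n' "$SAMPLE_LOG" | awk -F, -v user="$1" -v kind="$2" '
    $2 == user {
      v = (kind == "file") ? $4 : (kind == "device") ? $5 : $6
      if (v != "-") print v
    }' | sort -u
}

# Demonstration on the constructed sample.
for u in jdoe asmith; do
  trail_summary "$u"
done
echo "jdoe destinations:"
trail_detail jdoe destination
```

In the sample, jdoe shows activity on three days, two different USB sticks and two external addresses, which is the difference between an isolated incident and a pattern; asmith's single internal email and one copy on one day would not by itself raise a flag.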

How to optimise your data trail efforts

When an employee is leaving, it is a good idea to:

1. Ask them to return all computers, tablets, mobile phones and removable media they may have. These include hard drives and memory sticks.

2. Get them to hand over the credentials for every software account they have used on your business’s behalf, particularly those for which they acted as administrator or approved other colleagues’ access, and check that each credential works while the employee is still with you.

(You can usually reset these remotely, unless the employee is the sole administrator, in which case the account must first be transferred to at least one other appropriate person in your business.

It is good practice never to leave a single employee with sole administration rights over any tool your business uses.)

3. Create an inventory of the returned devices (make, model, serial number, who returned each one and when) and store them securely in case of later enquiries.

4. If you have to re-use a device right away, make sure a forensic image (a bit-for-bit copy whose hash has been verified against the original) is taken before the device is wiped and re-issued.

If you do have a bad leaver, this good practice helps to remove doubt about who left the evidence on the device.

Forensic copying needn’t cost a lot of money.
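For the imaging step, here is an added example (not from the original guide) of a low-cost forensic copy on a Linux machine using only dd and sha256sum from GNU coreutils: the image is hashed against the source so a later challenge to its integrity can be answered, the hash is stored beside the image, and a chain-of-custody line is appended to an inventory file. The “device” in the demonstration is a constructed sample file so the script runs without root; on a real device, pass its block device path (for example /dev/sdb) with the device unmounted, and preferably behind a hardware write-blocker.

```shell
#!/bin/sh
# Added example, not code from the original guide. Low-cost forensic imaging
# with GNU coreutils (dd, sha256sum): image the device, prove the image matches
# the source, store the hash with the image, and log the acquisition in an
# inventory file. Assumes Linux with GNU coreutils; the demo uses a constructed
# sample file in place of a real block device so it runs without root.
set -eu

# image_device SOURCE IMAGE INVENTORY
# Copies SOURCE to IMAGE, hashes both, and fails if they differ. On success the
# hash is written to IMAGE.sha256 and a chain-of-custody line (time, operator,
# source, image, hash) is appended to INVENTORY. Prints the hash. SOURCE should
# be an unmounted device such as /dev/sdb, ideally behind a write-blocker.
image_device() {
  src=$1; img=$2; inv=$3
  dd if="$src" of="$img" bs=1M status=none
  src_hash=$(sha256sum "$src" | cut -d' ' -f1)
  img_hash=$(sha256sum "$img" | cut -d' ' -f1)
  if [ "$src_hash" != "$img_hash" ]; then
    echo "hash mismatch: $img is not a faithful copy of $src" >&2
    return 1
  fi
  # Keep the hash in sha256sum's own check-file format next to the image.
  echo "$img_hash  $(basename "$img")" > "$img.sha256"
  printf '%s\t%s\t%s\t%s\t%s\n' "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$(id -un)" \
    "$src" "$img" "$img_hash" >> "$inv"
  echo "$img_hash"
}

# verify_image IMAGE
# Re-hashes a stored image against IMAGE.sha256; a non-zero exit means the
# image no longer matches what was acquired.
verify_image() {
  (cd "$(dirname "$1")" && sha256sum -c --quiet "$(basename "$1").sha256")
}

# demo_run: a constructed 1 MiB "disk" stands in for a returned laptop's drive.
# Only after the image verifies is the original overwritten (the wipe step).
# Note: a single overwrite is a stand-in only; on real drives, especially SSDs,
# use the manufacturer's secure-erase or destroy the disk-encryption key.
demo_run() {
  work=$(mktemp -d)
  head -c 1048576 /dev/urandom > "$work/laptop-disk.raw"
  hash=$(image_device "$work/laptop-disk.raw" "$work/laptop-disk.img" "$work/inventory.tsv")
  verify_image "$work/laptop-disk.img"
  dd if=/dev/zero of="$work/laptop-disk.raw" bs=1M count=1 status=none
  echo "$hash"
}

demo_run
```

Keep the .sha256 file and the inventory with the image, and re-run verify_image whenever the image changes hands: an unchanged hash is what lets you show, months later, that the copy is the same one taken on the day the device was returned.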

If you think you have a bad leaver situation, see our guide to bad leavers and how to manage your data and IP risks.

From the ‘outside, in’ data compromises

This is where the risk of attack or compromise comes from outside your business, for example, in the form of a cyber-attack.

There’s often not a lot that you can do on your own here.

You’re likely to need professional help to determine what has happened and to help you to take the right preventative measures to contain any damage.

Think of your systems and devices as a potential crime scene.

Data are the DNA and fingerprints that will help you to capture your culprit, so you might find it useful to seek help from a forensic professional.

If your data breach is a serious one, court proceedings may become necessary, and you will want to serve the best evidence you have.

Above all, do not examine the devices yourself without proper forensic tools and procedures. Tempting as it is to find out what has happened, simply powering a machine on, logging in or opening files alters timestamps and can overwrite the very evidence you need, and may do your case more harm than good.

You’ll also need to consider whether it is necessary to report a data breach.

In a number of situations, you’ll have a legal obligation to report to the Data Protection Commission (DPC), which regulates the handling of personal data in Ireland by all businesses, large and small.

You may also need to consider notifying other bodies or organisations, for example, the police, insurers, professional bodies, or bank or credit card companies, who can also help reduce the risk of financial loss to individuals.

If the incident was caused by a cyber-attack on your business, you must check whether you also need to report it to the Gardaí.

Chесk оut our separate guide on how to handle dаtа breaches.

Top Tips

Good computer housekeeping helps forensic investigators to help you when something goes wrong.

Thinking about the following points ahead of time gives your business a head-start if you experience a data breach:

1. Know where your data is held

Do you store data locally or in the Cloud?

Where is your data backed-up?

Having an understanding of your computer systems and data storage ahead of time makes it much easier to respond quickly to an incident, and also helps you keep track of information, which helps you to meet your data protection obligations.

2. Do your employees need a username and password to log on to computers and the internet at work?

If not, implement this, with a separate account for each person and no shared credentials: evidence is much harder to dispute when it is known which user was logged on at the time and that a password was needed to do so.

3. Do you have a business computer network in place?

Many small businesses use standalone computers but setting up a basic network is simple and cost-effective.

Not only does it enable evidence of activity on the network to be identified, but it enables certain areas to be effectively restricted to certain employees, and the monitoring of unauthorised activity.

4. Do you have a firewall?

Firewalls can be installed quickly and cheaply. They not only help to protect your computers and sensitive information from unauthorised access, but they can also be used to restrict your employees’ access to certain sites.

These restricted sites might include social media, webmail and remote storage sites, which are often involved in data breaches and other unwanted activity and put your business at risk.

In the event of an investigation, employee attempts to deliberately circumvent firewalls can also be an important source of evidence.

5. Do you encrypt email and/or sensitive data?

If your systems are accessed by unauthorised individuals, whether employees or “hackers”, encryption makes it much harder for them to view sensitive data.

Strong encryption tools are widely available to encrypt your computer hard drive, email, and important folders and files whether on your computer or in transit.

Independent reviews from a reputable security site will give you plenty of options and help you compare them.

Forensic investigators will need the encryption key, or a recovery key, to examine encrypted data, so make sure the business itself, and not only the individual employee, holds a copy. Since you will know who normally had access to certain documents or folders, encryption can also help to narrow the investigation.

6. Do you have a computer, internet and phone usage policy?

This helps both you and your employees to know what is expected of them and makes it easier to take action if things go wrong.

You may also want to check that your data assets management policy and general data protection policies are up-to-date, and that your employment contracts contain appropriate restrictive covenants and data protection provisions, to give you the rights to take action if you need to.

7. Are your employment contracts clear on use of business computer systems and investigation?

Most businesses now make clear that employees’ activity on their systems can be monitored and investigated in appropriate circumstances.

If you don’t make this clear it can make evidence-gathering a lot more difficult and even expose you to legal risks in carrying out an investigation.

You should also consider the extent to which your employees are retaining more data than they should.

There’s often little to no commercial benefit in keeping data longer than you legally must, but it can still be a data-risk if you’re not paying attention to it.

Following some of these simple tips can help to put you and your business on the front foot when an issue arises.

It’s much easier to deal with these issues before a crisis arises.
