Cybersecurity and the protection of member data have risen to the top of trustee risk registers.
Many trustees will have had detailed training leading up to the introduction of GDPR in May 2018 and will have been through a wholesale review of their contracts, policies and procedures.
Because technology, and the threats to it, change so quickly, there is a risk that some of that training is now a little outdated. In particular, we find ourselves pushing trustees to re-run their incident response training so they are on the front foot when a breach occurs. And unfortunately, it is ‘when’, not ‘if’.
Attacks always seem to happen on a Friday evening; there is never enough information, and it is stressful.
A simple plan helps navigate the first interactions, gives structure to the discussions and increases the chances of making good decisions on whether notification to the ICO is needed within the 72-hour deadline.
This includes confirming facts such as who is impacted, implementing the response plan, establishing who needs to know what and determining remediation.
The plan should also make sure that the increased focus on member data doesn’t obscure other priorities such as running payroll, member transactions and good governance.
Any real-life threat along these lines will be difficult to deal with, but training and a robust response plan will give structure and help to alleviate stress.
With many of us now working from home, making video conference calls, uploading documents and conducting business online, how can you ensure that your data and systems are secure?
Keeping your devices fully up to date with the most recent security patches and upgrades makes a huge difference to the security of your data. This should be done regularly and on an ongoing basis, not as a one-off.
Your operating system, your antivirus and antimalware programs, and your router are just some of the things you should shore up immediately, since they are generally your first and last line of defence against external threats. If some of your staff use their own personal devices when working remotely, your firm can roll out a secure platform such as MobileIron, installed on those devices, to keep company data secure.
If you are working from home, ensure that your WiFi network is encrypted. A good start is to change the router’s default password, as a default password is an easy target for an attacker.
Default passwords tend to be weak; ‘admin’, for example. Note that this is not the password you use to join the network; it is the one that protects the router’s settings and configuration.
Two-factor authentication (2FA) requires two forms of identification to gain access, such as a password and a PIN code. This makes it much harder for an attacker to get in with guessed or stolen login details. If you don’t want to rely on set numbers and codes, you can also use apps such as Microsoft Authenticator or Google Authenticator; these send an approval notification to your phone, which you can either approve or deny.
Having the right training in place is central to working remotely. Assign appropriate training courses to your team (or ask your manager for the appropriate training) and ensure that everyone completes them. Reinforce staff responsibilities, including when to report cyber security issues.
Remind employees that while they work remotely, they must maintain the same level of professionalism in handling secure and sensitive data as they do in the office. That includes reminding people that personal email is not to be used in an official capacity, and that any physical documents kept at home must either be disposed of properly with a shredder or set aside securely (in a locked cabinet) to be shredded or securely filed at a later date.