Safety & Security

1. Safety & Security By Kieran Bolko

2. Laws • The main law that you should be taking note of is the Data Protection Act 1998 – this law sets rules for the electronic processing of personal information. • As you will receiving a lot of your customer’s data such as email addresses, DOBs, mobile numbers and bank details, you will be classed as a ‘data controller’. Meaning you must follow information-handling practices including the eight data protection principles, you also have to register with the Information Commissioner to tell him/her you are storing personal data. • You must provide the information commissioner with the following details: • Your full name and address. • A description of the data being processed. • The purpose for which the information will be used. • From whom the information was obtained. • To whom the information will be disclosed and countries to which the may be transferred.

3. Laws continued … • After registering with the Information Commissioner, you must follow the eight principles behind the Act: • The data must be fairly and lawfully processed. • The data must be only processed for registered reasons. • The data must be adequate, relevant and not excessive. • The data must be kept accurate and up to date. • The data must be not kept for longer than is necessary. • The data must be processed in line with the data subject’s right. • The data must be kept secure at all times. • The data must not be transferred to countries without adequate protection.

4. Case Studies … • http://news.bbc.co.uk/1/hi/business/6227748.stm • The above story outlines how two massive high street brands broke the Data Protection Act, the two companies were Orange and Littlewoods. • The Information Commissioner reported that Orange had not kept their customer’s data secure (breaking principle 7) while Littlewoods did not process their customer’s details properly (breaking principle 1 and 2). • http://www.theinquirer.net/inquirer/news/2120515/mps-prison-sentences-protection-act-breaches • This story also reports on how the British government is demanding harsher punishments for people/companies that break the Data Protection Act.

5. Potential threats • Due to the presence of your business and the fact that you store a huge quantity of personal data on your system, you will be increasing your risk of being targeted by computer crime. • For example - http://www.guardian.co.uk/technology/2009/jan/27/hack-monster-data-recruitment • The theft of information is a type of computer crime and a severe case of it is reported in the above news article where 4.5 million people’s personal data was stolen by hackers. • With this in mind, computer crime and even malpractice may mean you could face threats in the future – An example of malpractice would be if you left your computer in your shop logged on and then someone saw information in a database opened up on the screen, which may result in theft of information.

6. Weak points Other potential threats result from weak points within ICT systems, including: • Data being wrongly entered into a system –fraudulent acts by which employees enter data with criminal intent are unlikely with your business situation but there is always a possibility. • Viruses, worms and Trojan horses – These could pose a big threat to your business, as viruses and Trojan horses can be programmed to steal data, so the large quantity of personal data you have on your system is at risk. • Data being stored offline, such as on an USB memory stick – Such data is vulnerable to loss or theft, this is relevant to you and your business as you may opt to use USB or CD-Rs to back up your databases, but if left unattended they could end up lost or stolen. • Internal staff not following procedures – Your employees must be trained to know how to efficiently and securely manage all the personal data being stored, if not, then all that information is at risk of theft. • Data being transmitted using a network – Because it is likely that you will need to transmit the personal data at some point, you will be using a network to do so, and there in itself increases your vulnerability to external threats due to the ease of unpermitted access.

7. Hardware measures These could include: • Introducing CCTV and alarm systems to the shop in order to prevent any thieves from physically stealing ICT equipment. • The computer/ICT system inside the shop could hold technologies such as voice recognition or biometric scanners to stop any unwanted people from accessing information stored on these devices, protecting customers’ personal data such as email addresses/bank details. • Other additional measures may include introducing passive infra-red alarm systems to the shop itself, to detect any movement, this would be appropriate to your business as this technology is relatively inexpensive.

8. Software measures • http://www.wired.co.uk/magazine/archive/2013/01/features/hacked?page=1 – Passwords are no longer as safe as they used to be so in order to maximise the protection of a password, you need to make sure all your passwords are a mixture of letters, numbers and capital letters, they shouldn’t be dictionary words, you should also try to make it as long as possible – an ideal password length is no less than 8 characters long. • Other software measures include: - Installing anti-virus software on all computers to ensure protection against malware. An example is Kaspersky which can detect a virus and destroy it instantly. - Changing the level of access on certain files depending on what is stored on the file. For example making the database full of your customer’s email addresses only have access for a certain user, this user then needs to enter a password to edit or look at the file.

9. Procedural measures • Procedural precautions are vital to ensure your business on and offline is secure, most procedures are very simple but greatly improve your security. • One obvious measure is to make sure all your passwords are kept secret and only the correct people know them, they should never be revealed and to optimise security, they could be regularly changed every month. • Additionally, your files should be stored in the correct places and under proper filenames to decrease the likelihood of loss.