Beware of using unauthorised IT systems at work


With human error the leading cause of data breaches, the Information Commissioner’s Office (ICO) has produced a handy toolkit to help businesses communicate the importance of information security to staff.

At Hayes Connor, we’re sharing some of the tips included in this toolkit to raise awareness of the importance of this issue, and to help organisations across the UK improve their data protection processes.

Tip: All information you work with has value. Only use authorised IT systems

The risk of using unauthorised systems

When personal and sensitive data is processed and accessed via authorised IT systems, it’s easier to keep it safe and prevent cybercriminals from getting their hands on it. On the other hand, systems that are not effectively managed will be vulnerable to attacks that may have been preventable.

Quick tips

Here are some quick tips to help employers keep the data they hold on their systems safe.

  • Put strict policies and procedures in place to ensure the safe processing of information – both in and out of the office
  • If you allow mobile working, establish what devices and applications are allowed to access your network, where, when and how it can be accessed, and any penalties for breaching the policy
  • Implement tools and practices to protect data on mobile devices. This should include things like Two Factor Authentication (2FA), password controls, and the ability to remove sensitive data from devices remotely
  • Make sure that all staff receive regular data protection training to make sure they understand the potential consequences of breaching data protection laws.

However, even authorised IT systems can be manipulated if not managed properly. For example, Equifax’s failure to patch a server flaw resulted in hackers potentially stealing 143 million US citizens’ data, and the personal details of up to 15 million Brits. This sensitive information included email addresses, passwords, driving licence numbers and phone numbers.

So employers should also make sure that they:

  • Only use supported software, operating systems, web browsers and apps
  • Develop and implement policies to update and patch systems regularly
  • Create and maintain hardware and software inventories: so you know what is being used across your business, together with the version and patch status of all software
  • Deploy tools to help identify unauthorised hardware or software use
  • Make sure that any functionality or application that doesn’t support a business need is removed or disabled
  • Conduct regular vulnerability scans
  • Establish configuration control and management policies for all systems
  • Disable unnecessary devices and prevent removable media access
  • Ensure that regular users cannot install or disable any software or services running on the system
  • Limit privileged user functionality

A key principle of the GDPR is that businesses must process personal data securely by means of ‘appropriate technical and organisational measures’. Find out more about how to do this on the ICO’s website.

Not just hackers

Data breaches are not just caused by cybercriminals. For more advice on how to keep your data safe, follow our #notjusthackers campaign on Twitter and Facebook.

Alternatively, if you have been the victim of a data breach or cyber fraud, find out how we can help you to recover any losses, or give us a call on 0151 363 5895 to discuss your case in more depth.