In this golden age of data, the need for organisations to effectively meet their privacy and risk obligations is paramount. Privacy and risk expert, Daryll Holland, offers the following tips that schools can implement to help mitigate the risk of breaches.
8 tips for data security!
1. It might sound obvious but…
- Beware of social engineering. If you didn’t expect the email, chances are it could be a phishing attempt. If you didn’t expect the call, validate the person’s identity and call them back on their registered office number. If you didn’t expect the person, don’t let them in until validated.
2. Be secure
- Beware the dangers of working on public WiFi. Put your laptop away and enjoy your latte instead.
- Always make sure your computer is receiving updates to its antivirus; speak to your IT team if you have any doubts.
3. It’s not just digital
- Be careful what you leave lying around in the office; ensure your desk remains clear of confidential or personal information.
- Always collect your printouts. You will be surprised at what you can sometimes find left on a printer!
- Having visitors is lovely, just be careful what they can see and ensure they are accompanied wherever possible.
4. Get in the habit
- Always lock your computer when you walk away from it, even if it’s for a couple of minutes. It can take seconds for someone to access something they shouldn’t have access to – imagine the consequences in a school environment. Have you ever had to investigate a situation where a student changed their own behaviour record on a staff computer because it was left unlocked? I have!
5. Transferring data
- Always transmit data containing personal information securely.
- If you have to use email, then password-protect files that contain personal information before transferring them out of your organisation’s control. Deliver the password via another means, such as a phone call to the individual.
- Double-check your To: field and always remember to use BCC if contacting large numbers of people.
6. USB/removable media
- Avoid using USB sticks altogether for storage of any data that contains personal information. With modern cloud technologies at your disposal, think about changing your habits in this area.
- If you have to use a USB stick in your role, consider purchasing an encrypted USB stick. Remember, a lost USB stick with lots of personal information on it could easily become a notifiable breach.
7. Embed security into your work pattern
- Consider security at the start of a project, rather than as an afterthought. A Privacy Impact Assessment is a very good way of risk-assessing a project at the early stages and ensuring the necessary security controls are in place to protect personal information.
- Consider keeping a departmental risk register. Using a risk register can help you remain transparent about any security concerns you have and quickly decide on ways to mitigate the risk. It’s also very useful evidence that you are considering security in your work.
8. Get to grips with your passwords
- Consider using a password manager where appropriate and make your passwords suitably complex. On that note, the US National Institute of Standards and Technology (NIST) announced new recommendations on password management last year. In short, they recommend 8-64 characters, not forcing a routine password change, and using a combination of random words instead of your traditional complex password. It will take a while for this to be generally accepted, as it’s a significant change to current practice almost everywhere.
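The NIST guidance above, as an added illustration that is not part of the original article: a length-only policy check (8-64 characters, no forced composition rules) beside a random-word passphrase generator. The short word list is constructed for the example; a real deployment would use a large published list.

```python
import math
import secrets

# Constructed sample word list (assumption: illustration only, far too small for real use).
WORDS = ["anchor", "bishop", "cactus", "dragon", "ember", "falcon", "garnet",
         "harbor", "igloo", "jasper", "kettle", "lantern", "meadow", "nectar",
         "orbit", "pepper", "quartz", "ripple", "saddle", "timber", "umbra",
         "velvet", "walnut", "yonder", "zephyr"]

MIN_LEN, MAX_LEN = 8, 64   # the 8-64 character range from the NIST guidance


def check_password(pw: str) -> list:
    """Return a list of policy failures; an empty list means the password is accepted.

    Only length is enforced. There is deliberately no "must contain a digit or
    symbol" rule and no expiry date, in line with the guidance described above.
    """
    problems = []
    if len(pw) < MIN_LEN:
        problems.append(f"shorter than {MIN_LEN} characters")
    if len(pw) > MAX_LEN:
        problems.append(f"longer than {MAX_LEN} characters")
    return problems


def generate_passphrase(n_words: int = 4, sep: str = "-") -> str:
    """Join n_words words chosen with a cryptographic RNG (secrets, not random)."""
    return sep.join(secrets.choice(WORDS) for _ in range(n_words))


def passphrase_entropy_bits(n_words: int, wordlist_size: int = len(WORDS)) -> float:
    """Entropy of a passphrase built from n_words uniformly chosen words."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    phrase = generate_passphrase()
    print(phrase, check_password(phrase), f"{passphrase_entropy_bits(4):.1f} bits")
    print("P@ss1", check_password("P@ss1"))   # rejected purely for length
```

The entropy figure shows why the word list size matters: four words from this 25-word list give under 19 bits, whereas a 7,776-word list gives about 52 bits for the same four words.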