LGPD Information Security for Small Businesses

The ANPD is encouraging small businesses to teach their employees about information security. Many small business employees may not be fully aware of the dangers or problems that occur every day. Things like avoiding clickbait scams, using strong passwords, and not using external storage devices may seem commonplace to some, but not to all.


The recommendations from ANPD suggest better awareness and training for employees. Training should cover things such as:

  • How to use work-related IT system security controls
  • Keep physical documents away in drawers or cupboards
  • Not share workstation logins and passwords
  • How to avoid becoming victims of common security incidents, such as clickbait links or pop-ups
  • Lock computers when moving away from your workstation
  • Always follow the information security policy guidelines

Businesses also need to make sure that they are creating an environment that encourages employees to report security incidents and shows them how to detect vulnerabilities. There is also advice about having employees sign non-disclosure agreements (NDAs) covering confidential information with personal data.

Outsourcing and Use of Cloud Services

Most businesses will find that they need to outsource elements of their service at some point, and cloud services are becoming increasingly popular. When it comes to outsourcing, it’s vital that a contract is signed with any third-party provider. It should include:

  • Information security clauses
  • Data destruction clauses
  • Rules for suppliers, partners and about data sharing
  • Definition of the relationship between the business and the third party
  • Guidance on how data processing is to be carried out

When it comes to cloud services, there are a few options to choose from now. It’s important to do your research and find the best choice. Some providers have greater data protection guarantees, so evaluate what each provider offers to find the best one for your needs. When you do make a decision, make sure that you enter into a service agreement with the provider to ensure there is adequate security on any stored data.

Destruction of Data

Any device that has data stored on it must have all data wiped from it before it can be disposed of. If it’s not possible to remove the data from the device before disposal then it must be physically destroyed.

Data Security

Article 6(VII) of LGPD requires businesses to use technical and administrative measures to protect personal data. This is to ensure that only those with authorized access can obtain the data. It should also stop any accidental or unlawful situations of destruction, loss, alteration, communication or dissemination.


Businesses must ensure they have an effective information security policy. This should be periodically reviewed and must include controls related to data processing, such as:

  • Data backups
  • Use of passwords
  • Data sharing
  • Software updates
  • Use of email and antivirus software


An organization is expected to have an internal computer network for employees to access. An employee’s access should be controlled by permission levels, meaning each employee only has access to what is necessary. Any access to specific locations, systems or networks will be entirely based on whether it is necessary to complete their role and responsibilities.


A small business’s computer network should be able to detect and prohibit weak or dangerous passwords. It should be able to implement a control that means all passwords created must meet certain criteria, such as a certain number of characters, use of upper and lower case letters, numbers and special characters.

Employees should be discouraged from reusing passwords or using default passwords. Systems should also be able to set timescales in which employees must change their password. Where possible, multi-factor authentication should be used.
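The password controls described above can be expressed as a single check, shown here as an added example that is not part of the ANPD guidance or the original article. The thresholds (`MIN_LENGTH`, `MAX_AGE`), the deny list and all function names are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import re
from datetime import date, timedelta

# Assumed policy values; the article names the criteria but not the thresholds.
MIN_LENGTH = 12
MAX_AGE = timedelta(days=180)
# Constructed sample deny list of default and commonly used passwords.
DENY_LIST = {"password", "admin", "123456", "changeme", "welcome"}

def _hash(password: str, salt: bytes) -> bytes:
    """Salted, slow hash so the stored history does not expose old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)

def history_entry(password: str) -> tuple[bytes, bytes]:
    """Create the (salt, digest) pair kept for the reuse check."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)

def check_password(candidate: str, history: list[tuple[bytes, bytes]]) -> list[str]:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    for label, pattern in (("lowercase", r"[a-z]"), ("uppercase", r"[A-Z]"),
                           ("digit", r"\d"), ("special", r"[^A-Za-z0-9]")):
        if not re.search(pattern, candidate):
            problems.append(f"missing {label}")
    # Strip digits and symbols so "Password123!" still matches the deny list.
    core = re.sub(r"[^a-z]", "", candidate.lower())
    if candidate.lower() in DENY_LIST or core in DENY_LIST:
        problems.append("default or commonly used password")
    if any(hmac.compare_digest(_hash(candidate, salt), digest)
           for salt, digest in history):
        problems.append("reused password")
    return problems

def must_change(last_changed: date, today: date) -> bool:
    """True once the password is older than the allowed timescale."""
    return today - last_changed > MAX_AGE
```

Note that `Password123!` satisfies every composition rule and is rejected only by the deny list, which is why the character criteria alone are not enough.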

Sensitive Data

If a business requires storage and processing of sensitive data then they must do what they can to make identification of the individual difficult. Whether it’s pseudonymization, anonymization or encryption, sensitive data should not be easily identifiable. This type of data should not be accessible on public networks.


Employees should avoid transferring any personal data to external storage devices. This includes USB sticks or external hard drives. If an external device is absolutely necessary then additional controls must be implemented, such as:

  • Inventory
  • Encryption
  • Storage in a safe place

Backups of data should be carried out regularly. When data backups do take place, it should be checked that the process has been completed and that there hasn’t been a problem that stopped the process partway. These backups should be stored in a place that is secure and distinct from the primary storage devices.
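One way to check that a backup run actually completed, as an added example that is not part of the original article: hash every file on both sides and report anything missing or different. The directory layout and file contents in `demo()` are constructed sample data, and the function names are assumptions.

```python
import hashlib
import tempfile
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Hash a file in 1 MiB chunks so large backups do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_backup(source: Path, backup: Path) -> dict[str, list[str]]:
    """Compare backup against source; any non-empty list means the run failed."""
    src, dst = manifest(source), manifest(backup)
    return {
        "missing": sorted(set(src) - set(dst)),
        "corrupt": sorted(n for n in src.keys() & dst.keys() if src[n] != dst[n]),
    }

def demo() -> dict[str, list[str]]:
    """Constructed sample: a backup job that stopped partway through."""
    with tempfile.TemporaryDirectory() as tmp:
        source, backup = Path(tmp, "source"), Path(tmp, "backup")
        (source / "hr").mkdir(parents=True)
        (backup / "hr").mkdir(parents=True)
        (source / "customers.csv").write_bytes(b"id,name\n1,Ana\n2,Bruno\n")
        (source / "hr" / "payroll.csv").write_bytes(b"id,salary\n1,5000\n")
        (source / "notes.txt").write_bytes(b"quarterly review\n")
        # Copied in full before the job was interrupted.
        (backup / "notes.txt").write_bytes(b"quarterly review\n")
        # Truncated mid-write when the job stopped.
        (backup / "customers.csv").write_bytes(b"id,name\n1,Ana\n")
        # hr/payroll.csv was never reached.
        return verify_backup(source, backup)

if __name__ == "__main__":
    print(demo())
```

Run the comparison immediately after the backup job, since files edited in the source afterwards will also show up as differing.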

Communication Security

Sometimes within a business it is necessary to transmit sensitive personal data such as salary information or medical records. When this need arises, it’s vital that the data and the process of transferring it are protected. Things like end-to-end encryption apps, TLS and HTTPS are important to consider when undertaking such tasks.

Network Traffic

An organization can do a great job of protecting its internal networks and applications, but it will always be necessary to access external networks. It’s important to install and maintain a firewall system. This will monitor, protect and prevent connections from untrusted networks. It’s also important to protect emails; this can be done with built-in antivirus and anti-spam tools.

Vulnerability Management Program

All of your systems and programs will need regular updates. This helps to protect against security risks but also helps to improve the program and fix any bugs or problems. Businesses must be aware of any new versions of their systems and applications, as well as keeping them all up to date. When necessary, you will need to install security patches or update anti-virus and anti-malware software.

Mobile Devices

We have seen a massive change in the way we access our work over the last two years with most of us working from home. Mobile phones played a huge role in this and yet this has a lot of risks. Where it’s necessary for smartphones and laptops to be used these must have controls like multi-factor authentication and safe storage when not in use.

Using a mobile device for both work and personal use is dangerous as personal use devices are more vulnerable. Our personal devices are more likely to have unsecured apps on them leaving them open to a security incident. Regardless of what device is being used it’s a great idea to make sure that the device can be wiped remotely in case of it being lost.

There are a lot of recommendations that may be difficult to implement for a small business or someone who doesn’t have experience in technology or privacy. Value Privacy can help in all aspects of protecting your company. From policies to security patches, anti-malware to a privacy health check we can make sure your company is protected from any risks. Contact us today to find out how we could help you.
