If you have a website, use email or cloud services, learn from the mistakes of others…
Someone out there really likes you. They think you have something that has value to them or to someone else (whom they will sell it to). They might be wrong…but they’re going to try and get hold of that thing anyway, just so they can find out. That thing is personal information.
Or they don’t like you. They don’t like what you stand for. Or they’re just bored and curious and mischievous…either way, they might look to cause disruption, embarrassment or both.
Either way, the underlying issues are the same: (i) there is value in personal information; it is one of your key assets (ii) online services bring benefits – e.g. easy ways to collect and process personal information; flexible storage; remote access – but also risks that must be addressed (iii) there are increasing expectations that you will take appropriate steps to look after personal information you decide to handle using online systems and services.
Top 5 tips for protecting personal information online
1. Check that the forms on your website are set up correctly
2. Change default usernames, passwords and settings
3. Hold your passwords securely
4. Ensure each and every password is difficult to crack
5. Keep your software up to date
Check that the forms on your website are set up correctly
Computers are dumb. They do what they are told. A criminal looking to steal all the personal data you hold will therefore try and simply ask a database for the information – e.g. “Tell me all the information you have about all donors.” And the database will automatically oblige…unless it’s set up correctly.
The criminal will look to give this instruction via the places on your website you use to collect and receive information – e.g. a form, such as ‘contact us’ or ‘submit your details here,’ or a search box. This works because these forms will often link to a database (or a part of the website which is hidden behind the scenes) which stores the personal information. So all the personal information could be accessed and copied without authorisation…or your knowledge.
This type of threat is known as “SQL injection.” The ICO states that this method “has been a common theme across the many computer-related data breaches” that they have investigated. Unsurprisingly, the ICO states that preventing, detecting and addressing this threat should “…be a high priority…in comparison to other vulnerabilities.”
How can I address this? Identify who is responsible for maintaining the source code; this will vary depending on whether the application is maintained externally or internally. One accepted best practice is to use the secure tools provided by the application programming interface (API) in use, in particular parameterised queries (also called prepared statements), which keep the database instruction fixed and pass the form input to it separately as data. These make sure that information entered on your website is never treated as a set of instructions, whatever it contains.
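An added example (not from the original article or the ICO) of the difference in practice: the same donor lookup written two ways against an in-memory SQLite database with constructed sample rows. The first pastes the form value into the SQL text and is injectable; the second uses a parameterised query, so the same crafted input is only ever a search term. The table, rows and the tautology payload are assumptions for illustration.

```python
"""Added example (not the article's or the ICO's code): an injectable donor
lookup beside its parameterised replacement, run against constructed data."""
import sqlite3


def make_db():
    """Constructed sample database: a 'donors' table holding personal data."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE donors (name TEXT, email TEXT, postcode TEXT)")
    conn.executemany(
        "INSERT INTO donors VALUES (?, ?, ?)",
        [
            ("Alice Example", "alice@example.org", "AB1 2CD"),
            ("Bob Example", "bob@example.org", "EF3 4GH"),
            ("Carol Example", "carol@example.org", "IJ5 6KL"),
        ],
    )
    return conn


def lookup_vulnerable(conn, name):
    """Injectable: the form value becomes part of the SQL text, so a crafted
    input is executed as an instruction rather than compared as a value."""
    sql = "SELECT name, email, postcode FROM donors WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterised(conn, name):
    """Hardened: the SQL text is fixed and the value is bound separately;
    the driver never interprets it as SQL."""
    sql = "SELECT name, email, postcode FROM donors WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


# Constructed payload: closes the quote and makes the WHERE clause always true,
# i.e. "tell me all the information you have about all donors".
MALICIOUS_INPUT = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    print("legitimate lookup:", lookup_vulnerable(db, "Alice Example"))
    print("vulnerable + payload:", lookup_vulnerable(db, MALICIOUS_INPUT))      # every row
    print("parameterised + payload:", lookup_parameterised(db, MALICIOUS_INPUT))  # []
```

The vulnerable function returns the whole table for the payload because the resulting query reads `WHERE name = '' OR '1'='1'`; the parameterised function returns nothing because it looks for a donor literally named `' OR '1'='1`. The fix is the same in every language and framework: never build the query text from user input.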
Change default usernames, passwords and settings
If the criminal knows, or guesses, the type of system, software or service you are using to store your personal information, they will try using the default settings and credentials (which can often be found with a simple search of the internet)…in the hope you haven’t changed them.
How can I address this? Ensure the default usernames, passwords and settings have been changed on, for example, your Content Management System (CMS); any database – e.g. holding Donor or Service User information; any operating system – e.g. Windows; and any administrative interface that is reachable over the internet, such as a hosting control panel.
Hold your passwords securely
Gaining access to the credentials (e.g. username and password) of your staff is valuable to criminals because
- it enables them to impersonate an authorised user;
- there is a chance that the user will have used the same credentials for other systems – whether work related or personal – meaning the criminal could gain unauthorised access to more than one system; or
- the one password may suggest a pattern, enabling the criminal to guess other passwords.
Where and how you store your staff and other users’ credentials therefore matters.
How can I address this? The ICO highlights a number of tools and recommendations that can be used:
Do not store passwords literally as they appear – i.e. in plain text.
Do not remind users of their passwords in plain text
Do use Hashing – a process of converting a password into a hashed value using a one-way function. Only the hashed value is stored, and the password is checked by hashing what the user types and comparing the result. If the criminal somehow obtains the hashes, they cannot directly work out what the passwords are. Use a slow, purpose-built password hashing function (for example bcrypt, scrypt, Argon2 or PBKDF2) rather than a fast general-purpose hash such as MD5 or SHA-1, because fast hashes let a criminal test billions of guesses per second.
Do use Salting – adds a string of random data, unique to each user, to the password before it is hashed, and stores the salt alongside the hash. This increases the length and unpredictability of the value that is hashed, so two users with the same password produce different hashes and a criminal cannot use one precomputed table of hashes against your whole user list. A typical salt length is 128 bits.
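An added example (not from the original article or the ICO) of hashing and salting done together, using PBKDF2-HMAC-SHA256 from Python's standard library. The 16-byte salt matches the 128-bit typical length cited above; the iteration count and the record format are assumptions chosen for illustration. Only the returned record is stored, never the password.

```python
"""Added example (not the article's or the ICO's code): salted, slow password
hashing with a constant-time verification step."""
import hashlib
import hmac
import os
from typing import Optional

SALT_BYTES = 16        # 128-bit salt, generated fresh for every user
ITERATIONS = 600_000   # assumed work factor; raise it as hardware gets faster
ALGORITHM = "sha256"


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt$hash'.
    The salt is stored in the record so verification can reuse it."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(ALGORITHM, password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_%s$%d$%s$%s" % (ALGORITHM, ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so response timing does not leak how close a guess was."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    algorithm = scheme.split("_", 1)[1]
    candidate = hashlib.pbkdf2_hmac(algorithm, password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_different_records(password: str) -> bool:
    """Two users who chose the same password get different stored values, so a
    stolen table neither reveals shared passwords nor yields to one lookup table."""
    return hash_password(password) != hash_password(password)


if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")
    print(stored)
    print(verify_password("correct horse battery staple", stored))  # True
    print(verify_password("Password1", stored))                      # False
    print(same_password_different_records("Password1"))              # True
```

Storing the algorithm and iteration count inside the record lets you raise the work factor later and re-hash each user's password at their next successful login without a big-bang migration.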
Ensure each and every password is difficult to crack
Should the criminal get hold of all, some or just one of your passwords, the time it takes them to successfully guess (‘crack’ or otherwise ‘decode’) the password needs to be made as long as possible. This will give you a chance to either detect the breach or be told about it (by an informed member of staff) and then do something about it (e.g. reset passwords) before the criminal can use the password.
The aim is to delay the point at which the criminal ‘cracks’ the measures you have put in place. The criminal will use software to try and guess passwords that are known to be common.
How can I address this? Ensure strong passwords are used. The ICO outlines the following:
(i) Creating a long password or phrase.
(ii) Using a wide range of characters, such as Uppercase letters; Lowercase letters; Numbers; Punctuation marks; and other symbols.
(iii) Avoiding dictionary words; simple substitutions (such as ‘p4$$w0rd’) and patterns from the physical keyboard layout (such as ‘qwert’ or ‘1qaz2wsx’).
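An added example (not from the original article or the ICO) of turning the three points above into a check you could run when a password is set. It undoes the common substitutions before comparing against a word list, and spots keyboard walks along rows and columns. The minimum length and the tiny word list are assumptions for illustration; a real deployment would check against a large list of leaked and dictionary passwords.

```python
"""Added example (not the article's or the ICO's code): a password check that
applies the ICO's three points, including de-substitution and keyboard walks."""

MIN_LENGTH = 12  # assumed minimum; longer is better

# Constructed tiny word list standing in for a real dictionary / leaked-password list.
WORDLIST = {"password", "welcome", "charity", "donor", "letmein", "summer", "admin"}

# Simple substitutions that cracking tools undo before comparing against a dictionary.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "1": "i", "!": "i",
                      "0": "o", "$": "s", "5": "s", "7": "t", "|": "l"})

# QWERTY rows, plus the columns built from them (1qaz, 2wsx, ...) and both reversed.
KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
KEYBOARD_LINES = KEYBOARD_ROWS + [
    "".join(row[i] for row in KEYBOARD_ROWS if i < len(row)) for i in range(10)
]
KEYBOARD_LINES += [line[::-1] for line in KEYBOARD_LINES]


def character_classes(pw):
    """Count how many of upper, lower, digit and symbol the password uses."""
    return (any(c.isupper() for c in pw) + any(c.islower() for c in pw)
            + any(c.isdigit() for c in pw) + any(not c.isalnum() for c in pw))


def contains_wordlist_entry(pw):
    """Check both the password and its de-substituted form (p4$$w0rd -> password)."""
    for form in (pw.lower(), pw.lower().translate(LEET)):
        if any(word in form for word in WORDLIST):
            return True
    return False


def has_keyboard_walk(pw, run=4):
    """True if any run of `run` characters lies along a keyboard row or column."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if any(chunk in line for line in KEYBOARD_LINES):
            return True
    return False


def check_password(pw):
    """Return the list of failed checks; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short (%d < %d)" % (len(pw), MIN_LENGTH))
    if character_classes(pw) < 3:
        problems.append("uses fewer than three character classes")
    if contains_wordlist_entry(pw):
        problems.append("built on a dictionary word or a simple substitution of one")
    if has_keyboard_walk(pw):
        problems.append("contains a keyboard-layout pattern")
    return problems


if __name__ == "__main__":
    for candidate in ["p4$$w0rd", "1qaz2wsx", "qwerty123!", "Violet-Harbour-47-Lantern"]:
        print(repr(candidate), check_password(candidate) or "OK")
```

The substitution step matters most: ‘p4$$w0rd’ has three character classes and would pass a naive complexity rule, but it normalises straight back to ‘password’, which is exactly what the criminal's guessing software tries first.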
Keep your software up to date
Threats keep changing…so software providers try to keep up. They do this by issuing updates (patches) to their software. Criminals can run automated scans across a range of online services searching for un-patched, out-dated or otherwise vulnerable software which they will then attack. Applying security updates as soon as they are available can be difficult in practice.
How can I address this? Adopt a practical procedure to ensure your software is being kept up to date. For example:
- Update during suitable maintenance periods.
- Co-ordinate with other updates.
- Test updates before rolling them out.
- Group multiple systems together that have similar requirements and therefore a similar update policy.
- Use automatic updates (if available, and if they do not impact upon business critical systems where testing might be needed first).
- Prioritise updates according to severity of the security flaws that they fix.