At Jascom Ltd we continuously remind clients that they should take care to manage the data collected on their website. We have seen an increase in hacking attempts across all websites lately, since more people are working from home, where security may not be as tight as on office networks. Clients have an obligation to secure and manage the data they collect under the EU GDPR regulations. Our advice is therefore to continuously review the security of your data and to educate your staff on the risks.
You should consider the impact of any of the events below on your business:
Where a hacker has illegally gained access to the back end of a website and may then access login details, customer details or financial details. They may or may not deface the website, redirect it to another website or update it with false information.
Where a hacker sends an email to someone in your company with the specific goal of retrieving information, either by impersonating a company employee (spear phishing) or by getting them to click on an insecure link which loads spyware onto a PC.
Anti-spam technology
SPF and DKIM records
Where a device (phone, laptop or desktop) holding customer data is lost or stolen from the company. The device is often wiped and resold, but the risk is that any data on it could be used maliciously by hackers, published online or used for extortion purposes.
Where a hacker has illegally gained access to your business or home device or network via a remote connection. The hacker may attempt to steal personal information, inject malicious software onto your network or even record you via your device's webcam or microphone.
Clients should appoint a Data Protection Officer no matter how big or small the company is. Under the GDPR regulations there is a requirement to manage customer data responsibly and to keep it secure. In practical terms this means reviewing the places where you store data, such as computers, email, databases, websites and paper files. Having completed the review, you should categorise the data by how sensitive it is and how long you should store it. You should then allocate a task to have the data further secured, or deleted if it is no longer relevant, e.g. old customer orders. All of this should be outlined in a Data Protection Policy.
Clients should review who has customer data access within their organisation and whether the data is unnecessarily overexposed. In practical terms, a review should be undertaken to see which employees can access what data and for what purpose. Are generic login accounts being used and shared among several employees to access data? Do login accounts for former employees still exist on systems and could they be used to access data? The recommendation is to restrict data access to the employees who need it, never use generic login accounts, and delete old accounts and data that are no longer in use.