Are you ready to answer client questions about security?
Professional firms are increasingly being asked about their security arrangements and how they protect client data from cyber attacks and from data loss generally. In the wake of high-profile cyber attacks and data breaches, business clients as well as consumers are starting to question their professional advisors about their safeguarding arrangements.
The following questions are an example of those being asked – can you answer these now?
1. Do you conform to any established security standards?
There is a range of security standards, including Cyber Essentials, IASME and ISO 27001. Achieving a security standard helps to demonstrate that the business has considered data security and takes it seriously. The choice of standard will depend upon the risks perceived by the business, but achieving the first level of Cyber Essentials is a good starting point and, for most professional firms, an ‘essential’ first step.
2. Do you have an Information Security Policy?
A policy of this nature demonstrates an awareness of the need to address security within the business and should be made available to stakeholders as well as employees. The policy can cover: responsibilities for security; references to relevant legislation; personnel security; asset management; access management; system procedures; processes relating to data management, and so on.
The development of a policy will enable the business to examine and understand areas of risk to data held and to ensure processes are in place to protect the data.
3. Where is our data stored?
On the face of it a straightforward question, but all too often senior management cannot answer it without first asking more questions internally.
This is a key concern for clients, and fully understanding where data is stored is vital in demonstrating professional custodianship. Locations include not only live or working storage but also backup locations, such as tape or online services, and any copies held by third-party providers.
4. Who has access to our data?
In many instances access to key data is through applications in which users are allocated access for specific purposes. However, some businesses use generic (shared) login accounts for such applications or do not enforce password requirements, so activity cannot be traced to an individual. In addition, key client details may be held in unprotected document files in general directory folders available to all staff for convenience rather than necessity.
Professional firms and other businesses retaining confidential information should review access rights on a regular basis, and a policy should be developed detailing the rules on data access: who may access which data, for what purpose, and how that access is granted and removed.
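The following is an added example, not code from the original article: a small audit that finds the situation described above, files in a shared folder that every account on the system can read. It walks a directory tree, flags regular files whose POSIX mode grants read access to "other", and lists names that look like client material first. The folder layout, file names and the keyword list are constructed for the demo and are assumptions, as is the choice of POSIX mode bits as the access model.

```python
"""Added example (not from the original article): audit a shared folder for
files that every account on the system can read.

Assumptions: POSIX permission bits are the access model, and the sample share,
file names and SENSITIVE_HINTS keywords are constructed for the demo.
"""
import os
import stat
import tempfile
from dataclasses import dataclass

# Assumption: name fragments that suggest confidential client material.
SENSITIVE_HINTS = ("client", "contract", "payroll", "passport")


@dataclass
class Finding:
    path: str             # path relative to the share root
    mode: str             # e.g. "-rw-r--r--"
    sensitive_name: bool  # file name matches one of SENSITIVE_HINTS


def is_world_readable(mode: int) -> bool:
    """True when the 'other' read bit is set on a st_mode value."""
    return bool(mode & stat.S_IROTH)


def audit_share(root: str) -> list[Finding]:
    """Return every regular file under root that any user can read,
    client-looking names first, then alphabetically by path."""
    findings: list[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)       # lstat: do not follow symlinks
            except OSError:
                continue                  # entry vanished or is unreadable
            if not stat.S_ISREG(st.st_mode):
                continue                  # skip links, sockets, devices
            if is_world_readable(st.st_mode):
                findings.append(Finding(
                    path=os.path.relpath(path, root),
                    mode=stat.filemode(st.st_mode),
                    sensitive_name=any(h in name.lower() for h in SENSITIVE_HINTS),
                ))
    findings.sort(key=lambda f: (not f.sensitive_name, f.path))
    return findings


def build_sample_share(root: str) -> None:
    """Constructed sample share: two of four files are readable by everyone."""
    sample = {
        "clients/client_list.xlsx": 0o644,        # world-readable, client data
        "clients/engagement_letter.docx": 0o640,  # group only
        "general/newsletter.docx": 0o644,         # world-readable, harmless
        "general/payroll_2023.xlsx": 0o600,       # owner only
    }
    for rel, mode in sample.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write("sample content\n")
        os.chmod(full, mode)  # chmod ignores umask, so the mode is exact


def demo() -> list[Finding]:
    """Build the sample share in a temporary directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_share(root)
        return audit_share(root)


if __name__ == "__main__":
    for f in demo():
        flag = "CLIENT DATA?" if f.sensitive_name else ""
        print(f"{f.mode}  {f.path:35s} {flag}")
```

Run against a real share root instead of the constructed sample to produce the list for a periodic access review. The script reads POSIX mode bits only; on a Windows file server the equivalent check is against NTFS ACLs (for example with `icacls` or `Get-Acl`), and a group such as "Everyone" or "Domain Users" with read rights is the finding to look for.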
5. Has the system been tested against Cyber attacks?
This is a very general question, as the variety of cyber attacks is so wide and new ones are constantly being developed. Undertaking a vulnerability assessment or penetration test provides useful information about the system's strengths and weaknesses and allows this question to be answered with greater confidence.
Vulnerability testing is part of Cyber Essentials Plus and seeks to identify weaknesses in the external cyber defences. Penetration testing can take many different forms and can include the testing of physical security as well as cyber and system defences; a report should state what was in scope, what was found and what has since been fixed, since a test only describes the system as it was on the day.
6. How do you check new employees?
Recruitment is often difficult enough and adding a layer of security checking may be seen as a step too far. It will be up to each business to assess the risks involved in recruitment and the extent to which checks are required.
Obtaining references from previous employers should be seen as a minimum, and checks with regulatory bodies, criminal record checks and credit reference agency checks may be deemed necessary depending on the role.
7. How do you deal with redundant systems?
This is typically asked by more security-aware clients, and generally professional firms have processes in place when disposing of servers and desktop PCs. There are many recycling companies providing services to destroy hard disks and the data stored on them, and they will provide certificates to this effect.
Caution is required when allowing employees to buy redundant equipment, as the need to delete data securely is often overlooked; simply deleting files or reinstalling the operating system does not remove the data. The safest approach is to remove the original hard disk, have the disk and its data securely destroyed, and keep the destruction certificate as a record. Bear in mind that laptops, phones and removable media hold data just as servers do and need the same treatment.
If you are not comfortable with your ability to answer the above questions, or the issues have not yet been dealt with by your business, it is strongly recommended that steps are taken to develop the necessary policies and answers before your clients and prospective clients pose the questions.
The first step would be to consider achieving the Cyber Essentials security standard; the process is straightforward, and for more information see our web page. Otherwise, look at developing an Information Security Policy, as this will also enable you to answer the questions with confidence. A template is available from us; for a copy, or for other enquiries, please email us or telephone 020 3195 3957.