Improving data security could save you a fortune

If your business fails to keep personal data secure, it could be breaking the law and heading for enormous costs. Darren McMahon, marketing director at Viessmann, says the best defence is to follow government recommendations for best practice.

Viessmann has recently been made aware of an email scam, known as phishing, where emails appear to originate from Viessmann Limited. Having been on the receiving end of our name used to commit fraud, we reviewed our security and are satisfied that our working practices mean that customer data is secure. At Viessmann, we take data security very seriously and therefore would like to ensure Viessmann installers are aware of their responsibilities when it comes to the handling of customer’s data.
One of the greatest commercial risks facing plumbing and heating businesses, no matter how large or small they are, is breaches in data security. If you are involved with the processing of personal data, you will be required by law to comply with the Data Protection Act, but this legal responsibility is threatened every day by cyber attacks on UK companies by unknown enemies attempting to steal information, to steal money, or to maliciously disrupt business.

If this sounds sensationalist, consider the facts: the government’s latest annual Security Breaches Survey reveals that a breach was suffered during the previous year by no less than 90 percent of the large organisations surveyed and 74 percent of the small businesses. The typical cost of the worst single breach suffered by these companies was £75,200 to £310,800 for small businesses (with less than 50 employees) and a staggering £1.46m to £3.14m for large organisations (with more than 250 employees). This financial damage arises from business disruption, lost sales, recovery of assets, fines and compensation. On top of all this, the reputational damage which drives away customers can cost untold sums for years.

It’s not only malicious outsiders who pose a threat: 75 percent of the large organisations and 31 percent of the small businesses questioned in the government survey had also experienced, during the previous 12 months, staff-related security breaches. And this isn’t usually the work of disgruntled employees. Half of the companies reported that the single worst breach they suffered was caused by human error. Inadequate staff training can have costly consequences and the increasing popularity of portable data-carrying devices, such as tablets and smart phones, is escalating the risk.

Your legal obligation

All this is happening despite companies having legal responsibilities under the Data Protection Act to safeguard “personal data,” which means information about staff and customers. The Act is underpinned by eight principles and the seventh of these states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”

‘Data’ is defined by the law as information that is, or is intended to be, processed by computer. This extends to information that is recorded as part of a filing system that allows easy access to specific information about individuals. ‘Personal data’ relates to a living individual who can be identified from the data. This includes opinions about the individual and any indications of intentions of any person in respect of the individual.

In practice, this means you must have appropriate security to prevent the personal data you hold being accidentally or deliberately compromised. You can never be totally safe, but most online attacks can be prevented or detected with basic security practices for your staff, processes and IT systems. These security practices are as important as locking your doors or putting your cash in a safe. In particular, you will need to:

  • Design and organise your security to fit the nature of the personal data you hold and the harm that may result from a security breach
  • Be clear about who in your organisation is responsible for ensuring information security (the ‘data controller’)
  • Make sure you have the right physical and technical security, backed up by robust policies and procedures and reliable, well-trained staff
  • Be ready to respond to any breach of security swiftly and effectively

Six easy safeguards for all businesses

You don’t need to be an IT expert to take crucial precautions for your online security. These are six easy steps:

  1. Download software updates as soon as they appear. These contain vital security upgrades that keep your devices and business information safe.
  2. Use strong passwords made up of at least three random words. Using lower and upper case letters, numbers and symbols will make your passwords even stronger.
  3. Delete suspicious emails as they may contain fraudulent requests for information or links to viruses.
  4. Use anti-virus software on your computers, tablets and smartphones to help prevent infection from viruses or malware.
  5. Increase protection of your networks (including wireless networks) against external attacks through the use of firewalls, proxies, access lists and other measures.
  6. Train your staff so that they are aware of cyber security threats and how to deal with them. One way of doing this is via the government’s free online training courses, which take about an hour to complete. Visit www.nationalarchives.gov.uk/sme

Six more steps for bigger businesses

Larger businesses, with in-house or third-party IT services, should ensure that whoever handles systems and data also has these security controls in place:

  1. Risk assessment: Identify the areas where the data held by your business may be at risk. Consider physical risks such as fire, flooding, theft or vandalism and the potential impact of human error, such as the careless carrying or disposal of data.
  2. Secure configuration: maintain an inventory of all IT equipment and software. Identify a secure standard configuration for all existing and future IT equipment used by your business. Change any default passwords.
  3. Manage user privileges: restrict staff and third-party access to IT equipment, systems and information to the minimum required. Keep items physically secure to prevent unauthorised access.
  4. Encrypt home and mobile working: ensure that sensitive data is encrypted when stored or transmitted online so that data can only be accessed by authorised users.
  5. Removable media: restrict the use of USB drives, CDs, DVDs and secure digital cards, and protect any data stored on such media to prevent data from being lost and malware from being installed.
  6. Monitoring and reviewing: monitor use of all equipment and IT systems, collect activity logs, and ensure that you have the capability to identify any unauthorised or malicious activity.

With these steps taken, it will still be necessary to guard against complacency. It is crucial to test, monitor, and improve your security controls regularly to manage any change in the level of risk to your IT equipment, services and information.

If after all these precautions you still fall victim to online fraud or attack, you should report the incident to the police via the Action Fraud website. You may also need to notify your customers and suppliers if their data has been compromised or lost.

More advice on your business’s personal data responsibilities, plus guidance on IT security, can be found on the Information Commissioner’s Office website: https://ico.org.uk/for-organisations.

What is Viessmann doing?

Viessmann has recently announced that it is introducing the first boilers with WiFi and internet connectivity. This will help installers increase customer loyalty and repeat business by responding promptly to automatic fault notifications, with the added convenience of remote performance monitoring and online service-planning. This technology gives installers the opportunity to manage servicing and repairs more conveniently while providing the highest levels of customer service, enhancing the prospects of valuable repeat business and new referral business.

Just as important as the features of the internet connected boiler is the assurance that homeowners data, such as usage and settings, is safe and cannot be accessed by any third party. Viessmann has achieved this by using Secure Sockets Layer (SSL) protocol – the same technology found in email - to establish an encrypted connection. Viessmann’s WiFi connectivity on its new boiler range has been independently certified by VDE, the Smart Home test platform.