Find out what steps small firms can take to keep customer data secure.
Customer data is any identifiable personal information about a customer held in any format, such as national insurance numbers, address, date of birth, family circumstances, bank details and medical records. It is extremely valuable to fraudsters and securing it is your firm’s responsibility.
In line with Principles 2 and 3 of the FCA Principles for Businesses, you should make an appropriate assessment of the financial crime risks associated with your customer data.
SYSC 3.2.6R requires firms to take reasonable care to establish and maintain effective systems and controls for countering the risk that your firm might be used to further financial crime.
Physical data security
Many small firms are responsible for their own office security. It is good practice to assess the risk of unauthorised access to your premises and ensure an appropriate level of security to protect your customer data.
You may wish to consider:
- installing alarms or CCTV
- restricting access to the office with the use of door buzzers or keypad entry
- monitoring visitors to your office by recording access and departure with a signing-in book and supervising visitors to your premises at all times
- discussing with local businesses or your local police force the key security risks in your area
- raising staff awareness of the risks of poor physical security
Questions to ask yourself:
- are your premises vulnerable to a break-in?
- is physical access to your premises and restricted areas, such as computer servers, properly controlled?
- do you maintain a clear-desk policy to reduce the risk of customer data being lost, stolen, or accessible to unauthorised persons?
- do you keep your filing cabinets locked when not in use?
Governance
In most small firms, data security is not considered as a specific risk and nobody is assigned responsibility for it. Many firms treat data security solely as an IT issue and do not involve key staff from across the business (such as those with responsibility for human resources, security and countering financial crime) in their data security work.
The FCA don’t expect small firms to use as much money or resource on data security as larger firms, but you should make an assessment of the risks to your customer data. It is also good practice to have written data security policies and procedures that are proportionate, accurate and relevant to your day-to-day business.
Some small firms have simple lists of ‘dos and don’ts’ in place of procedures. For some firms, this is an effective approach that makes the importance of data security easy for staff to understand.
Questions to ask yourself:
- is there a specific focus on data security in your firm?
- do you have any written policies or procedures covering data security and are they proportionate and relevant to your day-to-day business?
- do you have an open and honest culture that encourages staff to report data security concerns?
- do your staff understand why data security is important and do they know what to do to keep customer data safe?
- do you seek external help or liaise with peers about data security risks and implementing good internal controls?
Recruiting the right staff
Small firms must meet the FCA requirements for staff in FCA-approved roles to be fit and proper and carry out various checks to determine this, including credit checks and criminal record checks.
However, in most firms, more junior staff such as those in administrative roles tend to have access to the most customer data and therefore present a higher risk in terms of potential data loss or theft. In fact, there have been several cases where junior staff have been bribed or threatened by criminals who wish to obtain customer data to commit fraud.
Small firms’ recruitment processes for such staff often rely solely on personal recommendations or basic references. Firms should be applying a risk-based approach to reducing financial crime and enhancing recruitment checks where appropriate. You may wish to consider:
- credit checks and criminal record checks on staff with access to large amounts of customer data
- repeating credit checks periodically to ensure that staff in financial difficulties, who may be more susceptible to bribery or committing fraud, are appropriately managed
Questions to ask yourself:
- are you satisfied that people you recruit have the honesty and integrity to handle customer data?
- do you conduct credit checks and criminal record checks on staff with access to large amounts of customer data?
- do you hold regular meetings with staff and would you identify changes in employees’ circumstances that might make them more susceptible to committing financial crime?
- are there any aspects of your recruitment and staff management processes that could be improved to reduce the risk of data theft?
Staff training
Many firms rely on staff signing an annual declaration to confirm they have read policies and procedures but do not check whether staff understand them.
The FCA have seen some firms using simple and easily understood guidance and education for staff through group discussions, awareness raising emails, intranet sites, staff magazines and poster campaigns, none of which are expensive or time consuming.
It is good practice to put in place simple and effective methods to raise staff awareness and periodically test your staff’s understanding of data security.
Questions to ask yourself:
- do your staff understand the importance of data security and know how to keep customer data secure?
- do you provide your staff with any training on data security, and has this been tested?
Systems and controls
There are many systems and controls which can minimise the risks to customer data. You should consider which of these it is proportionate to put in place.
Poor controls lead to a greater risk of data loss or theft.
Access rights to IT systems
The FCA appreciate that staff need access to customer data to do their jobs. However, it is poor practice for staff to have access to systems or customer data that they do not need. It is good practice to check whether staff who change roles retain access rights that they no longer need, to remove access promptly when staff leave, and to conduct regular reviews of individuals' IT access rights against what their current role actually requires. You should also consider risk-based, proactive monitoring of staff to ensure that they are accessing or changing customer records only for genuine business reasons.
Questions to ask yourself:
- do my staff have access to customer data that they don’t need?
- when my staff change roles, are unnecessary access rights removed?
- could you perform random checks to ensure that staff are only accessing customer records for genuine business reasons?
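The two checks above (stale access rights after a role change or departure, and record lookups with no business reason) can be run as a simple reconciliation against whatever user list and access export your systems provide. The following is an added illustration, not code from the original page or from the FCA: the role names, entitlement names, the HR roster, the access export and the record-access log are all constructed sample data, and the role-to-entitlement map is a hypothetical stand-in for the firm's own procedures.

```python
"""Added example: reconcile an HR roster against IT access grants and
check customer-record lookups against case assignments.

All data below is constructed for illustration; a real firm would export
its own user list, access grants and access log.
"""

# Hypothetical map of role -> entitlements the role genuinely needs.
ROLE_ENTITLEMENTS = {
    "adviser":    {"crm_read", "crm_write"},
    "admin":      {"crm_read", "doc_archive"},
    "compliance": {"crm_read", "audit_log"},
    "finance":    {"crm_read", "payments"},
}

# Constructed HR roster: username -> (current role, still employed?)
HR_ROSTER = {
    "asmith": ("adviser", True),
    "bjones": ("admin", True),     # moved from finance to admin last quarter
    "cwhite": ("finance", True),
    "dgreen": ("adviser", False),  # left the firm; account should be gone
}

# Constructed access export from IT systems: username -> granted entitlements
ACCESS_GRANTS = {
    "asmith": {"crm_read", "crm_write"},
    "bjones": {"crm_read", "doc_archive", "payments"},  # 'payments' never removed after the move
    "cwhite": {"crm_read", "payments"},
    "dgreen": {"crm_read", "crm_write"},                # leaver still has access
    "shared_desk": {"crm_read"},                        # generic login not tied to a person
}

# Constructed record-access log: (username, customer record id)
ACCESS_LOG = [
    ("asmith", "C1001"), ("asmith", "C1002"), ("asmith", "C2201"),
    ("bjones", "C1001"),
]

# Constructed case assignments: username -> customers they are working on
ASSIGNMENTS = {"asmith": {"C1001", "C1002"}, "bjones": {"C1001", "C3300"}}


def review_access(roster, grants, role_entitlements):
    """Return (user, finding, entitlements) for every grant that needs attention.

    Findings: an account with no matching person (orphaned or shared), a leaver
    who still has access, or a mover holding rights their current role does not need.
    """
    findings = []
    for user, ents in sorted(grants.items()):
        if user not in roster:
            findings.append((user, "orphan_or_shared", sorted(ents)))
            continue
        role, active = roster[user]
        if not active:
            findings.append((user, "leaver_still_has_access", sorted(ents)))
            continue
        excess = ents - role_entitlements.get(role, set())
        if excess:
            findings.append((user, f"excess_for_role:{role}", sorted(excess)))
    return findings


def flag_unexpected_lookups(access_log, assignments):
    """Return (user, customer) pairs where the user is not assigned to that customer.

    These are prompts for a manager to ask about, not proof of wrongdoing;
    walk-in enquiries or cover for a colleague are legitimate explanations.
    """
    return [(u, c) for u, c in access_log if c not in assignments.get(u, set())]


if __name__ == "__main__":
    for finding in review_access(HR_ROSTER, ACCESS_GRANTS, ROLE_ENTITLEMENTS):
        print("ACCESS:", finding)
    for lookup in flag_unexpected_lookups(ACCESS_LOG, ASSIGNMENTS):
        print("LOOKUP:", lookup)
```

Running the script lists three access findings (a mover with a leftover payments right, a leaver whose account was never disabled, and a shared login) and one record lookup outside the user's assigned cases. The point of keeping the entitlement map explicit is that the review then tests access against the role rather than against whatever was granted last time, which is how rights quietly accumulate.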
Passwords and user accounts
It is good practice for each staff member to have their own username and password for IT systems, for good password standards to be in place and for firms to ensure that staff do not share usernames and passwords, or write them down.
Get Safe Online (https://www.getsafeonline.org/) recommended at the time that passwords should be a combination of letters, numbers and keyboard symbols, at least seven characters in length, and changed regularly. Note that more recent guidance from the NCSC and from NIST no longer recommends forcing regular password changes, which push staff towards predictable variations and written-down passwords; it favours longer passwords or passphrases, checking new passwords against lists of known-breached ones, and changing a password when compromise is suspected rather than on a fixed schedule.
Questions to ask yourself:
- do each of your staff have their own username and password?
- do your passwords meet the recommended standards?
- do your staff understand the importance of strong passwords?
- do any of your staff write down their passwords or share them with colleagues?
Taking customer data offsite
Many firms have staff who work from home or use laptops and other portable devices such as memory sticks and CDs to store or transfer customer data. You should consider the risks to your customer data that could arise from these situations, particularly loss or theft of a laptop or portable device.
It is poor practice for you or your staff to hold customer data on laptops and other portable devices that are not encrypted.
The Information Commissioner (https://ico.org.uk/) has said that firms should ensure that laptops and other portable devices used to store customer data are encrypted.
The FCA support this view. While the FCA appreciate that portable devices such as memory sticks and CDs are good business tools, such devices can be easily concealed and used largely undetected.
Therefore, you should consider the risk of data loss or theft that can arise if they are used without authorisation or in breach of procedures.
For example, you might wish to consider:
- disabling USB ports and CD writers on your computers if your staff do not need to use memory sticks or CDs to do their jobs
- issuing encrypted memory sticks to staff who need them
It is good practice to maintain a clear record of who owns laptops and memory sticks to ensure that you would notice if one had been lost or stolen. You might also wish to consider random checks of laptops to ensure that only staff authorised to hold customer data on their laptops are doing so.
Questions to ask yourself:
- do any of your staff work from home or take customer data offsite on laptops, memory sticks or CDs? If so, are the files containing customer data, or the devices themselves, encrypted?
- would you know if one of your staff’s laptops, memory sticks or CDs was lost or stolen?
- do you make regular checks on what customer data is being stored on laptops and other portable devices?
- if staff use home computers for business purposes, how securely is customer data held?
- do you understand the threats posed by increasingly sophisticated and quickly evolving mobile technology?
Backing up customer data
Many firms do not appreciate the risks of insecure data backup and storage methods and do not consider encrypting their backup data. This raises further concerns when the backup is held offsite by a third party, particularly when due diligence on the third party is insufficient. Many firms also allow their backed-up data to be held overnight insecurely.
Firms should consider reviewing their data backup procedures and consider the threats to customer data throughout the whole backup process – from the production of the backup tape or disk, through the transit process to the ultimate place of storage.
Questions to ask yourself:
- do you have agreed and consistent procedures for backing-up customer data?
- are your storage facilities sufficiently secure to minimise the risks to customer data?
- do you encrypt your backed-up data?
- have you carried out adequate due diligence on any third party that is entrusted with the storage of your backup data?
- if you rely on a staff member to hold backed-up data overnight, do they hold it securely?
Internet and email availability
The internet and external email are important business tools for financial services firms, but both increase the risk of data loss or theft if not controlled. It is therefore good practice to provide internet and email facilities only to staff with a genuine business need.
You should consider carefully the risks of allowing staff to access web-based communications, such as:
- web-based email
- social networking sites
- instant messaging
- file sharing software
If your staff use these, there is an increased risk that your customer data might be lost or stolen without you knowing. It is good practice to completely block access to these types of sites, especially if staff have access to customer data.
Questions to ask yourself:
- do all of my staff really need internet and external email access?
- can my staff access web-based communications tools such as Hotmail, Facebook and MSN Messenger?
- do any of my staff use file sharing software to listen to music while they are working?
- do I need to get software to stop staff accessing websites that pose a risk to customer data?
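Whether or not you block these sites outright, it is worth knowing which of them your staff reach and whether data is being sent to them rather than merely viewed. The following is an added example, not from the original page or the FCA, showing how a short script can classify a web proxy log against a list of webmail, social networking, instant messaging and file sharing domains and flag uploads. The log format, the usernames and the log lines are constructed for the example, and the domain list is illustrative; a firm would maintain its own or rely on a filtering product's categories.

```python
"""Added example: classify proxy log lines against blocked categories and
flag uploads (POST/PUT with bytes sent) to webmail, social, IM and file sharing sites.

Log format (constructed for this example): timestamp user method url bytes_sent
"""
import re
from urllib.parse import urlsplit

# Illustrative domain list; a firm would maintain its own.
BLOCKED_CATEGORIES = {
    "webmail": {"mail.live.com", "outlook.live.com", "mail.google.com", "mail.yahoo.com"},
    "social": {"facebook.com", "twitter.com", "linkedin.com"},
    "instant_messaging": {"messenger.com", "web.whatsapp.com", "web.skype.com"},
    "file_sharing": {"dropbox.com", "wetransfer.com", "mega.nz"},
}

# Constructed sample log lines (not real traffic).
LOG_LINES = [
    "2015-11-02T09:14:05 bjones GET https://www.fca.org.uk/firms 0",
    "2015-11-02T09:20:41 bjones GET https://www.facebook.com/ 0",
    "2015-11-02T10:02:17 asmith POST https://mail.google.com/mail/u/0/?ui=2 48211",
    "2015-11-02T10:05:03 cwhite PUT https://www.dropbox.com/upload 2310987",
    "2015-11-02T10:09:30 asmith GET https://mail.google.com/mail/ 0",
    "this line is malformed and is skipped",
]

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<bytes_out>\d+)$"
)


def categorise(host):
    """Return the blocked category for a host, matching the domain itself or any subdomain."""
    host = host.lower().rstrip(".")
    for category, domains in BLOCKED_CATEGORIES.items():
        for domain in domains:
            if host == domain or host.endswith("." + domain):
                return category
    return None


def scan(lines):
    """Return (user, host, category, kind, bytes_out) for each hit on a blocked category.

    kind is 'upload' for POST/PUT requests that sent data, otherwise 'visit'.
    """
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # malformed line; a real tool would count these
        host = urlsplit(m["url"]).hostname or ""
        category = categorise(host)
        if category is None:
            continue
        bytes_out = int(m["bytes_out"])
        upload = m["method"] in ("POST", "PUT") and bytes_out > 0
        findings.append((m["user"], host, category, "upload" if upload else "visit", bytes_out))
    return findings


if __name__ == "__main__":
    for finding in scan(LOG_LINES):
        print(finding)
```

On the sample lines this reports two visits and two uploads: a 48 KB post to webmail and a 2.3 MB put to a file sharing site. The upload distinction matters because a visit to a social networking site is a productivity question, while data sent to webmail or a file sharing service is the route by which customer data leaves the firm unnoticed. The suffix match (`host == domain or host.endswith("." + domain)`) deliberately catches `www.facebook.com` without also catching unrelated hosts whose names merely contain the string.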
Data disposal
It is important that you consider measures to ensure that all customer data is securely disposed of, whether it is in paper or electronic format.
The reputational and regulatory risks of disposing of data insecurely are high, and so is the financial crime risk to your customers. Many small firms tend to dispose of paper records by shredding all confidential waste in-house, and some use a specialist secure disposal company. It is good practice for you to use these methods.
On the electronic side, computer disks and CDs should be destroyed or shredded before disposal. You should also consider the secure disposal of computers and hard drives when they come to the end of their life. It is poor practice to simply dispose of a computer at a rubbish dump, donate it to a charity or sell it to your staff without first removing, destroying or wiping the hard drive. Deleting files or reformatting the drive does not remove the data; it can be recovered with freely available tools. If you choose to wipe the hard drive, specialist software that overwrites the whole drive should be used, and note that overwriting is not reliable on solid-state drives, which should be erased using the drive's own secure-erase function or physically destroyed. You should consult an IT specialist if you need advice.
Questions to ask yourself:
- do you shred your customer data onsite and are your staff aware of how they should be disposing of customer data? Do they need reminding?
- if you use a third party to dispose of customer data, do you know the company, how it destroys your data, and how they vet their staff?
- if you have ever disposed of a computer or given one to somebody else, did you wipe the hard drive with specialist software or remove and destroy the hard drive?
Third-party suppliers
Many firms use third-party suppliers to do jobs that could give them access to customer data, such as secure disposal, archiving, IT administration, office cleaning and security. It is good practice to satisfy yourself that you know your third-party suppliers, how they vet their staff and have a good understanding of their security arrangements. The FCA have found that many firms do not carry out due diligence on third-party suppliers before they hire them and some firms do not know who their cleaning and security staff are, which can put customer data at risk if files are not secure or there is no clear-desk policy.
If you use third-party suppliers, you should consider:
- conducting good due diligence to assess their policies and procedures, including recruitment, security and levels of service. You could achieve this by visiting third-party suppliers to ensure that you understand how they will treat your customer data
- monitoring and supervising their access to your offices and customer data
- using secure internet links, encryption, and registered or recorded mail when transferring data to third parties
Questions to ask yourself:
- do you know all of your third-party suppliers?
- have you carried out any due diligence on third parties, including their security arrangements and staff vetting policies?
- do you allow third parties to work unsupervised in the office? If so, do you lock away your customer data and enforce a clear-desk policy?
Compliance and monitoring
Most compliance officers at small firms don’t check whether data security policies or procedures are being followed. In addition, external compliance consultants used by many small firms do little or no specific work on data security with firms.
Questions to ask yourself:
- does your compliance officer or consultant do any work on data security? If so, does it cover any or all the areas highlighted here?
Last updated:02 Dec 2015
First published:31 Jul 2015