Security, Privacy and Data Protection in information technology
systems is NOT "Optional".
And yet, most people prefer to ignore the subject,
resorting to "ignorance is bliss" and convincing themselves that the problem will somehow go away.
For most small/medium organizations (and many large ones!), security in technology projects
is an "afterthought",
which people only consider when they
have to: usually when the "unthinkable" (a data compromise) happens...
The loss of people's data can be devastating
both on a personal and organizational level.
Why not take a few simple steps to prevent it...?
Everyone in your organization must have a security mindset!
Preferably everyone in all the organizations you work/associate
with will be security-educated,
because sadly, (naive/well-meaning) people remain the "weakest link".
Firstly, we must come to terms with the fact that it's impossible to be 100% secure, because there will always be "uncertainty". That does not mean we should "give up".
There are many areas of IT security that people in your team(s) need to be aware of; they include:
- Malware: https://youtu.be/cKlRc1_f5NY
- Phishing: https://youtu.be/WpaLmeHTp3I
- WiFi Safety: https://youtu.be/T5HCy3udooo
Sadly there is no "magic pill" we can take to make everything secure.
Thankfully, there are several simple principles/practices we can follow that will help!
Be paranoid about security.
(Sadly) Personal data is "Big Business"
(Unscrupulous) people/organizations are (actively) trying to "acquire" your data.
"Nasty" people are constantly running scripts, trying to "crack" websites.
If you hope to be successful, you should expect your website/application to
be "probed" by somebody somewhere.
Don't wait till the breach happens. Plan ahead and be paranoid!
We highly recommend reading "Only the Paranoid Survive" by Andy Grove:
https://www.amazon.com/Only-Paranoid-Survive-Exploit-Challenge/dp/0385483821
If you don't have "time" to read it, listen to the summary: https://youtu.be/jisR88yR9pk
Also, watch: 10 Things to be Paranoid About as an Entrepreneur: https://youtu.be/LqQomkp0P9Y
"Every program and every privileged user of the system should operate using the least amount of privilege necessary to complete the job."
The level of access granted to a person/user or program/script should be only that necessary for its legitimate purpose. The simple rule of thumb is: if the person/program only needs read-access don't give it write access. https://en.wikipedia.org/wiki/Principle_of_least_privilege
If you have an account on a system (e.g. GitHub or AWS), maintain accountability for yourself and others by never sharing your account or password with others.
Note: this is not a question of "trusting" the people in your life/work! We trust drivers with our lives each time we get into a vehicle with them, but not all trust is the same.
Most non-technical people do not have good "security habits".
e.g. some people click on any (every) link sent to them by "Facebook". Most people cannot distinguish a "real" email from "Facebook" from a fake (phishing) email. These people are trivial to socially engineer. Despite our multiple attempts to "educate" these people, unless they have "felt the pain" of identity fraud, for example, they are unlikely to see the benefit of being careful online.
I know this might sound "dramatic", but if I can impress the seriousness of this
upon you in a memorable way, I will do so:
Note: this is why systems that charge per user-account per month are to be avoided,
because they perversely incentivize people to share accounts in order to avoid paying
for more "users", "seats" or "licenses". Salesforce/Atlassian/Microsoft, we're looking at you!!
Encrypting data which does not need to be full-text searchable is generally a good idea.
Encrypting any/all personally identifiable data required by your application is essential.
If you are new to cryptography (encryption) see: https://github.com/dwyl/learn-cryptography
The Open Web Application Security Project (OWASP)
is a great source of information
about the most common vulnerabilities in web applications/sites.
see: https://en.wikipedia.org/wiki/OWASP
Rather than repeat the OWASP "Top 10" here we encourage you to view the list and learn how each vulnerability on the list can be mitigated.
Cheat Sheet: https://www.owasp.org/index.php/OWASP_Top_Ten_Cheat_Sheet
If you are interested in the ISO 27001 Information Technology Security standard,
please see: https://github.com/dwyl/ISO-27001-2013-information-technology-security
The General Data Protection Regulation (GDPR) is the new EU data protection framework that will take over from the UK Data Protection Act 1998 as of 25th May 2018, for any organisations operating in or offering goods/services to individuals in the EU.
[For the UK] The government has confirmed that the UK’s decision to leave the EU will not affect the commencement of the GDPR.
We have read through these and pulled out information relevant to the kind of work that we do at dwyl and focus mostly on changes from DPA, but please see the Recommended Reading section below for resources with further details which may pertain to you and are not included here.
- You must have a lawful basis to process personal data
  - The most common one here might be 6(1)(a) – Consent of the data subject, but a list can be found at https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider
- Consent
  - Must be opt-in ("consent cannot be inferred from silence, pre-ticked boxes or inactivity")
  - Must be separate from other Terms & Conditions
  - Must provide simple ways for consent to be withdrawn
  - No need to seek new consent from existing users, but "if you rely on individuals’ consent to process their data, make sure it will meet the GDPR standard on being specific, granular, clear, prominent, opt-in, properly documented and easily withdrawn"
  - For services offered directly to children, additional measures of protection for children's personal data will be put in place (see the 'Children's Personal Data' section on this page: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/key-areas-to-consider)
- Actions around individuals' rights; individuals must:
  - Be informed of a number of things upon provision of their information (either by them or by a 3rd party), such as the legitimate interests of the party collecting the data and the individual's right to withdraw consent at any time
  - Have access to their personal data and how it is being processed, for free, within one month of requesting it
  - Have the 'right to be forgotten' and be completely erased from the system
  - Have access to their data in a 'portable' form, i.e. a machine-readable form such as CSV, within one month of the individual's request for the data
- Explicit accountability and transparency policies & procedures are now required (this was implicit in DPA), such as https://github.com/dwyl/ISO-27001-2013-information-technology-security/blob/master/information-security-policy.md
  - A good start for this is to have a code of conduct (see the 'What will codes of conduct address?' section for more information)
- Personal data must be stored inside the EU (except in exceptional circumstances)
- Data processors will now also be held liable for compliance, not just the data controllers (who decide what and why personal data is processed)
- Privacy Impact Assessments are now mandatory for certain high-risk situations (this is still evolving as of the time of writing)
Fines for breaches and non-compliance are considerably heftier than under DPA and remember, both data controllers and data processors are now liable under GDPR.
- Why do we still write insecure software? (by Jeremy Bowers): http://www.jerf.org/iri/post/2942
- Google (Online) Safety Center: https://www.google.com/safetycenter (lots of good advice)
- Node Security Resources: https://nodesecurity.io/resources (loads of great resources!!)
- EU General Data Protection Regulation: https://en.wikipedia.org/wiki/General_Data_Protection_Regulation
- Robot Laws (Data Protection Regulation - Tableflip Podcast): https://overcast.fm/+HVTBxY7_w
- Guide to data protection: https://ico.org.uk/for-organisations/guide-to-data-protection/
- Data Protection Principles: https://ico.org.uk/for-organisations/guide-to-data-protection/data-protection-principles/
- HTTPS and SSL in plain english: https://youtu.be/_p-LNLv49Ug
- The UK’s 15 most infamous data breaches: http://www.techworld.com/security/uks-most-infamous-data-breaches-2016-3604586/
- Cyber Security Breaches Survey 2016 (Official UK Gov report): https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/521465/Cyber_Security_Breaches_Survey_2016_main_report_FINAL.pdf
- Calling Humans the “Weakest Link” in Computer Security Is Dangerous and Unhelpful: http://www.slate.com/blogs/future_tense/2016/01/22/calling_humans_the_weakest_link_in_computer_security_is_dangerous.html
- GDPR Overview and Latest Developments: https://ico.org.uk/for-organisations/data-protection-reform/overview-of-the-gdpr/
- Security Now: https://twit.tv/shows/security-now is the go-to place to learn "complex" topics in general security and technology security specifically.
- Securing your WiFi network: https://youtu.be/_WHynHcXm7c