16 Nov 2022

How to keep employee data safe and prevent data leaks

Personal data is a valuable asset in today’s world. Protecting information has never been as important as it is now, with data breach fines reaching up to £4M and 39% UK of companies reporting a cyber attack in 2022.

What is PII and why is it so valuable?

As an employer you are a handler and a controller of your employees’ personal data (PII). This means that you need to handle it in accordance with GDPR principles, so it does not end up in the wrong hands. Information such as bank accounts, addresses and salary information can be used in fraudulent activities, which can have harmful financial and emotional consequences for the affected employees. That makes your HR system, and the data it contains, a top target for hackers.

The cost of complacency when it comes to data protection

Not taking all the necessary actions to keep your employees’ data safe can lead to costly consequences. In a recent UK data breach case, the ICO fined Interserve with £4.4m for not having appropriate measures in place to protect their employee’s data from a phishing attack. According to the ICO report both the company’s systems and the lack of proper staff training enabled the hackers to gain access to the the personal data of over 100,000 employees using a phishing email. John Edwards, the UK Information Commissioner warns companies that “the biggest cyber risk businesses face is not from hackers outside the company, but from complacency within the company. If your business doesn’t regularly monitor for suspicious activity in its systems and fails to act on warnings, or doesn’t update software and fails to provide training to staff, you can expect a similar fine from my office.”

How to manage data security?

Data sharing code of practice

The most important step you can take is to have a data sharing code of practice, which stop the use of email to share any type of PII. Most modern HR and business systems store data safely and encrypted in the cloud where there is no risk of unauthorised access. Whenever the data leaves that system to be uploaded in another system or be shared with someone else, for example, the risk of a breach increases.

Data security awareness

On top of that, you need to ensure your staff are properly trained on data security awareness, cybersecurity risks and on how to identify phishing attempts. 90% of data breaches are caused by human error (adding the wrong address in cc, a typo in the email) and the majority of the remaining 10% of breaches are caused by phishing attacks (someone impersonating your accountant etc).

What is the alternative to sharing sensitive information via email?

To handle data with due care you need to either let employees input data themselves where you need it, or make sure the data is password protected or encrypted before sharing via email or use an access-restricted cloud drive. Zelt is the single interface for all employee data, and we take data protection extremely seriously. Personal data is provided and kept up to date by employees themselves and it never leaves the platform. Any external parties such as accountants can be given access and you can determine precisely what they can see or not see, and you can easily take away access again. This removes the use of emails for PII exchange and significantly reduces risk. This approach is not only more secure but it also makes emails and manual data entry obsolete and who wouldn’t want to get rid of that.

How a Cyber Essentials certification can help reduce the risk of a data breach

Overview of Cyber Essentials

Cyber essentials is a UK government baked programme, which helps organisations protect themselves against a range of common cyber attacks and allows them to demonstrate their commitment to cyber security.

Cyber Essentials certification

Cyber Essentials is the self-assessment option, which gives protection against a host of common cyber attacks.

To gain a Cyber Essentials certification you will need to carry out a Cyber Essentials questionnaire which you can do via a National Cyber Security Centre approved partner. Obtaining a Cyber Essentials certification not only demonstrates to external stakeholders your commitment to defending against common cyber attacks but also attacks as a deterrent against criminals who seek out organisations without Cyber Essentials defences in place.

Cyber Essentials Plus certification

Cyber Essentials Plus is built on the same framework as Cyber Essentials, however, to achieve a Cyber Essentials Plus certification your organisation will have to undergo a verification step carried out by an independent auditor.

Cyber Essentials requirements

As mentioned, the first step in the Cyber Essentials checklist consists of doing a self assessed questionnaire, which relates to the five Cyber Essentials security controls:

The second Cyber Essentials requirement is for organisations to confirm that they have read the requirement’s for IT infrastructure document as part of their application. Once you’ve have completed this Cyber Essentials checklist you’ll be issued with your Cyber Essentials certification, which is valid for 12 months.

Cyber Essentials Plus requirements

Cyber Essentials Plus certification involves completing the same Cyber Essentials questionnaire as above. However, an additional Cyber Essentials plus requirement is having a technical audit of in-scope systems, an on-site assessment, internal vulnerability scans and an external vulnerability scan, all of which is carried out by a Cyber Essentials Plus certification body. A summary of which is as follows:

  • The internal scan will check patches and system configurations.
  • The security and the anti-malware test ensure that an organisation’s systems and processes are resistant to malicious attachments and downloadable binaries.
  • The external scan will check patches and system configurations for your public-facing infrastructure.

These tests include:

  • Inbound email binaries and payloads.
  • Malicious and non-malicious browser file download tests.
  • Authenticated and unauthenticated vulnerability and patch verification scans.
  • Account separation to confirm standard users do not have administrative privileges.
  • Multi-factor authentication checks.

Cyber Essentials Plus checklist

  • Step 1) Download and read the requirement’s for IT infrastructure document.
  • Step 2) Complete your Cyber Essentials questionnaire.
  • Step 3) Submit your questionnaire to a Cyber Essentials assessor. Once you have your Cyber Essentials certification you will then have three months to complete your Cyber Essentials Plus submission.
  • Step 4) Undergo on-site or remote assessment and external scans & tests.

If you have successfully complete all of the steps in the Cyber Essentials Plus checklist you will be issued with your certification, which is valid for 12 months.

How ISO 27001 can help reduce the risk of a data breach

What is ISO 27001?

ISO 27001 is an internationally recognised standard for information security. It sets out a framework for organisations of any size to protect their information, based on an information security management system (ISMS) tailored to the ISO 27001 certified company.

Why is ISO 27001 important?

Implementing ISO 27001 helps companies manage information security by addressing people, processes, and technology. ISO 27001 is globally recognised and as result provides a valuable certification to show customers and partners that you safeguard their data.

Why has ISO 27001 become so popular recently?

With the explosive growth of business software in the last 5 years, companies are storing more and more data, even small to mid-sized companies. Data about their employees, suppliers, customers, financial data, market data and more. Regulation like GDPR and institutions like the ICO show that governments take it seriously protect their citizens from abuse of their data. While data security has been a topic mostly relevant for large enterprises 10 years ago it is now top of mind also for SMBs, resulting in growing demand for information security certifications like ISO 27001, SOC2 and CyberEssentials.

How to prepare for ISO 270001?

Besides building a tailored information security management system together with your consultant, you need to get your business systems set up to be able to comply with the requirements and Annex A controls, ideally without adding too much overhead.

ISO 27001 security controls: Device register and device security

From an IT perspective, you need to establish a central asset register for your company’s devices. Whether they are owned by the company, rented or BYOB devices, you need to be able to list all devices that access company data in one central register, in real-time. On top of that, devices need to be protected to a reasonable degree in order to prevent sensitive data from leaking. For example, you may want to be able to apply company level security configurations such as password rules and encryption, remotely install antivirus software for new computers and be able to remotely lock a device in the unfortunate case of loss or theft.

ISO 27001 controls: Access management

You need to be able to monitor in real-time who has access to any computer system that holds potentially sensitive data. This spans all core business systems like HR, payroll, accounting and CRM but also productivity and communication tools like Google Workspace, Microsoft 365, Slack, Notion, Salesforce or AWS. Also, you need to have a system in place for onboarding new joiners and offboarding leavers to make sure your record of access is always up to date.

ISO 27001 controls: Secure HR platform for employee data

Employee data is some of the most sensitive data you as a data controller possess and it is vital to store it securely – in order to comply with controls in Annex A7.A modern HR system ensures that data is stored encrypted in the cloud, that your team members can see coworkers’ data only on a need-to-know basis (i.e. managers see more than non-managers) and that data does not leave the system unnecessarily, for example by viewing data and documents directly in the browser rather than having to export it into the computer or sharing it via email with others.

ISO 27001 & Cyber Essentials FAQ

ISO 27001 vs SOC2: How do they differ?

Both the ISO 27001 standard and SOC 2 state that organisations only need to adopt a control if it applies to them, but the way they approach this differs slightly. ISO 27001 focuses on the development and maintenance of an ISMS. In order to remain compliant, you must conduct a risk assessment, identify and implement security controls and regularly review their effectiveness. SOC 2, is much more flexible. It comprises five Trust Services Principles: Security, Availability, Processing Integrity, Confidentiality and Privacy, but only the first of those is mandatory. Overall, on the question of SOC2 vs ISO 27001, the former is easier and less expensive to implement and maintain, but it’s also less rigorous.

ISO 27001 vs Cyber Essentials: How do they differ?

The Cyber Essentials certification is required to be able to work with public bodies in the UK but is also very popular with private companies seeking to improve their data security. While ISO takes a risk-adjusted approach, where you as a company can apply a certain level of judgement about the amount of risk related to a control, CyberEssentials has a more rigid approach. For small companies this may result in a number of measure that have to be taken that in an ISO 270001 certification would have not been necessary due to a low amount of risk. For other companies however, for example larger enterprises, Cyber. Essentials may end up being less labour insensitive for the same reason.

What are the ISO 27001 security principals?

The three ISO 27001 security principals are confidentially, integrity and availability of data. Together, these three principles help organisations adopt an Information Security Management System (ISMS) that will help minimise the chances of an information security breach as well as limit its impact (if it still happens).

Should I buy an ISO 27001 toolkit?

If you’re a new ISO 27001 lead implementor then purchasing an ISO 27001 toolkit could be a good way to help with your ISO 27001 training whilst keeping your ISO 27001 cost down. An ISO 27001 toolkit will typically contain a list of templates such as an ISO 27001 risk assessment that allow you to speed up your ISO 27001 implementation process. Whilst ISO 27001 toolkits can speed up the time before you get an ISO 27001 auditor into to asses your business, they won’t be sufficient by themselves to get your through ISO 27001 certification and you should be careful to avoid businesses that overpromise in this area.

What are the ISO 27001 benefits?

The main ISO 27001 benefit is that it provides your business with greater quality assurance and higher levels of trust for stakeholders. The ISO 27001 auditing process follows a rigid framework, which results in a business adopting a set of ISO 27001 controls that demonstrate that data is being handled with integrity. Furthermore, the ISO 27001 certification demonstrates that strategies are in place to continually review data handling processes & policies.

What are the ISO 27001 controls?

The ISO 27001 controls (Annex A controls) are split into 14 categories and within those there are 114 controls that are outlined as tools for effective risk management. Each category of ISO 27001 controls can be attributed to a different area of your business and they’re not all IT related. They range from organisational , IT, HR, legal and physical controls. ISO 27001 controls are implemented to mitigate risks identified in an ISO 27001 risk assessment, which your ISO 27001 auditor will ask to see evidence for during your audit.

How much does ISO 27001 certification cost?

ISO 27001 certification costs can be broken down into a few elements. The first is the cost of ISO 27001 training. An ISO 27001 lead implementer course can be around £2225 with a company such as BSI, however, if you’re looking to keep the cost down, there is great free material from companies such as Advisera. The cost of an ISO 27001 toolkit would typically be into the low to mid hundreds of pounds. The second cost to take into account is that of an ISO 27001 consultant, which would typically be around £140 per hour. On average a business may need anywhere from 24 – 160 hours of ISO 27001 consultancy work in order to achieve ISO 27001 certification. This would put the cost between £3360 – £22,400.The ISO 27001 cost of auditing is typically based on the number of employees within an organisation. The range then depends on which ISO 27001 auditor you choose and how many on-site days and how many remote days they need to spend with your business to do their ISO 27001 auditing. ​Number of employees Estimated cost1-45£3750 – £750046-125£8750 – £10,000​126 -425£11,250 – £12,500​426 – 625 ​£13,750 ​626 – 875 £15,000​876 – 1175£16,250

How much does Cyber Essentials certification cost?

The cost of Cyber Essentials follows a tiered pricing system as show in the table below:​Number of employees ​Cost ​0 – 9£300 + VAT 10 – 49£400 + VAT50 – 249 £450 + VAT ​250 + £500 + VAT

How much does Cyber Essentials Plus certification cost?

The additional cost of Cyber Essentials Plus varies depending on the complexity of your network. To better understand the Cyber Essentials Plus cost you should contact IASME who will be able to help gain a quote.