Reload
Thoughts, comments and ideas from ACS Staff

Hacking Category

Infected File Uploads

ACS, Hacking, NamesAndSpace Hosting, Patches & Updates, Potential Risks, Security

Of late, there have been a few files uploaded to some hosting accounts that contained viruses and/or potentially malicious coding.

Our policy on such malware (viruses, spyware, trojans etc.) is well established: we don’t tolerate it under any circumstances. Any uploaded file found to be, or to contain, malware is permanently deleted.

All of our N&S servers run anti-virus software that is regularly updated, with full system scans taking place each night. Any infected file will be deleted without any prior notification.


July 7th, 2009



Orange & Littlewoods and the Data Protection Act

ACS, Hacking, Security

Orange and Littlewoods have both been found in breach of the UK Data Protection Act (DPA) by the Information Commissioner’s Office (ICO) over the handling of customers’ information. Orange’s transgression was that new members of staff were sharing usernames and passwords when accessing the company’s IT system, whilst Littlewoods’ offence was to fail to remove a person from its marketing mailing list despite multiple requests to do so. Full details of the ICO ruling can be found here (PDF file).

Even though it is reassuring to see that the ICO is willing to investigate and address breaches of the DPA, it is worth noting that the resulting sanction (both Orange and Littlewoods are required to sign a formal undertaking to comply with the Data Protection Act) amounts to little more than a slap on the wrist.

Even though it is only 9 years old (a veritable early teenager compared to the age of most English laws), the Data Protection Act is in dire need of being updated. Compared with other western countries, the powers and sanctions available under UK computer laws are somewhat laughable. Unlike other government oversight bodies (like HM Inspector of Prisons), the Information Commissioner does not have the power to perform snap inspections or inspect premises at will. Instead, he or she must first gain consent from the target organisation before an inspection can take place. Equally inadequate in the modern information age are the sanctions available for breach of the Data Protection Act or the Computer Misuse Act. If you are found to be in breach of the former, you are most likely to be prosecuted and fined, whilst the latter can lead to prison sentences, but even those normally only equate to a few years at most.

Compare this to the United States, where back in the 1990s convicted hackers like Kevin Mitnick were given sentences of 5 years for hacking and stealing intellectual property.

Leaving to one side the lack of teeth of the Data Protection Act: regardless of your status (business, charity, self-employed etc.), if you store any personal information about people, you are required under the Act to be registered with the Information Commissioner’s Office.

The process itself is fairly painless, and can be done online in a few minutes. Basically, you are required to declare the nature and type of data you are storing and how it is stored, and to nominate one person inside your organisation as the organisation’s Data Controller (i.e. the person nominally in charge of the data).

There are several core methods that you should employ to ensure compliance with the DPA, and to protect your IT systems:

  • Protect and secure the data you are holding. Limit access to data to only those persons who actually need it as part of their job. All too often I have seen sensitive data stored in locations accessible by any user across a network. Review your passwords. Ideally, you should not be using anything that is known about you as your password: family names, dates of birth and where you live are out of the question.
  • One thing that is often overlooked is the physical security of information stores. You may have tightened down access and security controls on your company server, but if the computer itself is not secured, then your efforts may amount to nowt if a thief walks off with the server. Critical company computers (servers, network attached storage, backups etc.) should be secured inside a locked room (a server room), with access restricted to a select group of people who actually need access as part of their job.
  • Don’t allow access to your information resources by anyone outside of your organisation unless they have a business-related reason to do so. Again, I have seen a number of computers and networks that suffered at the hands of employees’ children (quote: “I let her install the game to keep her quiet”).
  • Ensure not only that you have established IT policies covering security, access controls, password standards, operating procedures and acceptable use in place, but also that your staff are informed of them. It is useless creating a policy and then implementing it without informing those who are supposed to implement and abide by it.

The role of the DPA is not only to ensure the security and protection of personal information, but also to promote access to it. Under the DPA, any person can formally request that an applicable organisation (the normal exceptions of the Government, Military, Police etc. apply) disclose what information it holds about them, and the organisation is obliged to do so. To cover the cost of providing this information, the organisation can charge a small administrative fee, but it cannot refuse to provide the details requested.


June 22nd, 2007



Even the Pentagon can be hacked!

Hacking, Security

Reports are reaching us today that the Pentagon’s email service has been forced to close after an attack by a hacker. Although staying fairly tight-lipped about whether any sensitive data was able to be read, the Pentagon admitted that it sees around 100 attempts to unlawfully access its systems every day and that this particular one “managed to get through”.

It just goes to show that even the most secure networks in the world can still be compromised. So, as we always say, please make sure that you have anti-virus software on all machines and that it is up to date, that you have a firewall in place, that you run regular spyware checks, and that your staff know and abide by a suitable internet/PC use policy… and always, always have an up-to-date remote backup of any data that your company could not survive losing!

Darren


June 22nd, 2007

Copyright © 2010 Reload. All Rights Reserved.