Customer data is a high value commodity for fraudsters and firms have a responsibility for securing it.
What is customer data?
Customer data is any personal information held in any format. It includes National Insurance records, addresses, dates of birth, family circumstances, bank details and medical records. This information must be kept secure because fraudsters can use it to commit crimes, such as identity theft.
There is a misconception that the compromise of customer data is purely an IT issue. Customer data can, in fact, be compromised in a number of ways.
Ensuring physical security over customer data
Physical security should be appropriate to prevent unauthorised access to customer data.
Many firms are responsible for their own office security. Firms should assess the risk of unauthorised access to their premises and ensure there is a commensurate level of security to protect their customer data.
Firms may wish to consider:
- Installing alarms or CCTV;
- Restricting access to the office with use of door buzzers or keypad entry;
- Monitoring visitors to your office by recording access and departure with a signing-in book and supervising visitors to your premises at all times;
- Discussing with local businesses or your local police force the key security risks in your area;
- Raising staff awareness of the risks of poor physical security;
- Maintaining a clear desk or secure desk policy to reduce the risk of customer data being lost, stolen or accessible to unauthorised persons; and
- Keeping filing cabinets locked whilst not in use.
Governance
Senior management should assess data security and put in place appropriate policies, procedures and controls to reduce the risks relating to it.
Data security is often not considered as a specific risk and can mean that nobody is assigned responsibility for it. In addition, many firms treat data security as purely an IT issue and therefore, do not involve other key staff from across the business, such as those responsible for recruitment, security and countering financial crime.
The FCA do not expect small firms to spend as much money or resource on data security as larger firms. However, they do expect firms to assess the risks and to have written data security policies or procedures. These do need to be appropriate to the size of the business and the risk posed and often a simple set of “dos” and “don’ts” would suffice.
You should also consider whether the culture within the firm is such that staff would be encouraged to report data security issues or concerns, whether staff understand why it is important and the steps they need to take to keep customer data safe.
Staff Recruitment
Firms' recruitment processes should ensure that the staff they recruit are not susceptible to stealing data or committing fraud.
In most firms it is the staff in the more junior roles, such as “contact centre” staff or administrators who tend to have access to most customer data and therefore, present a higher risk in terms of potential data loss or theft. There are also a number of cases where junior staff have been bribed or threatened by criminals who wish to obtain customer data. Firms should be applying a risk-based approach to reducing financial crime and enhancing recruitment checks where appropriate. Firms should consider whether it would be appropriate to:
- Undertake credit or criminal record checks on staff with access to large amounts of customer data;
- Repeat credit checks periodically to ensure that staff in financial difficulties, who may be more susceptible to bribery or committing fraud, are managed appropriately; and
- Hold regular meetings with staff where firms can identify any changes in circumstances that might make an employee more susceptible to financial crime.
Training
Firms need to ensure that staff understand the importance and relevance of data security policies and procedures. It is not sufficient for firms to place reliance on staff stating that they have read policies and procedures. They should be confirming that they understand.
There are many simple and effective means of raising staff awareness, such as: group discussions, awareness raising emails, intranet sites and poster campaigns. In addition, firms should ensure that they regularly test their staff’s understanding of data security.
Systems and Controls
There are many systems and controls which can minimise risks to customer data. Examples follow:
Access rights to IT systems
Firms should consider:
- whether staff have access rights to customer data that they do not require;
- whether unnecessary access rights are removed if staff change roles; and
- carrying out risk based proactive monitoring of staff to ensure that they are accessing or amending data for genuine business reasons.
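The access-rights review and proactive monitoring described above can be checked mechanically. The following is an added example, not part of the guidance: it compares the rights actually granted on a (hypothetical) customer-data system against what each user's current role requires, which also catches rights left over after a role change, and then scans constructed access-log lines for staff touching far more customer records than their peers. Role names, permission names, staff and log lines are all constructed.

```python
from collections import defaultdict
from statistics import median
# Constructed role-to-permission map (hypothetical roles and permission names).
ROLE_ENTITLEMENTS = {
    "contact_centre": {"customer:read"},
    "claims_handler": {"customer:read", "customer:update"},
    "it_support": set(),  # supports the platform; needs no customer data
}

# Constructed staff list: current role and the rights actually granted.
# Bob moved from claims handling to IT support and kept his old rights.
STAFF = [
    {"user": "alice", "role": "contact_centre", "granted": {"customer:read"}},
    {"user": "bob", "role": "it_support", "granted": {"customer:read", "customer:update"}},
    {"user": "carol", "role": "claims_handler", "granted": {"customer:read", "customer:update"}},
]

def excess_rights(staff, entitlements=ROLE_ENTITLEMENTS):
    """Rights granted beyond what each user's current role requires."""
    findings = {}
    for s in staff:
        extra = s["granted"] - entitlements.get(s["role"], set())
        if extra:
            findings[s["user"]] = sorted(extra)
    return findings

# Constructed access log ("timestamp user customer_id action" per record viewed).
ACCESS_LOG = "\n".join([
    "2024-03-04T09:01:10 alice C1001 read",
    "2024-03-04T09:05:42 alice C1002 read",
    "2024-03-04T09:06:03 carol C1003 update",
    "2024-03-04T09:07:55 carol C1004 read",
] + [f"2024-03-04T12:{i:02d}:00 bob C2{i:03d} read" for i in range(30)])

def distinct_customers(log):
    """Count distinct customer records touched per user, skipping malformed lines."""
    seen = defaultdict(set)
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 4:
            seen[parts[1]].add(parts[2])
    return {user: len(ids) for user, ids in seen.items()}

def high_volume_users(log, factor=5):
    """Users touching more than `factor` x the median number of distinct customers."""
    counts = distinct_customers(log)
    if not counts:
        return {}
    med = median(counts.values())
    return {u: n for u, n in counts.items() if n > factor * med}
```

A flagged user is a prompt for a line manager to confirm a genuine business reason, not proof of wrongdoing; the threshold factor should be tuned to the firm's own role mix.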
Passwords and User accounts
Firms should consider:
- Whether all staff have their own username and password;
- Whether passwords meet the standards recommended by Get Safe Online (www.getsafeonline.org);
- Whether staff understand the importance of strong passwords; and
- Whether passwords are written down or shared.
Taking Customer Data Offsite
If firms have staff who work from home, use laptops and other portable devices such as memory sticks and CDs to store or transfer data, then they should be considering the risks to customer data that could arise from these situations and in particular, the loss or theft of a laptop or portable device.
Firms should consider:
- Where customer data is taken offsite, whether the data or the device is encrypted;
- Maintaining records of which staff have laptops, memory sticks or CDs to ensure that should one go missing, the firm would be aware;
- Random checks of laptops to ensure that only staff authorised to hold customer data on laptops are doing so;
- If staff use home computers for business purposes, how securely customer data is held on them; and
- Ensuring they are aware of the increasingly sophisticated and evolving mobile technology.
Backing up customer data
Firms should consider reviewing their back-up procedures and consider threats to customer data throughout the whole back-up process, from production of the tape or disk, through the transit process, to the ultimate place of storage.
Firms should consider:
- Whether there are agreed and consistent procedures for back up of customer data;
- Whether the storage facilities are sufficiently secure to minimise risks to customer data;
- Encrypting backed up data;
- Carrying out due diligence on any third party entrusted with storage of back up data; and
- If a member of staff holds backed up data overnight, how secure is the storage?
Internet and Email Availability
There is an increased risk to data security if internet and external email are used in an uncontrolled fashion and especially where staff have access to web-based communication facilities, such as: web-based email (hotmail), social networking sites, instant messaging and file sharing software.
Therefore firms should consider:
- Providing access to the internet and external email only where it is genuinely required; and
- Removing access to web-based communication facilities and file sharing software.
Disposal of Data
Customer data can be held in paper and electronic forms and firms should ensure that all customer data is disposed of in a secure manner.
Firms should consider:
- Shredding paper based customer data and reminding staff of the importance of this;
- Ensuring that if you use a third party to dispose of customer data, that you are aware of how they destroy data and that they have a rigorous vetting process when recruiting staff;
- Destroying or shredding computer disks and CDs prior to disposal; and
- When disposing of computers, ensuring that hard drives are destroyed and/or specialist software is employed to wipe the data.
Third Party suppliers
Many firms employ third-party suppliers to carry out IT support or office cleaning and security. This can lead to people outside the firm having access to customer data.
Firms should:
- Undertake good due diligence on third party suppliers to assess their policies and procedures, including recruitment, security and levels of service, to ensure that firms understand their obligations with respect to how they treat your customer data;
- Monitor and supervise access to offices and customer data;
- Operate a clear desk or secure desk policy;
- Lock filing cabinets when not in use; and
- Use secure internet links, encryption and registered/recorded mail when transferring data.
Compliance and Monitoring
Firms should ensure that data security policies and procedures are reviewed on a regular basis.