No data security is ever foolproof. There is always a weak link in the security chain, and all too often that link is a human. In this blog, we look at some of these human factors and suggest ways you can help to reduce these risks.
Even the best security in the world can be broken if a human does something foolish. We humans are prone to making silly errors, and it is hard to combat this. As Douglas Adams once said:
A common mistake that people make when trying to design something completely foolproof is to underestimate the ingenuity of complete fools.
The consequences of this sort of security breach can be significant. In the worst cases, it can put all your data at risk.
To err is human...
There are many ways in which humans manage to circumvent or weaken your data security.
Probably, the most common mistake is leaving a device (laptop, phone or USB disk) in a public space. This also applies to leaving a laptop unsecured in a vehicle. If that device isn’t password protected and encrypted this makes it even worse. Related to this is leaving data on a device you have disposed of. You must make sure all data is properly destroyed before selling on or throwing out a device. Ideally, you should be physically destroying the drive (though nowadays that can be hard without destroying the device).
MAYBE ADD AN IMAGE SHOWING A LOST PHONE OR LAPTOP LEFT IN TRAIN?
Left to themselves, users usually create weak passwords. If you try to enforce a strong password policy you end up with the user writing the password down so they can remember it. This is particularly true when you insist on frequent password changes with no reuse.
Depressingly often you read about paper records being left unsecured in disused buildings. Likewise, physical security in your office and data centre is important. Remember, GDPR applies equally to paper records as electronic ones!
Developers like to make life easy for themselves. While they are developing an application they often put any necessary credentials in plain text as a comment. Unfortunately, they are also human, so they often forget and leave said comments there. I have heard of at least one case where a major corporation’s web pages included the admin credentials in a plaintext comment on the login page.
Malice and curiosity
Not every human is a saint. And not every employee is on the side of the angels. Sad to say, employees often access data they are not allowed to. Sometimes, this can be for malicious purposes. For instance, wanting to snoop on an ex-lover. Sometimes, it can be just curiosity.
Data protection and security has been likened to an arms race. Each time a new security feature is developed, hackers seek to circumvent it. As a result, things that were secure a few years ago may no longer be secure. Article 32 of the GDPR starts:
Taking into account the state of the art, ... the controller and the processor shall implement appropriate technical and organisational measures.
In other words, you are obliged to make sure your solution reflects the current state of the art.
How can I avoid these mistakes?
There are a few things you can do to avoid falling into these traps.
Better device security
As a minimum all devices should be locked/password protected. Ideally, all data on the device should be encrypted. Even better is to encrypt at a fine granularity. Many modern laptops and phones implement biometric security which might be worth enforcing.
There are two good pieces of advice that will improve password security. One is to tell users to choose 4 random words and combine them to create their password. The reason this is so secure is shown in the following XKCD comic (and check out the XKPasswd generator):
The other thing is to implement 2 factor authentication. This is increasingly easy, with most solutions using the user’s mobile as their second factor (e.g. by sending an SMS).
Before you release code, especially HTML, check that it doesn’t include any credentials or other secrets. Equally, make sure your backends are secured with strong passwords, or better yet with truly random (very) long keys.
While you can’t always stop malicious access by authorised people, you can reduce the chances if you implement full access logging. This is also recommended best practice under GDPR. Every time a given piece of data is accessed that should be logged in some immutable fashion. This should be done openly, so that you can benefit from the deterrent effect.
Proper quality management
It is important to make sure you constantly reassess your application’s security. This includes implementing all updates and patches, checking for the latest GDPR guidance and ensuring you record all this in case of a future GDPR audit.
How can Chino.io help?
Here at Chino.io we can’t solve every issue for you. But we can make some things very easy. Our API automatically records all data accesses in an immutable audit log. All data is encrypted at record level. We offer OAuth as a service which makes secure user management a doddle. We are ISO 13485 certified for quality management. This means we can guarantee that our systems are always up to date and compliant.
If you want to find out more, speak to us about our free assessment. We will look at your specific use case and offer you expert advice on how to design your application to minimise the risks outlined above.