Increased risk of data attacks - how to prepare
Has the company an updated overview of current processing in 2022?
The companies must have an overview of their processing activities, and it is important that this is up to date. Has the company engaged new service providers, are personal data transferred to third countries, do you have subcontractors affected by the conflict in Ukraine? Based on an updated overview, the company should also assess the need for a privacy impact assessment (DPIA) or update privacy documentation such as privacy statements and routines.
Is the company prepared for an attack?
In 2021 Cyber Attacks was proved to hit anyone. Ransomware viruses, sharing and resale of personal information on the dark web («Dark Web») occur frequently, at the same time as the company can suffer heavy losses because personal information is encrypted by criminals, and cannot be recovered.
Thus, it’s important that the companies have an overview of critical functions and services and have updated contingency plans to secure data in the event of loss of services.
Two recent cases from the Norwegian Data Protection Authority illustrate how relevant this risk is, and what companies should do to protect themselves against computer attacks.
The Norwegian Parliament (Stortinget) has been notified an infringement fee of NOK 2 million for failure to secure personal information in the event of computer attacks on email accounts to Stortinget’s representatives and administrative staff. Østre Toten municipality has been fined four million kroner for extensive breaches of data security. The computer attack on the municipality led to more than 300,000 documents being affected, more information being resold on the dark web and a large number of personal information being lost because the municipality did not have sufficient back up or log.
We have taken a closer look at the cases here:
Has the business enabled two-factor authentication?
In both cases, the Norwegian Data Protection Authority emphasized the lack of two-factor authentication, even though it is a well-known, recommended and effective measure. The management is also responsible to ensure that the risks were managed, and measures implemented. Therefore, companies should investigate whether this is in place especially for digital services that are available over the internet where the risk is greatest. If not, the measure should be implemented as soon as possible.
Does the company have in-house training and regular inspections?
Email abuse is a common practice for criminal hackers. Organizational measures such as training, internal compulsory courses, awareness raising, etc. is important in dealing with this risk. Information security is not reserved for a few with technical expertise, this applies to everyone who uses the company’s network and digital equipment.
Does the company have a good contingency plan?
Digital security requires that strategic and administrative leadership have a common focus and targeted strategies. This can be challenging to achieve, as it often concerns IT technical concepts.
Scenarios are then useful. Through targeted questions about how critical services are affected by computer attacks, one can prepare an accurate overview and routines. In this way, the company can ensure that everyone knows what to do if the accident occurs, recover documents, have back up, be able to log the activity both internally and externally and report and cooperate with the Norwegian Data Protection Authority.
The annual report is a golden opportunity to ensure focus on data security and targeted management goals, and that administrative management, the professional environment and the IT service have sufficient knowledge. For municipalities, data security should also be included in the municipal director’s report on internal control.
The article is an adapted version of a published article in Kommunal Rapport 17. 03.2022: