Information security and cyber security

What is information security?

Information security (also known as ‘InfoSec’) refers to the practice of protecting information held by a business. Specifically, it involves the protection of:

• confidential information (eg trade secrets)

• personal data (eg names and addresses of staff or customers) 

• sensitive personal data (eg information about political opinions and mental or physical health)

• business information (ie business-related information that isn’t personal data)

Information security aims to protect a business’ information against unauthorised activities (eg unauthorised modification, deletion and access). Moreover, under the UK General Data Protection Regulation (GDPR) and Data Protection Act 2018, a data controller (ie a party that says how and why personal data is processed - eg collected or stored) can only process personal data in a way that ensures appropriate security of the data. This means that businesses must implement appropriate security measures to protect against:

• any unauthorised or unlawful processing

• accidental loss, destruction or damage of the data

How to ensure information security

Businesses must take active steps to ensure information security, including:

Identifying, assessing and managing risks

To determine the relevant level of security needed for a business, you need to review the information being held and assess the risks to that information. Particular care must be given to any personal data. To do this, you should consider: 

• all processes involved in the collection, storage, use, sharing and disposal of the information

• how sensitive or confidential the information is

• the damage or distress that would be caused by a security breach (this is especially important with regards to personal and sensitive personal data)

• the reputational damage your business would suffer in the event of a data breach

Once you have identified and assessed your security risks, you can decide on what security measures to adopt. For more information, read Data protection principles.

To comply with data protection laws, you may also need to conduct a Data protection impact assessment (DPIA) if your personal data processing is likely to result in a high risk. For more information, read Data protection impact assessments.

Adopting relevant policies and documents

To address and consistently manage security risks, you should consider adopting an Information security policy. This policy sets out a business’ rules and procedures on information security, including how any security measures are implemented and how compliance is monitored. 

Additional policies and documents you should consider adopting include:

• a Data protection and security policy to set out your procedures and responsibilities for protecting personal data

• a Data retention policy to set out how long data will be kept for and how data will be disposed of when it's no longer needed

• an Employee privacy notice and/or a Consultant privacy notice to inform staff and consultants respectively about how you collect, use, retain and share their personal data

• a Communications and use of equipment policy to set out the rules and procedures for accessing communications and IT equipment and resources and for monitoring of staff in the workplace

• a  Data processing agreement (DPA), whenever you outsource any of your data processing to a third-party service provider (eg a business offering cloud storage services), to ensure compliance with the GDPR and to ensure that the processor (ie the third-party service provider that process personal data on your behalf) complies with the GDPR. For more information, read Data processing agreements

Physical security

You need to ensure the physical security of the business and any information it holds. This includes:

• controlling and restricting the access to your business premises and relevant equipment to prevent unauthorised access, damage and interference with information (eg by installing CCTV)

• securely storing records and equipment to prevent loss, damage, theft or compromise of information (eg locking computers when not using them)

• securely disposing of records and equipment when they are no longer needed (eg by shredding)

For more information, read Data protection principles.

Computer and network security

You need to ensure that your hardware and software assets are kept secure, by:

• managing hardware and software assets - identify and document any IT equipment (eg computers, servers, mobile phones) that is on your business premises or kept at home by staff, and systems and applications used to process or store information. You should use an inventory or register for this. You also need to assign ownership of each asset, implement rules on how to use hardware or software to process or store information and regularly review your hardware/software inventories to ensure their accuracy

• adopting clear home or mobile working procedures - mobile devices (eg laptops, tablets and smartphones) are vulnerable to theft and loss. As a result, there is a confidentiality risk when they are being used in public places (eg in a cafe or on a train) or at home (eg when laptop screens are visible and accessible to a staff member’s family). Ensure that any information (especially personal data) processed outside of your business premises is kept secure by adopting a clear mobile working policy and/or Working from home policy setting out when and how staff may work away from the business premises

• configuring hardware to reduce vulnerabilities - remove any unnecessary accounts (eg guest or administrative accounts), change default passwords and uninstall any pre-installed software that is unnecessary for your business

• managing removable media - removable media (eg flash drives, CDs and smartphones) are very vulnerable to theft or loss. If you need to store information on removable media, consider implementing software solutions to set permissions/restrictions for individual devices and classes of devices. You should also minimise and encrypt the information stored on any removable media 

• implementing user access controls - user accounts should only be given to authorised individuals and user permissions should be restricted to the minimum (ie ‘least privilege’). To ensure accountability, each user should have their own user access credentials (eg username and password)

• implementing system password security - encourage staff to use strong passwords and not to write them down. Consider implementing a dual-factor authentication system. You should also monitor user activity to detect any abnormal use and disable staff access credentials as soon as they leave the business

• establishing anti-malware defences - install (and regularly update) malware protection software to prevent computers from being infected by malware (eg viruses or spyware) and educate staff about common malware threats

• regularly backing up information - regular backups can help restore information in the event of a hardware failure or disaster. You should base the extent and frequency of your backups on the sensitivity and confidentiality of the information and how critical it is for your business operations

• monitoring user and system activity - this can help you identify and prevent any external threats, inappropriate use of information by staff or data breaches. In- and outbound network traffic should be continuously monitored to detect any unusual activity (eg large transfers of personal data) or potential indications of an attack. Any monitoring you undertake must comply with the relevant laws (eg you must make staff aware of any workplace monitoring)

• installing a firewall - a firewall acts as a protective boundary between your computer network and the internet. Instal a firewall to monitor and restrict network traffic to prevent others from gaining unauthorised access to your information

Management of personal data breaches

Under the GDPR, you must report certain types of personal data breaches to the Information Commissioner’s Office (ICO) and, in some cases, to the affected individual(s). A data breach is a security breach that causes the accidental or unlawful destruction, alteration, loss, or unauthorised disclosure of, or access to, personal data.

You need to have clear breach reporting procedures in place to ensure staff understand:

• what a personal data breach is

• when and about what the ICO needs to be informed

• when and about what affected individuals need to be informed

• how to document a data breach

You should also: 

• have a process in place to investigate and implement recovery plans after a breach

• monitor the type, volume and cost of any data breaches to identify trends and prevent them from happening again

For more information, read Data breach reporting.

Training

All staff members should be trained (eg online or through workshops) on information security, including: 

• their security responsibilities and the appropriate use of the business’ systems and IT equipment

• how to recognise threats (eg malware or phishing)

• how to identify breaches of personal data 

Special training should be provided to any staff members with specific security responsibilities or with access to privileged information.

Training should be provided to staff members when they first join the business and at regular intervals afterwards. You should also make all relevant policies easily available (eg in a policy handbook or on the business’ intranet). 

What is cyber security?

While the terms ‘information security’ and ‘cyber security’ are sometimes used interchangeably, they are different. Information security is a broad field that covers many areas of security (eg physical security, network security and data encryption). Cyber security predominantly deals with technology-related threats and how to mitigate and prevent them. In other words, cyber security is a subcategory of information security that seeks to protect information from threats to computers and computer networks. For more information, see the National Cyber Security Centre’s guidance.

For more information on information security, see the ICO’s guidance or Ask a lawyer if you have any questions. If you need to assess your business’ compliance with information security, use the ICO’s checklist.