Information security controls are critical to protecting data privacy. In recent weeks, with so many organisations shifting the way they operate, they may also be increasing the chances of an accidental, unauthorised sharing of data, or creating a new vulnerability that the hackneyed hoodied-hacker-in-basement may exploit. With this in mind, the Cybersecurity Governance Board, of which the Privacy Commissioner is a participant, developed recommendations:
“Alert staff of the potential for increased phishing attempts and other cyber-attacks.
“Instruct staff to verify by phone or an alternative channel any messages or emails that appear to be from a colleague but make an unusual request.
“Advise staff to obtain their information from trusted official sources.
“Ensure users are only granted the minimum access to information and systems required to do their jobs.
“Require staff and contractors to maintain up-to-date security patches and anti-malware on personal systems used to access organizational resources.
“Always require strong passwords and preferably multi-factor authentication whenever possible.
“Ensure employees have signed an Acceptable Use Policy and remind them of their responsibilities to protect sensitive company and customer information [i.e. from being accessed or viewed by others] and to only use that information according to company policies [i.e. do not save convenience copies on personal devices or accounts].
“Ensure that physical premises and data assets are adequately secured while offices are unoccupied.
“Further: Managers and business owners should also ensure Systems Administrators:
“Maintain secure and reliable backups of information and systems.
“Maintain up-to-date security patches and anti-malware protections on systems.
“Encrypt remote connections.
“Prevent storage of sensitive information on unencrypted devices.
“Restrict network access to systems and information to the minimum required to meet business needs.
“Perform enhanced monitoring for security issues and of network/system performance levels.”
For the full Government of Bermuda statement, see "Consider the Increasing Cybersecurity Risks" on Bernews.