When securing systems and software one aims to protect against (1) unauthorised or unlawful access and processing and (2) accidental loss, destruction or damage. At the same time we want to stress that security, to be effective, requires a comprehensive approach and cannot succeed without giving the human factor the attention it deserves.
Security for systems and software – Principles:
Unauthorised or unlawful access & processing
For the first category one first needs to ensure that physical access to the system and software is controlled and limited to only those parties that strictly require it. Examples range from controlling access to the office with a badge system, to only the department head holding the keys to the filing cupboards, to only allowing specific personnel into the server room. Consider physical access control the first line of defence against unauthorised or unlawful access and processing.
The second line of defence is to limit and control access once physical access to the system or software has been obtained. In other words, limit and control access on the computer system or in the software by employing user authentication (e.g. user names and passwords, two-factor authentication) and by restricting user privileges to what each role actually needs (e.g. a user can only view a dossier, not make any changes to it or print from it). Any access that has not been explicitly granted should be denied.
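The two halves of this second line of defence, authentication and privilege restriction, are shown below in a small added example (not code from the original page). The dossier actions, the roles in DOSSIER_PERMISSIONS, the sample users and the lockout threshold are assumptions made for illustration; password verification uses only the Python standard library (salted PBKDF2-HMAC-SHA256 compared in constant time), and authorisation is deny-by-default with every decision written to an audit trail.

```python
"""Authentication plus least-privilege authorisation for a dossier system.

Added example, not code from the original page. The roles, actions, sample
users and lockout threshold below are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

PBKDF2_ITERATIONS = 600_000  # assumption: slow enough to hinder brute force, fast enough for logins
MAX_FAILED_LOGINS = 5        # assumption: lock the account after this many consecutive failures


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived key). A fresh random salt per user defeats precomputed tables."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key


# Role -> set of actions the role may perform on a dossier. Anything not listed is denied.
DOSSIER_PERMISSIONS: Dict[str, FrozenSet[str]] = {
    "viewer": frozenset({"view"}),
    "editor": frozenset({"view", "edit"}),
    "archivist": frozenset({"view", "print"}),
}


@dataclass
class User:
    name: str
    role: str
    salt: bytes
    key: bytes
    failed_logins: int = 0
    locked: bool = False


@dataclass
class Session:
    user: User
    audit: List[str] = field(default_factory=list)


def create_user(name: str, role: str, password: str) -> User:
    if role not in DOSSIER_PERMISSIONS:
        raise ValueError(f"unknown role {role!r}")
    salt, key = hash_password(password)
    return User(name, role, salt, key)


def authenticate(user: User, password: str) -> Optional[Session]:
    """First factor: verify the password in constant time; lock the account after repeated failures."""
    if user.locked:
        return None
    _, candidate = hash_password(password, user.salt)
    if not hmac.compare_digest(candidate, user.key):
        user.failed_logins += 1
        if user.failed_logins >= MAX_FAILED_LOGINS:
            user.locked = True
        return None
    user.failed_logins = 0
    return Session(user)


def authorise(session: Session, action: str, dossier_id: str) -> bool:
    """Deny by default: only actions listed for the user's role are allowed; every decision is logged."""
    allowed = action in DOSSIER_PERMISSIONS.get(session.user.role, frozenset())
    verdict = "ALLOW" if allowed else "DENY"
    session.audit.append(
        f"{verdict} user={session.user.name} role={session.user.role} "
        f"action={action} dossier={dossier_id}"
    )
    return allowed


def demo() -> Dict[str, bool]:
    """Constructed scenario: a viewer may read a dossier but may neither change nor print it."""
    viewer = create_user("alice", "viewer", "correct horse battery staple")
    assert authenticate(viewer, "wrong password") is None
    session = authenticate(viewer, "correct horse battery staple")
    assert session is not None
    return {
        "view": authorise(session, "view", "dossier-42"),
        "edit": authorise(session, "edit", "dossier-42"),
        "print": authorise(session, "print", "dossier-42"),
    }


if __name__ == "__main__":
    for action, ok in demo().items():
        print(f"{action}: {'allowed' if ok else 'denied'}")
```

The point to notice is that the permission table is the only place that grants anything; adding a new action to the software does not silently make it available to existing roles, and the audit list gives the evidence a supervisory authority would ask for when judging whether access control was adequate.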
Both lines of defence are equally important, and fines have already been issued for insufficient access control even where no data breach had occurred!
Accidental loss, destruction or damage
Personal data is a precious good and must be handled with great care and guarded carefully. This means one should also protect it against accidental loss, destruction or damage. Such events can occur through system, software or operational failure (e.g. losing a laptop, dropping a phone, a hard disk crash) as well as through a security breach by a malicious actor (e.g. a ransomware attack).
One protects systems and software against loss, destruction or damage by keeping backups of the information (and regularly testing that they can actually be restored), and by ensuring that any device that may be lost has adequate access control and that the personal data on it is encrypted, so that whoever finds the item cannot read the data. Bear in mind that a backup which the primary system can write to can be destroyed by the same ransomware that hits the system; keep at least one copy offline or otherwise out of its reach.
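Having a backup is only half the measure; before restoring from it one should be able to tell whether it is intact. The following added example (not code from the original page) records a manifest of every file in a backup with its size and SHA-256 digest, authenticates that manifest with an HMAC, and refuses a restore if the manifest was altered, a file is corrupt or missing, or an unexpected file has appeared. The directory layout, file names and MANIFEST_KEY are constructed for illustration; the key stands in for a secret kept away from the backed-up system (e.g. with the offline copy), which is what stops an attacker who encrypts the backup from also rewriting the manifest to match.

```python
"""Backup manifest with integrity verification before restore.

Added example, not code from the original page. File names, contents and
MANIFEST_KEY are constructed for illustration; in practice the key lives
off the backed-up system so that whoever tampers with the backup cannot
forge a matching manifest.
"""
import hashlib
import hmac
import json
import os
import tempfile
from pathlib import Path
from typing import Dict, List

MANIFEST_KEY = b"assumption: secret kept off the backed-up system"


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _relative_names(backup_dir: Path) -> List[str]:
    return sorted(p.relative_to(backup_dir).as_posix() for p in backup_dir.rglob("*") if p.is_file())


def build_manifest(backup_dir: Path) -> dict:
    """Record size and SHA-256 of every file, then authenticate the record with an HMAC."""
    files = {}
    for name in _relative_names(backup_dir):
        p = backup_dir / name
        files[name] = {"size": p.stat().st_size, "sha256": sha256_file(p)}
    body = json.dumps(files, sort_keys=True).encode()
    return {"files": files, "hmac": hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()}


def verify_backup(backup_dir: Path, manifest: dict) -> List[str]:
    """Return a list of problems; an empty list means the backup is safe to restore.

    Checks (1) the manifest itself has not been altered, (2) every recorded
    file is present with the recorded digest, (3) no unexpected files appeared.
    """
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(MANIFEST_KEY, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        return ["manifest HMAC mismatch: manifest was modified or key is wrong"]
    problems: List[str] = []
    present = set(_relative_names(backup_dir))
    for name, rec in manifest["files"].items():
        if name not in present:
            problems.append(f"missing: {name}")
        elif sha256_file(backup_dir / name) != rec["sha256"]:
            problems.append(f"corrupt: {name}")
    for name in sorted(present - set(manifest["files"])):
        problems.append(f"unexpected: {name}")
    return problems


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: a clean backup verifies; a forged manifest is rejected;
    after 'ransomware' rewrites one file, deletes another and drops a note, verification fails."""
    with tempfile.TemporaryDirectory() as tmp:
        backup = Path(tmp)
        (backup / "dossiers").mkdir()
        (backup / "dossiers" / "42.txt").write_text("name: A. Example\n")
        (backup / "index.db").write_bytes(os.urandom(1024))
        manifest = build_manifest(backup)
        clean = verify_backup(backup, manifest)

        forged = json.loads(json.dumps(manifest))  # deep copy, then edit a digest without the key
        first = next(iter(forged["files"]))
        forged["files"][first]["sha256"] = "0" * 64
        forged_result = verify_backup(backup, forged)

        (backup / "dossiers" / "42.txt").write_bytes(b"\x00encrypted\x00")
        (backup / "index.db").unlink()
        (backup / "README_DECRYPT.txt").write_text("pay up")
        damaged = verify_backup(backup, manifest)
    return {"clean": clean, "forged_manifest": forged_result, "damaged": damaged}


if __name__ == "__main__":
    for label, problems in demo().items():
        print(f"{label}: {problems or 'OK'}")
```

Run the verification as part of the regular restore test rather than only after an incident; a backup that has never been restored is an assumption, not a safeguard.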
Protection against malicious actors, i.e. hackers, is a complex topic. Enforcing strong passwords, running virus-scanning software and routing all remote access through a VPN are a good start, but you will need to go beyond the obvious to reduce the risk with a high degree of confidence. To be successful, a holistic and comprehensive approach to security across all its categories is needed; your defence is only as strong as its weakest link.
Comprehensive approach & the human factor
Your best bet for running secure operations is a holistic and comprehensive approach to system and software security. In other words, you cannot just do a little bit of security; you will have to dedicate enough resources to cover all aspects and cover them well. This includes training staff, as the human is often the weakest link. In this day and age, where most systems are connected to the internet, having all staff go through regular security-awareness and data-privacy training is critical. It is recommended that you implement a code of conduct that covers security and privacy as well as other ethical business practices.
The appropriate security measures for systems and software should be combined with specific measures to secure the data within them. We have summarised those in Data Security – What to consider.
Check our GDPR Knowledge Base covering Data Security.