David Watson
Managing Director
Hosted Accountants Ltd
Three Topics
How secure is your system?
What are you storing and for how long?
What to do when things go wrong?
What is Appropriate Security?
• An appropriate measure is one that is proportionate to the
risks it safeguards against. You can take into account the state
of technological development and the cost of implementing
the measure.
• Regulation 5(1A) says these measures must at least:
• “(a) ensure that personal data can be accessed only by
authorised personnel for legally authorised purposes;
• (b) protect personal data stored or transmitted against
accidental or unlawful destruction, accidental loss or alteration,
and unauthorised or unlawful storage, processing, access or
disclosure; and
• (c) ensure the implementation of a security policy with respect
to the processing of personal data.”
What are the Threats?
545,000 Network Intrusion Attempts per minute
140,000 Malware Programs blocked per minute
170,000 Malicious websites blocked per minute
310,000 Botnet attacks blocked
312 Zero Day exploits blocked
In Real Life
Deloitte – Email Hack Sept 2017
ICAEW – Firms at High Risk
FCA – 24 Attacks in 2015, 38 in 2016, 69 in 2017
National Cyber Security Centre – 1100 Reported Attacks, 590 Significant, 30 Requiring Action from Government bodies, 10 Significant attacks each week.
4000 ransomware attacks a day in 2016
Mitigation
• Can’t stop it happening
• Firewalls
• Anti Virus
• Training
• Office 365
• Dual Factor
GDPR Retention and Processing
• Give Data Proper Respect
• What are you storing and what are you processing?
• What best practice “Privacy Policy” looks like
How long should I keep data?
• This is the fifth data protection principle. In practice, it means that you will need to:
• review the length of time you keep personal data;
• consider the purpose or purposes you hold the information for in deciding whether (and for how long) to retain it;
• securely delete information that is no longer needed for this purpose or these purposes; and
• update, archive or securely delete information if it goes out of date.
What data do you actually have?
Data                   Retention Period   Legitimate Reason
Physical Files         7 Years            Business Reason
Client Correspondence  7 Years            Business Reasons
Payroll Data           7 Years            Business Reasons
Permanent Files        ?                  ?
Email                  ?                  ?
Backups                ?                  ?
Archive Storage        ?                  ?
iCloud                 ?                  ?
Dropbox                ?                  ?
What should you be collecting?
• In practice, the second data protection principle means that you must:
• Be clear from the outset about why you are collecting personal data and what you intend to do with it;
• Comply with the Act’s fair processing requirements – including the duty to give privacy notices to individuals when collecting their personal data;
• Ensure that if you wish to use or disclose the personal data for any purpose that is additional to or different from the originally specified purpose, the new use or disclosure is fair.
Summary: Retention and Processing
• Collect the minimum you need to do your job
• Don’t use data for other purposes
• Tell clients as soon as you can what you are collecting and why
• Deal with the legacy of data that you have, physical and electronic
• Only keep what you need and/or have consent for
The Anatomy of a Hack
On average, 99 days before a breach is detected
3,301,824,415 usernames and passwords stolen in 2016
The cost of data breaches is increasing, up 29% from 2013
Short Term / Long Term Impacts
Phase 1. The break-in
• Phishing Emails
• Password Laziness
• Password spraying
• Ignored software updates
• Software Vulnerability
• Theft
• Merging Networks
• Malware
• Server Misconfigurations
• Watering holes
• Blagging
Phase 2. The inside man
• Starts with a network scan
• Then target:
  • Employees with Higher Access than they need
  • Out of Date systems
  • Companies with no security procedures
• 24 – 48 Hours to full control
• User accounts with Admin
• Software running under Admin Account
• Same Account used across the firm
• Local accounts set up to solve a problem, then not removed
Phase 3. The Long Con
• Assume Breach
• Sudden Download of terabytes of Data
• Large numbers of files being moved
• Simultaneous logins from different IPs
• Multiple Failed login attempts
• Backdoor
• Smash and Grab
• Living off the land
• Advanced Persistent Threat
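Two of the Phase 3 warning signs, simultaneous logins from different IPs and multiple failed login attempts, can be turned into simple detection rules that a small firm can run over its own authentication logs. The Python below is an added example and not part of the slides; the log line format ("<ISO timestamp> user=… result=… ip=…"), the sample entries and the function names are all constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the slides); the line format
# "<ISO timestamp> user=<u> result=<success|failure> ip=<addr>" is an assumption.
SAMPLE_LOG = """\
2017-11-02T08:01:10 user=jsmith result=success ip=10.0.0.12
2017-11-02T08:02:40 user=jsmith result=success ip=203.0.113.7
2017-11-02T08:10:00 user=afernandez result=failure ip=198.51.100.9
2017-11-02T08:10:05 user=afernandez result=failure ip=198.51.100.9
2017-11-02T08:10:09 user=afernandez result=failure ip=198.51.100.9
2017-11-02T08:10:31 user=afernandez result=success ip=198.51.100.9
2017-11-02T09:00:00 user=bkhan result=success ip=10.0.0.30
2017-11-02T17:30:00 user=bkhan result=success ip=10.0.0.31
"""
LINE_RE = re.compile(r"^(\S+) user=(\S+) result=(\S+) ip=(\S+)$")

def parse_log(text):
    """Return (timestamp, user, result, ip) tuples sorted by time; unmatched lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m[1]), m[2], m[3], m[4]))
    return sorted(events)

def concurrent_logins(events, window=timedelta(minutes=10)):
    """Users with successful logins from two different IPs inside `window`
    (bkhan's two office IPs hours apart are legitimate and stay unflagged)."""
    by_user = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "success":
            by_user[user].append((ts, ip))
    flagged = set()
    for user, logins in by_user.items():
        for i, (t1, ip1) in enumerate(logins):
            if any(t2 - t1 <= window and ip2 != ip1 for t2, ip2 in logins[i + 1:]):
                flagged.add(user)
    return flagged

def failed_login_bursts(events, threshold=3, window=timedelta(minutes=5)):
    """Users with at least `threshold` failed logins inside a sliding `window`."""
    fails = defaultdict(list)
    for ts, user, result, ip in events:
        if result == "failure":
            fails[user].append(ts)
    return {user for user, ts in fails.items()
            if any(ts[i + threshold - 1] - ts[i] <= window
                   for i in range(len(ts) - threshold + 1))}
```

In a real deployment the same two rules would be fed from the firm's directory or Office 365 sign-in logs, and the thresholds tuned so that staff who genuinely work from two locations do not drown out the real alerts.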
It is going to happen, what are you going to do?
• There are four important elements to any breach plan:
• Containment and Recovery
• Assessment of ongoing risk
• Notification of Breach
• Evaluation and Response
Containment
& Recovery
Who is going to take the lead?
Who needs to be made aware?
What might need to be done?
How do you recover?
How do you limit the damage?
Assessment of ongoing Risk
What Data is involved?
Are there protections in place?
What has happened to the data stolen / lost?
Who are the individuals whose data has been breached?
Notification
Notification should have a clear purpose
Are there legal or contractual arrangements?
Notification should be appropriate
Consider the dangers of over-notifying
Notify the appropriate regulatory body
Evaluation and Response
Build a team of technical and non-technical people
Identify your weak points
Discuss “What If” scenarios
Develop a plan for dealing with Security Incidents
Questions?
David Watson
Managing Director
Hosted Accountants

Don't panic - cyber security for the faint hearted