RICS draft professional statement - Data handling and prevention of cybercrime

4 Best practice in common use cases

4.1 USB flash drives

Memory sticks, flash drives and portable hard drives provide convenience at the cost of potential data loss. Not only can these devices be easily misplaced or stolen, they can also store large amounts of data, and are therefore the most common cause of data breaches. Therefore, encryption software should be employed when transferring or storing personal or client data on any external storage device. Many flash drives come with preinstalled software that enables a passcode to be configured; provided that the stored data is encrypted and file access is not possible without this password, such a device can be considered secure.

However, flash drives also provide a route for malware to enter an otherwise clean computer. Avoid using devices whose history is not fully known, as they may have been tampered with. Computers should be configured so that USB devices are not run automatically (autorun/autoplay) when inserted.

Files that are not immediately recognisable should not be opened, and USB devices of unknown origin should never be inserted into computers that contain, or are connected to any other PC that contains, data that should be protected.

4.2 Physical access

The best PC protection, software, policies and procedures can be rendered worthless if an intruder gains access to the unlocked physical machine. Access by third parties should be recorded to ensure traceability.

Personal and client data should always be protected, and where possible should be kept separate from the rest of the system. If third parties require access to this data, it should be anonymised where possible. If this is not possible, access by authorised third parties should be constantly monitored.

Care should be taken when accessing data outside of the office environment. Do not connect to public wireless hotspots with devices that contain or access private data, and be aware of the visibility of device screens in public locations. Data loss is not always in digital form - it is possible for data to be leaked through information that is visible to third parties observing the screen of a device.

4.3 Mobile devices

While some organisations have a 'bring your own device' policy at work, most recognise the difficulty of managing such a policy. If an employee must access data on their own device, it is important that this data is only stored temporarily on the device, or that the organisation's IT team has the ability to remotely delete it. Furthermore, such devices must be secure and access to the organisation's systems from them should be logged. It is important that these devices are securely wiped in the event of their sale or loss, or when the employee leaves the company.

4.4 Cloud storage

Cloud-based mass storage utilities such as OneDrive, Dropbox and Google Drive are often used as a convenient option to centralise and share data across an organisation. It is important to understand the exact nature of their storage facility, such as where the data is stored, under what terms the data is made available and how data access is administered.

With data that is stored, digitally or otherwise, in a location that is not on the firm's premises and/or hardware, it is important to ensure that it is still only kept for as long as is required. Companies can minimise the scope and magnitude of potential data breaches by minimising the amount of data that is held and regularly reviewing stored data to assess whether it can be deleted. In order to do this in an efficient manner, either a content management system (CMS) should be employed or a file structure that simplifies this task should be utilised (for example by naming folders by clients and including sub-directories that reference the date by which the data should be removed).
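One way to make the retention review described above routine, as an added example that is not part of the RICS statement: the script assumes the folder convention `<client>/remove-by-YYYY-MM-DD/` (names are invented) and lists sub-directories whose removal date has passed, is approaching, or is missing altogether.

```python
"""Retention review over a client-keyed folder tree (added example, not part
of the RICS statement). Assumes the convention <client>/remove-by-YYYY-MM-DD/
where the date is the day by which that sub-directory's data must be removed."""
import re
from datetime import date, timedelta
from pathlib import Path
from tempfile import TemporaryDirectory

REMOVE_BY = re.compile(r"^remove-by-(\d{4})-(\d{2})-(\d{2})$")


def parse_remove_by(name):
    """Date from a 'remove-by-YYYY-MM-DD' folder name, or None if not labelled."""
    m = REMOVE_BY.match(name)
    if not m:
        return None
    try:
        return date(int(m[1]), int(m[2]), int(m[3]))
    except ValueError:  # e.g. remove-by-2024-02-30: treat as unlabelled
        return None


def review(root, today, warn_days=30):
    """Return (expired, due_soon, unlabelled): client/sub-folder paths to act on."""
    expired, due_soon, unlabelled = [], [], []
    for client_dir in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        for sub in sorted(p for p in client_dir.iterdir() if p.is_dir()):
            rel = f"{client_dir.name}/{sub.name}"
            removal = parse_remove_by(sub.name)
            if removal is None:
                unlabelled.append(rel)      # no date: needs manual triage
            elif removal <= today:
                expired.append(rel)         # past its date: delete or justify
            elif removal - today <= timedelta(days=warn_days):
                due_soon.append(rel)        # flag ahead of the deadline
    return expired, due_soon, unlabelled


def demo():
    """Build a constructed sample tree (invented client names) and review it."""
    with TemporaryDirectory() as tmp:
        for rel in ("acme/remove-by-2023-12-31", "acme/remove-by-2024-06-15",
                    "bloggs/remove-by-2025-01-01", "bloggs/misc-photos"):
            (Path(tmp) / rel).mkdir(parents=True)
        return review(tmp, date(2024, 6, 1))
```

Run `review()` against the real share root with today's date; the unlabelled list is as important as the expired one, since folders without a removal date are the ones that silently accumulate.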

4.5 Email

Many file types that are often considered safe to send as email attachments, such as PDFs, can contain viruses or malware. Therefore, it is important to treat such files with care, and to avoid executing unknown files when opening attachments sent from unknown contacts.

Emails should be organised logically in subfolders, to simplify reviewing and deleting them once the company's data retention policy no longer requires them, and should be stored only for as long as that policy dictates. For most organisations, 6 years should be sufficient.

Members should avoid sending private data by email. If this is required, public key cryptography or transport encryption provided by technology such as STARTTLS should be used.

To reduce the likelihood of successful email phishing scams against employees, organisations should consider running email safety awareness courses.

4.6 Passwords

Secure passwords are those that are not easy to guess, either heuristically or through brute force. A password may be discovered by an intruder through brute force, by testing thousands of 'known' passwords in turn ('password123', 'qwertyuiop', 's3cretpa55', etc.), or through heuristic methods such as trying combinations of birthdays and pet names.

In practice, this means using passwords that are more than seven characters in length and include both upper and lower case letters, numbers and symbols.

It is important to use different passwords for each different site or utility that requires one, so that if one account is compromised, other accounts are not affected. To help manage multiple passwords, a password management utility is recommended over other forms of password documentation. Where passwords are required for a shared service, such as the administration of a centralised server, a physical password vault can be utilised.
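A password acceptance check that applies the rule above, as an added example that is not part of the RICS statement: it enforces the length and character-class requirements, compares the password against a small constructed list of 'known' passwords after undoing the digit-for-letter substitutions that make 's3cretpa55' look unique, and flags an embedded year as a likely birthday-based guess.

```python
"""Password acceptance check for the rule in this section (added example, not
part of the RICS statement): more than seven characters with upper, lower,
digit and symbol, not a 'known' password in disguise, and no embedded year."""
import re
import string

# Constructed sample list; a real check would load a large breached-password list.
KNOWN_PASSWORDS = {"password", "password123", "qwertyuiop", "secretpass", "letmein"}

# Reverse the usual substitutions: s3cretpa55 -> secretpass, p@$$w0rd -> password
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
YEAR = re.compile(r"(19|20)\d\d")


def candidates(pw):
    """Forms compared against the known list: lower-cased as typed, leet-reversed,
    and each of those with punctuation and then trailing digits stripped."""
    forms = set()
    for base in (pw.lower(), pw.lower().translate(LEET)):
        letters = "".join(c for c in base if c not in string.punctuation)
        forms.update({base, letters, letters.rstrip(string.digits)})
    return forms


def password_problems(pw):
    """Return the list of reasons pw fails; an empty list means acceptable."""
    problems = []
    if len(pw) <= 7:
        problems.append("too short: must be more than seven characters")
    if not any(c.isupper() for c in pw):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("no symbol")
    if candidates(pw) & KNOWN_PASSWORDS:
        problems.append("matches a known password after normalisation")
    if YEAR.search(pw):
        problems.append("contains a year, a common birthday-based guess")
    return problems


def is_acceptable(pw):
    return not password_problems(pw)
```

Note that 'S3cretPa55!' satisfies every character-class rule yet is rejected, which is the point: complexity rules alone do not catch a known password with a symbol bolted on.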