It is estimated that cybercrime costs UK businesses £27 million per year. And that 86% of UK organisations have experienced some form of cyber-attack. What these worrying statistics show, is that your business could be next. That’s why it’s important to ensure that you are protecting your employees and training candidates’ data. Here, working with the right accrediting body for workplace transport training is key.
When you are delivering workplace transport training, you will be sharing your employees’ or customers’ training data with your accrediting body. Your business may have robust cyber security measures in place. But as soon as this information is passed to your accrediting body, the safety of the data is effectively out of your hands.
Therefore, it is important to carry out due diligence when selecting an accrediting body. Though no entity can guarantee 100% data security, you can reduce the risk of a breach by ensuring that any business that stores data you have given them has the right systems in place.
Cyber security is not ‘business as usual’ for many of us in the training industry. However, you do not need to be an expert to identify whether your accrediting body is taking the right steps to keep your data safe.
Here are 8 questions to ask when selecting an accrediting body. (Or to check with your current accreditation partner.)
- Do you have a Privacy Policy that is regularly reviewed and covers:
- What information is collected
- Why the information is collected
- How long the information is stored
- Who might they share the information with
- How data is stored and kept secure
- What data subjects’ (trainees) rights are?
You will have almost certainly encountered a Privacy Policy before. Probably where a website will ask you to tick a box confirming that you’ve read one. A Privacy Policy is a document that tells users what types of information you collect from them, and why. It also includes a variety of other information, such as the exact methods you use to collect any personal data (such as cookies on a website). Some laws, such as GDPR, require a Privacy Policy to be in place.
As an accrediting body, a detailed Privacy Policy is something we have in place at RTITB. It is regularly reviewed and is also freely available to view on the RTITB website.
- Are data subjects (trainees) shown a Fair Processing Notice at the start of a course making them aware of who their personal data is being shared with? And how this data will be used?
A Fair Processing Notice (FPN) is a notice given to individuals when you gather their personal data. It explains exactly how their data will be used. Also, how they can exercise their legal rights over their data. It should typically also provide a link to a full privacy policy.
We supply this notice to all our RTITB accredited organisations. Every time our accredited partners register a training candidate with us, they must also confirm that the person has seen this Fair Processing Notice.
- Do you hold Cyber Essentials accreditation or equivalent?
The Cyber Essentials scheme is designed to help guard against common cyber threats and demonstrates an organisations commitment to cyber security. RTITB received its Cyber Essentials certificate in 2020, following an assessment to recognise the secure systems and processes that we have put in place. You can find out more about that here.
- Is regular penetration testing done on your registration database and servers? (At least annually)
Penetration testing is one way to assure the securing of an IT system. It involves attempting to breach some or all of that system’s security, just like a cyber attacker might. One way that RTITB keeps our accredited partners’ training data safe is by conducting penetration testing annually. We do this on both the MyRTITB portal, and the main registration database (for MDRS and NORS).
- How and where do you store the training data? Is it on the public cloud, private cloud, an onsite server, or somewhere else? And how do you keep it secure?
Accrediting bodies receive large amounts of training data. Once this is submitted (in the case of RTITB via our online registration website), this then must be stored somewhere.
Both cloud-based and server-based solutions are frequently used by businesses to store this level of data. However, no method is secure by default. It is worth checking what data security measures are in place to protect where the information is stored.
For instance, all data stored by RTITB is securely stored in the cloud, supported by servers in ISO27001 accredited data centres. ISO27001 is the international standard for information security. It includes a specification for an effective ISMS (information security management system).
- What perimeter security is in place to protect the registration database server?
Perimeter security is how a network is defended from hackers or intruders. The perimeter acts as a secure wall between networks, to prevent hacking, malware, or other security threats. You’re likely familiar with the term ‘firewall’. This is part of your network perimeter, but this also includes other vital components to detect and prevent issues.
It is also important to consider the rules that determine what the firewall will and will not permit to pass – for example, addresses that are considered safe, acceptable traffic types. It’s also important to consider an intrusion detection system, which is used to interrogate traffic once it has passed the firewall.
There is an increasing focus on what is happening on devices inside the protected perimeter, on the devices that access the network where the server sits. This could be mobile phones, tablets, laptops etc. All of these devices present opportunities for attackers to exploit vulnerabilities and find their way onto the server from the inside.
RTITB has considered all these areas around perimeter security. Our database sits behind an encrypted firewall and is monitored by intrusion detection systems.
- What Security Information and Event Management system is used to detect, analyse, and respond to security threats at server/data centre level?
Defence of a server is a multi-layered initiative that depends on a variety of systems, from traditional network firewalls to sophisticated, intelligence-driven analysis software.
Security information and event management (SIEM) is a type of technology that supports threat detection, compliance, and security incident management. It works by collecting and analysing security events and other relevant data sources, both in real time and historically. This information helps facilitate a quicker response to security threats before they harm operations.
Our RTITB database is monitored by SIEM to ensure that threats are detected and analysed. In the event that an incident occurs, we are able to control the risk around the data breach.
- Are user account passwords encrypted? And if so, by what method?
As well as background defences used to protect data on a server, you must also consider the front-end security. For example, when it comes to a registration database, this would be the web page or app that you use to register or search for data. It is important to protect the data of the users accessing the system, and that begins with protecting passwords.
It is important that passwords are unreadable by hackers if there is a data breach. If passwords are stored without encryption, this means that they are potentially readable by hackers. They could then use this information to conduct further security breaches.
Encryption is used to ‘scramble’ a password so it’s unreadable and/or unusable by hackers. Passwords are passed through an algorithm, which turns text passwords into numbers, letters, and then random characters are added. This is called ‘hashing and salting’ and increases security of password data while it is being stored on a server.
To help strengthen security around password data, all passwords for the RTITB Extranet (which gives access to register training candidates, among other things) are hashed and salted.
Make training data security a priority
RTITB takes cyber security and keeping your data safe very seriously. A proportion of the RTITB Accreditation fees from our partners is invested in continuous improvements to the protection of the training data that we store and have access to.
We understand that data security breaches can have far reaching consequences for our accredited partners. If your training data was compromised, this could result in loss of revenue. And damage to your company’s reputation. So, when you’re considering accrediting bodies, make sure you consider how well your data will be protected.
The chances are, that if the cost of accreditation is very low and seems too good to be true, it probably is. You may not be covered when it comes to data security. With RTITB, you can be confident that you’re investing in an accrediting body that prioritises protecting the data of your employees, trainees, or customers.
If you have any questions about our data security methods and systems, please don’t hesitate to contact our friendly team for advice or support.
You can also find out more about RTITB Accreditation here.