This document outlines Border Crossing Media Holdings Limited’s, (trading as Border Crossing UX), guidelines and provisions for preserving the security of our data and technology infrastructure.
The more we rely on technology to collect, store and manage information, the more vulnerable we become to severe security breaches. Human errors, hacker attacks and system malfunctions could cause great financial damage and may jeopardise our company’s reputation.
For this reason, we have implemented a number of security measures including achieving our Cyber Essentials certification. We have also prepared instructions that may help mitigate security risks in this policy.
Overall and final responsibility for ensuring this policy is adhered to is that of the Information Officer and Managing Director:
Telephone: 0131 467 9227
However, personal responsibility for the successful operation of this policy lies with every member of staff and contractor at Border Crossing Media Holdings Ltd.
Ensuring that the data that Border Crossing Media Ltd. collects is secure, protected and only used in the correct way is imperative to our company. Not only is it imperative for our reputation but also our legal obligations and responsibilities. That is why we have created this policy so that all our employees understand their responsibilities to protect the data that we collect and use.
This policy must be adhered to by all members of staff, suppliers, partners and anyone who uses our hardware or cloud-based systems and appropriate training will be provided.
Any breach of this policy, intended or otherwise, should be reported immediately to the Information Security Officer:
Telephone: 0131 467 9227
Confidential data is secret and valuable. Common examples of confidential data we hold are:
- Unpublished financial information.
- Data on our Clients, their customers, our partners and suppliers.
- Patents, formulas or new technologies.
- Customer lists (existing and prospective).
- Research participant data.
- Employee and prospective employee data.
All employees are obliged to protect this data. In this policy, we will give our employees instructions on how to avoid and report security breaches as part of on-boarding and their staff handbook.
Protect company devices
When employees use their digital devices to access company emails or accounts, they introduce security risk to our data. We advise our employees to keep their company-issued computer, tablet and cell phone secure at all times. They can do this if they:
- Keep all devices password protected.
- Choose and upgrade a complete antivirus software.
- Ensure they do not leave their devices exposed or unattended.
- Install security updates of browsers and systems monthly or as soon as updates are available.
- Log into company accounts and systems through secure and private networks only.
Employees must not access internal systems and accounts from their own personal devices and other people’s devices or lending their company devices to others.
When new hires receive company-issued equipment they will receive instructions for:
- Password setup
- Disk encryption setup
- Password management tool setup
- Installation of antivirus/ anti-malware software.
They should follow instructions to protect their devices and refer to their Line Manager if they have any questions.
If devices are used with Clients, their customers or research participants, they must be supervised and all confidential data must be either password protected or removed from the device.
Only company provided removable media (such as USB memory sticks and recordable CDs/DVDs) shall be used to store business data and its use shall be recorded (e.g. serial number, date, issued to, returned).
Removable media of all types that contain software or data from external sources, or that has been used on external equipment, require the approval of the Managing Director before they may be used on business systems. Such media must be scanned by anti-virus before being used.
Where indicated by the risk assessment, systems shall be prevented from using removable media.
Users breaching these requirements may be subject to disciplinary action.
- Where necessary, staff may use company-supplied mobile devices such as phones, tablets and laptops to meet their job role requirements
- Use of mobile devices for business purposes (whether business-owned or personal devices) requires the approval of the Managing Director .
- Such devices must have anti-malware software installed (if available for the device), must have PIN, password or other authentication configured, must be encrypted (if available for the device) and be capable of being remotely wiped. They must also comply with the software management requirements within this policy.
- Users must inform the Managing Director immediately if the device is lost or stolen and business information must then be remotely wiped from the device.
Personal devices / Bring Your Own Device (BYOD)
- No personal devices are to be used to access business information.
- Only company provided devices should be used by employees to access business information.
- Suppliers and Partners may use their own company registered devices to access limited business information for a limited period, if they have the necessary Cyber and Information Security measure in place. However, these devices require the approval of the Managing Director before they may be used on business systems or process personal data controlled by the company.
Keep emails safe
Emails often host scams and malicious software (e.g. worms.) To avoid virus infection or data theft, we instruct employees to:
- Avoid opening attachments and clicking on links when the content is not adequately explained (e.g. “watch this video, it’s amazing.”).
- Be suspicious of clickbait titles (e.g. offering prizes, advice.).
- Check email and names of people they received a message from to ensure they are legitimate.
- Look for inconsistencies or give-aways (e.g. grammar mistakes, capital letters, excessive number of exclamation marks.).
If an employee isn’t sure that an email is safe, they can refer to their Line Manager.
Manage passwords properly
Password leaks are dangerous since they can compromise our entire infrastructure. Not only should passwords be secure so they won’t be easily hacked, but they should also remain secret. For this reason, we advise our employees to:
- Choose passwords with at least eight characters (including capital and lower-case letters, numbers and symbols) and avoid information that can be easily guessed (e.g. birthdays.)
- Remember passwords instead of writing them down. If employees need to write their passwords, they are obliged to keep the paper or digital document confidential and destroy it when their work is done.
- Exchange credentials only when absolutely necessary. When exchanging them in-person isn’t possible, employees should prefer the phone instead of email, and only if they personally recognise the person they are talking to.
- Change their passwords every two months.
Remembering a large number of passwords can be difficult. Therefore, if an employee has to use a password management tool which generates and stores passwords, it must be fully compliant to current Scottish and UK legislation. Employees are obliged to create a secure password for the tool itself, as per above.
Transfer data securely
Transferring data introduces security risk. Employees must:
- Avoid transferring sensitive data (e.g. customer information, employee records) to other devices or accounts unless absolutely necessary. When mass transfer of such data is needed, we request employees to ask François Roshdy for help.
- Share confidential data over the company network/ system and not over public Wi-Fi or private connection.
- Ensure that the recipients of the data are properly authorised people or organisations and have adequate security policies.
- Only use company provided encrypted storage devices such as USB drives, external hard drives etc.
- Ensure any data transfer software used is fully compliant to current Scottish and UK legislation.
Report scams, privacy breaches and hacking attempts
Our management team need to know about scams, breaches and malware so they can better protect our infrastructure and take appropriate action. For this reason, we advise our employees to report perceived attacks, suspicious emails or phishing attempts as soon as possible to our management team. They must investigate promptly, resolve the issue and send a company-wide alert when necessary. They will also inform any required 3rd parties of the issue and the action taken.
Our management team are responsible for advising employees on how to detect scam emails. We encourage our employees to reach out to them with any questions or concerns.
To reduce the likelihood of security breaches, we also instruct our employees to:
- Turn off their screens and lock their devices when leaving their desks.
- Report stolen or damaged equipment as soon as possible to [HR/ IT Department].
- Change all account passwords at once when a device is stolen.
- Report a perceived threat or possible security weakness in company systems.
- Refrain from downloading suspicious, unauthorised or illegal software on their company equipment.
- Avoid accessing suspicious websites.
We also expect our employees to comply with our social media and internet usage policy.
Our management team should:
- Install firewalls, anti-malware software and access authentication systems.
- Arrange for security training to all employees.
- Inform employees regularly about new scam emails or viruses and ways to combat them.
- Investigate security breaches thoroughly.
- Follow this policies provisions as other employees do.
Our company will have all physical and digital shields to protect information.
Remote employees must follow this policy’s instructions too. Since they will be accessing our company’s accounts and systems from a distance, they are obliged to follow all data encryption, protection standards and settings, and ensure their private network is secure.
We encourage them to seek advice from our management team.
We expect all our employees to always follow this policy and those who cause security breaches may face disciplinary action:
- First-time, unintentional, small-scale security breach: We may issue a verbal warning and train the employee on security.
- Intentional, repeated or large-scale breaches (which cause severe financial or other damage): We will invoke more severe disciplinary action up to and including termination of employment.
We will examine each incident on a case-by-case basis.
Additionally, employees who are observed to disregard our security instructions will face progressive discipline, even if their behaviour hasn’t resulted in a security breach.
Take security seriously
Everyone, from our customers and partners to our employees and contractors, should feel that their data is safe. The only way to gain their trust is to proactively protect our systems and databases. We can all contribute to this by being vigilant and keeping cyber security as a key priority.
This policy was last updated on the 01/03/2021.