TransPennine Express is a British train operating company, running intercity services which link some of the biggest cities and towns across the North of England and (parts of) Scotland.
In recent months, many articles have been written about the increase of cyber attacks and the difficulties of maintaining network and data security during lockdown as many employees work from home. In a keynote speech, the CEO of the National Cyber Security Centre recently warned of the increased threat of cyber attacks. Not all organisations have been able to supply equipment to support secure homeworking and holes may be opening up as a result of having home equipment - often shared with other family members - accessing company systems. It's also reported that ransomware attacks are being targeted where there is most impact on the public, (See this article on the BBC News website.) so that the attackers can ask for higher payouts. See this article for recent examples. Should IT professionals be concerned about potential risks ? Of course : cyber attacks can render systems useless and at best will cause significant disruption, downtime while the system is investigated and restored, and potentially cost a significant amount of money even if you don't choose to pay the ransom. A UK Council was hard hit earlier this year. It's worth remembering that a typical ransomware attack may infect your network weeks or months before actually encrypting your data : possibly rendering your backups useless too, as they may already be infected.
Whether you host your own data on premise, or utilise our hosting services, having a disaster recovery system that is not part of your own network, but is kept synchronised in near real time, could be the answer. Only raw data is transferred during synchronisation meaning that no files or executables, that may have been infected on your network, will reach the Disaster Recovery system. All the data is encrypted in transit, and is virus checked once it reaches the DR server. The transfer of data between the live system and the DR system utilises an API that is proprietary to Team Technologies and does not rely on, for example, Windows-like protocols, meaning that it is more difficult for a perpetrator to gain access.
The disaster recovery system is a near real time copy of the data, taking updates from your main database every few minutes. While your live system is working, there is no incoming connection allowed from the DR system : all the data transfer is achieved by the Live system "pushing" data over a virtual private network link. If the worst should happen, you can redirect your ticket issuing systems to the DR instance in much less time than it would take to check your network, decide on a course of action and restore from backup (if you have a useable backup).
OK so that's a 'worst case' scenario - but what about human error ? How often are your backups checked to make sure that you can restore from them in the event of a hard disk failure or other catastrophe on your live server ? The peace of mind that a disaster recovery system can bring could mean that if you aren't able to use your most recent backup, you don't need to lose days worth of data - you can switch to a database that is virtually at the same level as when your catastrophe occurred.
Here at Team Technologies we take security very seriously. Access to our hosted systems, and transmission of data to and from them, adheres to best practice principles of security.
1. Data in transit
When passing data between your network and your hosted system, we strongly recommend use of Virtual Private Network technology. If this is not possible for some types of user, "client certificates" will be implemented on the user's devices - on top of the internet's standard https: protocols. In addition, our GoldSTAR Mobile (GSM) app uses both Client and Server certificates to ensure secure links between the devices and the server.
2. Asset protection and resilience
Our hosting centre is physically protected from unauthorised access. Access to the data can only be obtained through the user interfaces, and database access is only via administrator level login, which is restricted to our own senior staff members.
3. Separation between users
Your system is always hosted on separate virtual machines and virtual networks, and protected by passwords that are unique to it. Different customer systems and Team Technologies own systems are totally separated.
4. Governance Framework
Team Technologies have robust security policies and processes defined in our information security management system (ISMS), which is regularly reviewed, updated and audited. Employees are regularly reminded of their information security and data protection (GDPR) responsibilities, trained, and tested to ensure compliance. All this is underpinned by our ISO27001 certification, independently audited each year.
5. Operational security
Our operational staff are only given the lowest level of access required to do their jobs. We encourage our customers to ensure that their own user lists are regularly reviewed, and access rescinded for people no longer requiring it. We have simple, streamlined, processes that all our staff are aware of, for reporting security concerns, which are always investigated promptly.
6. Personnel security
All staff are vetted before being employed. Access to customer systems is not granted until the employee has completed a formal induction and demonstrated an understanding of our security processes.
7. Secure development;
All our software development specifications take information security and data protection into account. Role based access to data is integral to our products. Within the hosted environment, our systems are designed to have no interaction with any servers or devices that are not part of our services to you.
8. Supply Chain security
We keep our supply chain as short as possible. Our data centre partner is committed to the highest levels of security, and we audit their processes on an annual basis.
9. Secure User Management
Passwords for access to any systems are held securely on a system totally within Team Technologies' control. Management authorise any requested changes to authorisation levels, which are only granted on an 'as needed' basis. We train, advise and provide support for your administrator level users who have complete control over which users and devices are granted access to the system. All access and activity is recorded in our applications' logs.
10. Identity and authentication
Access to the application is password protected, even for unattended devices such as TVMs, or automatic interfaces like a web ticket issuing system. Each user is granted one or more 'roles' which restrict what elements of the system they can access, and what they may see, edit or delete within the system.
11. External interface protection
Automated interfaces that exchange data with your authorised devices and systems must use the correct credentials and passwords. Where it is not possible to create the communications link through a VPN with your own network, we utilise secure internet protocols alongside client certificates (and where appropriate, server certificates) to protect the data. All our hosted servers are protected by automated intrusion detection and vulnerability scanning.
12. Secure service administration
Access to the administration portal for our data centre is limited to a few senior administrators and additional authorisation is required to make changes to any customer's hosted systems.
13. Audit information for users
A full history is maintained of changes to any customer data made by the system's users and administrators, and an audit is kept of administrative access to the servers.
14. Secure use of the service
We actively encourage users to maintain their own passwords, not share login credentials, and regularly review who is granted access to their system. Where mobile devices are involved, we go to significant lengths to help you keep your data secure. Nevertheless there remains some obligation on you to help us enforce good practice, and to make sure that the right people have the right levels of access to protect your system and data.