Security details for protection of data
We take security seriously and regularly review our processes to make sure we are doing everything we can to ensure reliability of service and protection of data.
When you transfer data to a hosted system, security responsibilities become shared between you and your service provider. Typically, when you host your data with us, Worthers and its providers are responsible for securing the underlying infrastructure that supports the hosted environment, and you are responsible for anything you put into that environment and for your connection to it.
We have provided information below that may be useful to you in undertaking a DPIA (Data Protection Impact Assessment).
Cyber Essentials Accredited
Worthers are accredited under the UK Government's Cyber Essentials security standard, which the NCSC claims can help eliminate the risk of 80% of cyber attacks. The steps included in the Cyber Essentials certification are:
Step 1: Boundary Firewalls and internet gateways
Step 2: Secure Configuration
Step 3: Control who has access to your data and services
Step 4: Protect yourself from viruses and other malware
Step 5: Keep your devices and software up to date
Data Centre and Server Providers
Worthers have carefully selected data centre and server providers that provide the highest quality infrastructure and have an excellent reputation in this field. Worthers have over 10 years' experience and history with our main providers, so we can provide reassurance about their security provisions and quality of service. Our hosting servers are provided through 'Webhosting UK COM LTD', with whom we are an enterprise-level client and who are ISO27001 accredited. They own all their own infrastructure, including routers, firewalls and switching. As well as providing network services, their highly skilled engineers provide 24x7 server support to us when our team require additional support. Whilst they do not directly process any data for us, they do play a role in the security of data with regard to access to servers. We have service level agreements and contracts in place with them, and as they are ISO27001 accredited you can be assured that they have the highest security standards in place.
Our hosting servers are located in high-standard UK data centres owned by Iomart. These are also ISO9001 and ISO27001 accredited, with industry-leading infrastructure, N+ design and strict physical access control providing a safe and secure environment. More details about the physical data centres can be found at https://www.iomart.com/about-iomart/uk-data-centres/
All servers are for our clients' use and we do not share them with other third parties. All our managed servers are security hardened and protected by advanced stateful packet inspection firewalls and anti-intrusion software that monitors and blocks threats. We also use the widely used 'ModSecurity' web application firewall with specific rule sets to look for and block threats aimed at popular software such as WordPress. Servers have 24x7 monitoring and administrators are automatically notified of issues.
Our managed servers are remotely backed up nightly for disaster recovery purposes. Backups are managed through industry-leading secure backup software (R1Soft or Veeam) and are stored within the UK for a maximum of 30 days.
We provide a range of dedicated, virtual and shared hosting servers depending on clients' requirements. Whilst we endeavour to provide a high level of security across all our servers, dedicated and virtual servers provide increased levels of security as they are not shared with other clients and can be tuned for their specific use.
Supply of server only
In some cases we are asked to supply a server without our management. In these cases, the client has full access and is responsible for OS and software updates, security, monitoring and backups. Our responsibility is limited to the hardware and network connectivity.
There are many steps involved in security hardening a server, but the process generally includes:
- Locking down all non-essential ports (points of access)
- Disabling potentially vulnerable or non-essential software
- Restricting user access within the server
- Installing various protection software
- Ensuring strict and complex administration passwords
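As an added illustration of the first and third points above (not Worthers' own tooling), the following script audits a Linux host for network listeners outside an expected set and for SSH settings that would allow password or direct root logins, in line with the key-based administration access described later on this page. The allowed port list and the sample inputs are assumptions constructed for the example.

```shell
#!/usr/bin/env bash
# Added example, not Worthers' own tooling: an offline audit of two points from
# the list above (non-essential ports, restricted administrator access). On a
# live host feed it `ss -tlnH` output and /etc/ssh/sshd_config instead.

ALLOWED_PORTS="22 443"   # assumption: only SSH and HTTPS should face the network
# audit_ports FILE: FILE holds `ss -tlnH` lines (State Recv-Q Send-Q Local Peer).
# Loopback-only listeners are unreachable from outside and skipped; any other
# listener on a port outside ALLOWED_PORTS is reported. Returns 1 if any found.
audit_ports() {
  local bad=0 laddr port
  while read -r _ _ _ laddr _; do
    [ -n "$laddr" ] || continue
    case "$laddr" in 127.0.0.1:*|'[::1]:'*) continue ;; esac
    port=${laddr##*:}
    case " $ALLOWED_PORTS " in
      *" $port "*) ;;
      *) echo "unexpected network listener on port $port ($laddr)"; bad=1 ;;
    esac
  done < "$1"
  return "$bad"
}

# sshd_val KEY FILE: effective value of KEY in an sshd_config (sshd honours the
# first occurrence; keywords are case-insensitive; commented lines are ignored).
sshd_val() {
  awk -v k="$1" '$1 !~ /^#/ && tolower($1) == tolower(k) { print $2; exit }' "$2"
}

# audit_sshd FILE: demands an explicit "no" for password logins (key-based
# authentication only) and for direct root login. Returns 1 if either is absent.
audit_sshd() {
  local bad=0
  [ "$(sshd_val PasswordAuthentication "$1")" = no ] \
    || { echo "PasswordAuthentication must be no: use key-based authentication"; bad=1; }
  [ "$(sshd_val PermitRootLogin "$1")" = no ] \
    || { echo "PermitRootLogin must be no: administer through named accounts"; bad=1; }
  return "$bad"
}

# Constructed sample inputs (not captured from any real server).
SAMPLES=$(mktemp -d)
printf '%s\n' 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' 'LISTEN 0 511 *:443 *:*' \
  'LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*' > "$SAMPLES/ss_ok.txt"
printf '%s\n' 'LISTEN 0 128 0.0.0.0:22 0.0.0.0:*' 'LISTEN 0 5 0.0.0.0:21 0.0.0.0:*' \
  'LISTEN 0 80 [::]:3306 [::]:*' > "$SAMPLES/ss_bad.txt"
printf '%s\n' 'PermitRootLogin no' 'PasswordAuthentication no' > "$SAMPLES/sshd_ok.conf"
printf '%s\n' 'PermitRootLogin yes' '#PasswordAuthentication no' > "$SAMPLES/sshd_bad.conf"
audit_ports "$SAMPLES/ss_bad.txt" || echo "ports: FAIL"
audit_sshd "$SAMPLES/sshd_bad.conf" || echo "sshd: FAIL"
```

Against the "bad" samples the script reports the FTP and MySQL listeners and both weak SSH settings; the MySQL listener bound to 127.0.0.1 in the "ok" sample is deliberately not reported.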
SSL encryption protects all data in transit between the client and the server so that it cannot be read by anyone intercepting it. We provide SSL encryption for connections to server services (e.g. IMAP, HTTPS and SFTP) and provide free basic SSL certificates for all websites. Certificates with higher levels of validation, customer reassurance and insurance can be purchased through us if required.
Firewall and anti-intrusion software
We use advanced stateful packet inspection firewalls and anti-intrusion software that constantly monitor and protect against a range of threats. Rules are maintained and regularly updated.
We use software on our servers to enforce secure passwords for all client access to hosting control panels, FTP and mail accounts.
Administration access to servers is limited to designated staff within Worthers and, when we require additional services from them, to our server provider.
Where possible we use secure key-based authentication for access to servers and restrict high-level access to our office location.
When storing passwords Worthers use a secure password storage manager that requires multifactor authentication. This enables us to specify tight policies on who within Worthers has access to what, keeps passwords hidden and enables easy removal of access to staff members if they leave Worthers employment or their role changes.
In the event of any data breach we have a policy and procedures in place to deal with this. Further details can be found in our Data Breach Policy.
If any further details on security are required, please contact our support team.
Last updated: 21st April 2021