Comply with GDPR – Solutions for Businesses
Mark Thomas reviews some of the solutions available to businesses that can help protect them against data breaches and comply with General Data Protection Regulation (GDPR).
How to protect your business against data breaches?
Whilst the EU General Data Protection Regulation (GDPR) is a sensible level of protection in the digital age, it does highlight the lack of knowledge that some business owners, managers and data users have of their own company data.
Do we know where customer data is held on our network? Do we know how secure that data is? Do we know if we have had any data breaches?
We will all now need to be aware of these factors to ensure compliance with the GDPR and to avoid the significant fines that can be placed on our businesses for non-compliant data breaches.
Anecdotally it is known that businesses lose data regularly; the media only latch on to the large breaches, such as those at utility companies or central government. However, laptops, hard drives, emails and even entire systems are breached, and the data could be used against the individual – most notably for identity theft.
According to Computer Weekly (March 2017), 74% of UK SMEs had a security breach in 2016. A security breach is not necessarily a data breach; however, it indicates that ¾ of the UK’s small businesses are not accessing data securely, especially when working from home or away from the office with no proper attention paid to remote connectivity.
The first piece of the puzzle for any business is to identify the types of data and processes your business carries out and where the data is stored.
When all of our lives are held electronically it is only right that the systems are protected against a breach – how is this done?
For many businesses, getting IT security right is difficult, but it’s key to ensuring your compliance. It is a great opportunity for businesses to seriously analyse their existing security solutions against a set of criteria to help minimise the risk of a major data breach. Planning and implementing this can take time, so it’s a good idea to start looking at your IT security and budgeting for investment in suitable technology sooner rather than later.
ENCRYPTION
Encryption will be the number one solution to ensure that any data held by a business is only accessible by the business.
Whilst this will not protect against a data breach, it will mean that the data is secure should it fall into the wrong hands. Data encryption is specifically mentioned in the EU directive.
There are a number of encryption tools available from the likes of Sophos – Central Device Encryption and SafeGuard; from Microsoft – Bitlocker; ESET – DESlock Encryption; and from Symantec – Full Disk Encryption.
The highest level of encryption is FIPS 140-2 compliance, available with DESlock and the enterprise versions of Sophos SafeGuard. However, any encryption from a multitude of providers will help ensure that breached data is inaccessible to whoever took it, so that EU citizens’ data is not accessed and can be considered secure.
DEVICES – MOBILE SECURITY
Whilst a fixed location PC in an office can be managed and secured, a mobile device has many more complications.
Mobility has seen incredible growth over the last 10 years, with a high degree of flexibility away from the workplace. Laptops, smartphones, portable hard drives, thumb drives etc. may all contain EU citizen data which, if lost or stolen, would provide an easy access point for unauthorised access and potential use of this data against the EU citizen.
Encryption will again be key for mobile devices as well as Mobile Device Management (MDM). One of the features of MDM is to have a remote ‘kill switch’ for lost or stolen devices. This will remove all data from the smartphone or tablet and this reduces the possibility of the data being breached.
Sophos Central Mobile is a comprehensive suite of products to manage iOS, Android and Windows 10 mobile devices and Windows 10 laptops and tablets. This product will provide a secure environment for workers to use any device by creating encrypted containers on the device, alongside protection from web threats and anti-phishing technology.
Laptops should also be encrypted and should have a double layer of authentication before the user can access the laptop, which will deter any data thief and potentially block all access to company data.
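An added example, not code from the article or from Microsoft or Sophos, showing how a defender could check the two laptop controls just described (full-disk encryption and a pre-boot second factor) with the BitLocker PowerShell module; the compliance rule encoded here is an assumed policy, not one the article states:

```powershell
# Added example, not code from the article or from any vendor named in it.
# Audits BitLocker on a Windows endpoint: each OS/data volume must be fully
# encrypted with protection on and have a recovery password escrowed, and the
# OS volume must additionally require a pre-boot PIN (TPM+PIN), which is the
# "double layer of authentication" recommended for laptops above.
# Assumes the BitLocker PowerShell module (Windows 10/11 Pro or Enterprise)
# and an elevated session; the compliance rule itself is an assumed policy.
function Get-BitLockerComplianceReport {
    [CmdletBinding()]
    param()

    $volumes = Get-BitLockerVolume |
        Where-Object { $_.MountPoint -and ("$($_.VolumeType)" -in 'OperatingSystem', 'Data') }

    foreach ($vol in $volumes) {
        # Key protector types present on this volume, e.g. Tpm, TpmPin, RecoveryPassword
        $types = @($vol.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })

        $encrypted   = ("$($vol.VolumeStatus)" -eq 'FullyEncrypted') -and ("$($vol.ProtectionStatus)" -eq 'On')
        $preBootPin  = ($types -contains 'TpmPin') -or ($types -contains 'TpmPinStartupKey')
        $hasRecovery = $types -contains 'RecoveryPassword'
        $isOs        = "$($vol.VolumeType)" -eq 'OperatingSystem'

        [pscustomobject]@{
            MountPoint       = $vol.MountPoint
            VolumeType       = "$($vol.VolumeType)"
            VolumeStatus     = "$($vol.VolumeStatus)"
            ProtectionStatus = "$($vol.ProtectionStatus)"
            EncryptionMethod = "$($vol.EncryptionMethod)"
            KeyProtectors    = ($types -join ',')
            PreBootPin       = $preBootPin
            RecoveryEscrow   = $hasRecovery
            # Data volumes: encrypted + recovery key; OS volume: additionally TPM+PIN
            Compliant        = $encrypted -and $hasRecovery -and ((-not $isOs) -or $preBootPin)
        }
    }
}

# Show the report and flag any volume that fails the policy.
$report = Get-BitLockerComplianceReport
$report | Format-Table -AutoSize
$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning ("{0} volume(s) not compliant: {1}" -f $failed.Count, ($failed.MountPoint -join ', '))
}
```

Run it on each laptop (or via remoting) and keep the output as evidence for the audit trail; a volume showing only a Tpm protector has encryption but no pre-boot second factor.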
MALWARE
One of the easiest ways for hackers to steal data is to load malicious software on a device, which will then find data and send it to the hacker without the user knowing. Simple endpoint protection is often not enough, as threats are revised very frequently, so anti-virus software will need to be purchased from a reputable supplier that issues regular updates.
In addition, the latest addition to Sophos’ platform, Intercept X, should be considered to specifically defend against ransomware attacks by detecting and blocking data-stealing malware activity.
Regular Windows updates are key for PCs and laptops, whilst management of the IT estate is vital to ensure any loopholes that malicious code and attacks could exploit are closed.
COMMUNICATION
Email is the most common communication tool in business. Most of us have work email on multiple devices, often on our own personal mobiles. This is clearly a risk to the business as email can contain specific EU citizen data and be easily lost.
Sophos Secure Email will keep your work email in a container separate from the personal email applications you use, meaning any attachments are encrypted on the device and their movement out of the container is restricted.
The next level of securing communications will be the need to encrypt email from source. This can be done, for example, with a Sophos Email Appliance, Symantec Desktop Email Encryption or Encryption Management Server. The need to move data outside of the business will continue to be relevant, and therefore email encryption will be required (should EU citizen data be contained in the email).
FIREWALL
Businesses have been able to rely on their broadband router for running their firewall rules to date. However, these simple devices will only provide simple security and can be configured incorrectly, which will allow port scanners and other hacking tools to penetrate the business network. Penetration testing will be a key step in knowing how secure the business network is from the outside.
Knowing the risks will be the first measure to obtaining a compliant network.
In some circumstances, a dedicated firewall appliance will be required. In the main this device will also be able to handle data-stealing attacks at the edge of the network and provide solid reporting to the business – this visibility is a powerful tool for managing any data breaches.
Sophos XG Firewall is the market leader and will integrate with a number of other security products on the desktop and network.
This firewall will provide complete network protection, identify any risks and isolate them from the rest of the network, whilst managing multiple policies to protect the devices and data from any breach.
SSL CERTIFICATES
Personal data in transit should also be encrypted; this can be achieved by purchasing a Secure Sockets Layer certificate, or SSL certificate as it is commonly known.
The SSL certificate authenticates the identity of a website and encrypts information sent to the server using SSL technology, essentially serving as an electronic passport. A certificate can be purchased through your IT partner.
What next?
First of all any business will need to understand GDPR and the relevance to their own business as well as knowing the processes and data locations.
Your IT partner will be able to discuss your network and commence a security audit and penetration test.
From there the solution will be determined by the processes your business operates; the causes of data loss and how to avoid, or protect against, this loss can then be discussed – all before May 2018.
If you have any queries or questions surrounding GDPR please do not hesitate to get in touch.