Mark Thomas looks at some of the solutions that are key to ensuring compliance with GDPR.
As the EU General Data Protection Regulation (GDPR) gathers momentum ahead of the official start date on 25th May 2018, more and more providers are seeking to offer their own solutions to protect business networks across the country.
Of course, it is relevant to remember that this applies to EU Citizen data, not all data.
It is also relevant to recall that a business’s data is, in most cases, the business itself. The IT industry has been advising on the importance of securing and backing up data for years, so what more is required to comply with GDPR?
Other than a raft of software and hardware providers, the main source of information should be the Information Commissioner’s Office (ICO), which has provided its interpretation of the EU’s directive to protect EU citizens’ data in the electronic age.
However, the ICO does not provide specific solutions or recommendations on which products are required to achieve GDPR compliance. This can confuse matters; however, by following the steps Lauren discussed in her article you can start to get a grip on your data and its location, and protect against the loss and potential exposure of EU citizens’ data from your network.
Awareness
The critical factor is to understand what data your business holds on EU citizens, where that data resides on the network, who has access to it and which devices have access to it.
This can be determined by asking your IT partner to work with you on reviewing the IT and infrastructure and discussing the systems, applications and data locations. Depending on the scale of your business this can be an eye opener: the number of unsecured locations and mobile devices with your business data roaming around the countryside can be a real risk, although there are a number of solutions to address this.
Common Sense
As discussed, data is your business: no IT system can perform without a process based on data, and where EU citizen data is concerned the importance of reviewing this system is heightened. Reviewing your current policies, permissions and security may show that a business is already prepared, and of course it is sensible to have a protected network so data cannot fall into the wrong hands – in short, businesses ‘should’ already have processes in place to support GDPR. The issue is that data has not been structured in this way before, and the importance of protecting the asset of EU citizens’ data has not been on the agenda until now.
Protection
Internet security should be a given for all businesses. Protection from viruses, malware and ransomware is required to ensure the business does not get impacted and lose operational time. The additional layer of protection required is to reduce the threat from opportunistic and targeted ‘hackers’, or more specifically password guessers. Protecting the perimeter of your data network is now imperative, as attacks on business networks aim to cause disruption as well as to locate and steal data, which could lead to GDPR fines.
This can be achieved through security appliances (managed firewalls) or through two-factor authentication – a second layer of logging in to the network with an alternative to passwords, most commonly a message sent via SMS to a phone, or a code from Google Authenticator. These are methods to prove you are who you say you are, unless of course you lose your phone and the attacker has access to both your passwords and your SMS/authenticator app.
With regard to firewalls, reliance on these devices to protect from intruders has become a little complacent, as the vast majority of businesses use free or low-cost broadband routers with built-in firewalls which are never managed or checked for configuration issues. Reviewing the open ports, the admin password and the Wi-Fi management is an important task for any business.
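As an added example (not from this article), here is the check a server performs when a Google Authenticator-style code is entered: the app and the server share a base32 secret and both compute RFC 6238 TOTP codes from the current 30-second time step. The verifier tolerates one step of clock drift and refuses to accept a step it has already accepted, so a code captured together with the password cannot be replayed. The secret used is the RFC 6238 reference test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30    # time step in seconds (Google Authenticator default)
DIGITS = 6   # code length shown in the app

# RFC 6238 reference key "12345678901234567890", base32-encoded (test value only)
RFC6238_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32, at, step=STEP, digits=DIGITS):
    """RFC 6238: HMAC-SHA1 over the time-step counter, dynamically truncated."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = int(at // step)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                     # low nibble selects 4 bytes
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class TotpVerifier:
    """Server side: accepts codes within +/- `window` steps of clock drift,
    compares in constant time, and never accepts the same step twice."""

    def __init__(self, secret_b32, window=1):
        self.secret = secret_b32
        self.window = window
        self.last_step = -1     # highest time step already consumed

    def verify(self, code, now=None):
        now = int(time.time()) if now is None else int(now)
        current = now // STEP
        for step in range(current - self.window, current + self.window + 1):
            if step <= self.last_step:
                continue        # replay of a used code, or older than it
            expected = totp(self.secret, step * STEP)
            if hmac.compare_digest(expected, code):
                self.last_step = step
                return True
        return False
```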
Data Flow
Once the data has been discovered on the network and devices it is important to monitor the flow of this data and where the risks lie.
The most obvious flow of data out of the organisation would be via email.
Email encryption will be key for those businesses required to pass customers’ information to external providers, where those customers are EU citizens. A range of Personally Identifiable Information (PII) may be transmitted over email, including of course the information of your employees for payroll.
Email encryption is available from Sophos, Symantec, Microsoft and also Fusemail early next year, which will authenticate the receiver of the email to deem them safe and provide instructions on how to read the email and its contents.
Motive
Whatever a hacker (attacker, password guesser) has as a motive – whether simply port scanning as a ‘hobby’, or specifically targeting an organisation, the threat is increasing and is becoming a persistent irritant. And that is before the official start of GDPR.
Common sense should prevail and data should be seen as the same as a physical resource – under lock and key.