As the dust begins to settle on the General Data Protection Regulation (GDPR), which came into force last month, thoughts turn to the potential ramifications of a breach in these GDPR-compliant times. Not least among them are the fines, which can reach a staggering €20m or 4% of annual global turnover, whichever is greater. Companies doing business in the EU should also be concerned that a personal data breach must be reported to the supervisory authority within 72 hours of becoming aware of it, and to the affected individuals without undue delay where the breach is likely to result in a high risk to them. Public disclosure on that timetable can lead to untold reputational damage.
In today's climate a data breach can be crippling to businesses with data at the core of their operations. Rather than seeking a quick fix to become compliant, organisations should view GDPR as a continuous, evolving journey in which risk is reduced on an ongoing basis, so that falling foul of a breach becomes less likely and less damaging when it does happen.
Much has already been written about GDPR; however, the five key areas firms should concentrate on to address the GDPR challenge, and to ensure they are not taking unnecessary risks, are:
- Conduct a gap analysis
Step back and consider what legacy measures are in place. A gap analysis will show where the organisation is already in compliance and what steps remain to achieve complete adherence. The analysis should reveal the trends within the existing compliance programme, including its strengths and its opportunities for improvement. From it, a full compliance assessment can be produced, and from that a plan of action. The result should be codified in a final report that records what is already good and recommends specific improvements, each with an owner and a deadline.
- Understand the role of automation
Performing all the IT tasks needed for full compliance manually is difficult, and in some cases impossible. IT automation is critical to making sure these tasks are actually completed and applied consistently to every device in the IT estate; it is the only efficient way to perform crucial, repeatable processes.
The best protection comes from automating the mundane tasks that busy technical professionals would otherwise overlook, so that they are never neglected and so that their completion can be evidenced when a regulator or auditor asks.
- Practice proper patch management
The impact of 2017's most infamous cyber-attack, the WannaCry ransomware outbreak in May, could have been greatly reduced if the Microsoft patch released two months earlier (MS17-010, which fixed the SMBv1 flaw exploited by EternalBlue) had simply been installed.
Patching is challenging for organisations that rely on end-user vigilance or manual IT processes. The answer is to automate patching so that updates are deployed to all endpoints and servers as soon as they become available, ideally through a small pilot ring first so that a faulty update is caught before it reaches the whole estate, and to report on which devices are still missing a given fix.
- Secure mobile devices
It is imperative that mobile devices are held to the same standard as their desktop counterparts. Organisations should have a communicated policy on the use of mobile devices, should identify the apps (both shadow IT and sanctioned) that users access most, and should ask each app's provider whether it stores data locally on the device and, if so, how that data is encrypted and who can access it. Device encryption and the ability to wipe a lost or stolen device remotely belong in the same policy.
- Decommission devices
Accounts are created far more reliably than they are disabled, so it is prudent to make sure you have a way to quickly and completely de-provision a user, whether an employee, sys admin, customer or partner, from any and all systems under your care. That includes the less visible access a person accumulates: SSH keys, API tokens, shared mailboxes and service accounts they administered.
Besides removing end-user privileges, a big part of decommissioning is data destruction. Remember that simply deleting files, emptying the Recycle Bin or performing a quick format DOES NOT make the data unrecoverable: the directory entries are removed, but the underlying blocks keep their contents until they happen to be overwritten. Passing that machine on to another member of staff, selling it, donating it to a local school or just dumping it exposes personal data and would be a reportable breach under GDPR. Use a verified overwrite tool for magnetic disks and, for SSDs, the drive's own secure-erase or cryptographic-erase function, since wear levelling means an ordinary overwrite is not guaranteed to reach every physical cell.
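To make the point above concrete, here is an added illustration, not code from the original article: a toy model of a block device with a minimal file table. Its `delete()` behaves like an ordinary file deletion (drop the directory entry, free the blocks), its `shred()` overwrites the blocks before freeing them, and `carve()` plays the part of a forensic tool that ignores the file table and scans the raw blocks. The record written to the disk is constructed sample data.

```python
import secrets

BLOCK_SIZE = 16     # tiny blocks keep the demonstration readable
BLOCK_COUNT = 64


class ToyDisk:
    """A model of a block device plus a minimal file table.

    Added illustration only: it models why an ordinary 'delete' leaves
    file contents on the platters; it is not a real filesystem.
    """

    def __init__(self):
        self.blocks = bytearray(BLOCK_SIZE * BLOCK_COUNT)
        self.free = list(range(BLOCK_COUNT))
        self.table = {}                     # name -> (size, [block numbers])

    def write(self, name, data):
        needed = -(-len(data) // BLOCK_SIZE)        # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        blocks = [self.free.pop(0) for _ in range(needed)]
        for i, b in enumerate(blocks):
            chunk = data[i * BLOCK_SIZE:(i + 1) * BLOCK_SIZE]
            self.blocks[b * BLOCK_SIZE:b * BLOCK_SIZE + len(chunk)] = chunk
        self.table[name] = (len(data), blocks)

    def delete(self, name):
        """What 'rm' or emptying the Recycle Bin does: remove the directory
        entry and return the blocks to the free list. Contents are untouched."""
        _, blocks = self.table.pop(name)
        self.free.extend(blocks)

    def shred(self, name, random_passes=1):
        """Overwrite every block the file occupied, then free it."""
        _, blocks = self.table[name]
        for _ in range(random_passes):
            for b in blocks:
                self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = secrets.token_bytes(BLOCK_SIZE)
        for b in blocks:                                # final zero pass
            self.blocks[b * BLOCK_SIZE:(b + 1) * BLOCK_SIZE] = bytes(BLOCK_SIZE)
        self.delete(name)

    def carve(self, needle):
        """Forensic-style recovery: scan raw blocks, ignoring the file table."""
        return bytes(self.blocks).find(needle) != -1


def decommission(secure):
    """Write a constructed personal-data record, remove it either way,
    and report whether the file is still listed and still recoverable."""
    disk = ToyDisk()
    record = b"NAME=Jane Example;NIN=QQ123456C;NOTE=constructed sample data"
    disk.write("hr_export.csv", record)
    if secure:
        disk.shred("hr_export.csv")
    else:
        disk.delete("hr_export.csv")
    return {
        "listed": "hr_export.csv" in disk.table,
        "recoverable": disk.carve(b"QQ123456C"),
    }


if __name__ == "__main__":
    print("ordinary delete:", decommission(secure=False))   # recoverable: True
    print("overwrite first:", decommission(secure=True))    # recoverable: False
```

In both runs the file has vanished from the table, yet after the ordinary delete the national insurance number is still sitting in the free blocks for anyone with a raw-disk carving tool. On real hardware the overwrite approach is what tools such as `shred` or `nwipe` do for magnetic disks; for SSDs, prefer the drive's ATA Secure Erase or NVMe sanitize command, or destroy the encryption key of a full-disk-encrypted volume, because the controller's wear levelling may leave copies of a logical block in cells the host cannot address.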
Conclusion
GDPR represents a sea change in how security is approached. The onus is firmly on the organisation to ensure it has sufficient technology in place to give it deep visibility into its systems, endpoints and network. Only then can it protect its data in transit and at rest. The good news is that by taking a few practical steps to update their technology estate, organisations can both meet the stringent GDPR requirements and make themselves more resilient against the increasing frequency of modern cyber-attacks.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.