The thought of massive fines and reputation-destroying data breaches certainly focuses the mind and makes you think about reprioritising penetration testing now that GDPR is fully in force.
Nothing refocuses business priorities like the possibility of a twenty million euro fine.
And, even though maximum fines lie at the very end of the legal enforcement path, they are there.
Each month, the UK Information Commissioner’s Office releases details of all successful prosecutions. Recent fines include: £80,000 for Gloucestershire Police, $35,000 for Bayswater Medical Centre, and £120,000 for the University of Greenwich. These fines pre-date the implementation of GDPR, which has tightened the regulatory environment. The Information Commissioner’s Office has a cupboard full of big sticks and uses them all the time.
Does GDPR affect companies outside the EU? This Analytics Insight article shows a few ways it does.
What Data Do You Hold?
Most companies hold far more data than they realise. Customer names and addresses in your office are just the start of it. Email addresses, bank details, questionnaire answers, phone numbers, best times to ring, and dates of purchases are just a few examples of the client data sitting somewhere in the depths of your hard drive.
Then there is the problem of employees storing data on their phones and tablets; a problem made worse if those devices belong to employees rather than to your business.
How Legal is Your Data?
Your data was legal when you gathered it, but GDPR changes the rules, and the changes apply retroactively. Every piece of data you have going back to the year dot must now meet the new standards of privacy GDPR has ushered in.
Your data is illegally held unless you have definite proof that a customer gave you permission to hold their data, that you told them why you have kept it, and how long you plan to keep it on file.
If you allow comments on your website, you could be in breach of GDPR if you enable user avatars, or ask for email addresses of those commenting.
If you keep data forever, you are breaching GDPR guidelines because ‘forever’ is unreasonable.
If your customer data is stored unencrypted on any office computer, you would be judged as storing it insecurely.
How Vulnerable Is Your Data?
Another aspect of GDPR is that you must protect any data you hold and notify customers and the Information Commissioner’s Office if you suffer a data breach. This requirement provides an extra incentive to do the right thing because your customers will be less than happy to be told their data has been lost or stolen.
Your data is vulnerable in a few different scenarios:
• Devices containing unencrypted data are lost or stolen
• Your data storage network is hacked
• An employee sells their password or otherwise acts maliciously
1. Lost Devices
RIP Bring Your Own Device (BYOD).
You can only control phones or tablets if your organisation owns them. In a BYOD scenario, a phone holding customer names and addresses could be used by a family member on an open Wi-Fi network, where any other user of that network could access the data. You would only find out about the data breach when it hits the newspapers.
Office computers can be stolen, too. You can make computers harder to take by chaining them to desks and using secure rooms for office servers, but these precautions can only make it harder for thieves. There is no ‘Total Protection’ for any computer hard drive.
The only answer is not to store client or company data locally, but to use cloud storage. With cloud storage, out-of-office staff members hold no proprietary information on their company devices, so the theft of a device does not necessitate a letter to customers and the Information Commissioner.
2. Network Hacks
You can reduce the chance of a network hack by insisting on secure passwords and changing them at frequent intervals.
3. Malicious Employees
When security experts examined data breaches, 58% of them blamed a malicious insider. What can you do to prevent unhappy workers from selling company-owned data?
Active security monitoring is the best way to spot the unusual access patterns that are often seen before any data theft. This web page lists a variety of low-cost steps you can take to minimise the risk and harmful effects of malicious actions by employees. These include requiring remote employees to use a VPN to access customer or other data, and never taking printouts out of the office.
How Can You Ensure GDPR Compliance?
Compliance is much more than being able to tick boxes on a data security sheet; it comes down to you insisting on an awareness of data security in every employee.
Your first step should be a remote vulnerability scan of your computer systems. This will scan for unpatched software and known vulnerabilities. If it comes up clear, don’t let down your guard, because all it means is that the electronic doors into your network are closed for now.
The second step comes at a significant cost because it needs an onsite visit and meetings between the security expert and senior executives. Companies like Bulletproof.co.uk specialise in high-level penetration testing where they study all security risks, both physical and virtual. Only this level of security will allow you to sleep at night.
The Short Version
You can put DIY precautions in place and should do so immediately, but those will only prevent the most inexperienced hackers. For total security, you need to bring in a professional, UK-based penetration testing company.