The General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, enables fines of up to €20 million for breaches of personal data.
Limited to 4% of annual turnover, the penalty is nevertheless a sobering prospect – especially when you consider how easy it is to fall foul of the regulations. A breach could arise from something as simple as a misaddressed email, a poorly configured cloud application, a misplaced USB stick, or IT equipment that was not wiped correctly before disposal.
The consequences for organisations that fail in their obligation to secure personal data extend far beyond the spectre of a swingeing fine. Loss of commercially sensitive data can result in devalued intellectual property, irreversible brand damage, and reduced shareholder confidence.
Given that data loss is often the result of poor behaviour by authorised users rather than a sophisticated hack or malware attack, what can an organisation do to protect itself?
Eight technical tactics to reduce risk
There are many technical ways to combat poor computer user behaviour and help prevent loss of data:
- Email systems can be extended with plug-ins to check that the security classification of attachments is compatible with the intended recipients of the email. If it isn’t, the program prevents the email from being sent and can alert users and management.
- Email systems can be configured to remove the ability to set up automatic forwarding to external addresses.
- Laptops and workstations can be configured to prevent the use of unauthorised removable media, such as USB sticks. Usage can be limited to approved encrypted secure devices only.
- Laptops and workstations can be configured with strong full disk encryption. This function is included in many professional/enterprise operating systems.
- Firewalls and web proxies can be configured to prevent access to unauthorised cloud file-sharing and email solutions.
- Wired and wireless networks can be configured to deny connections to unauthorised IT (network access control).
- Laptops and tablets can be configured to connect only to whitelisted Wi-Fi providers that meet minimum security standards, while blocking access to unknown and insecure Wi-Fi hotspots.
- Preventative monitoring systems can immediately notify management of unusual activity in databases and storage networks, such as a large out-of-hours download of data, while it is still in progress.
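The first tactic, an email plug-in that compares the classification of attachments with the intended recipients, comes down to a small policy check. The code below is an added example, not code from the article or from any email product: the three classification labels, the per-label recipient domain allow-lists and the sample messages are all constructed assumptions. It deliberately fails closed, treating an attachment with no recognised label as the most sensitive one.

```python
"""
Outbound email gate: refuse a send when an attachment's security
classification is not compatible with every recipient (tactic 1).

Added illustration, not code from the article or from any email product.
The labels, the domain allow-lists and the sample messages are assumptions.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Assumed labelling scheme, ordered from least to most sensitive.
LEVELS = ["PUBLIC", "INTERNAL", "CONFIDENTIAL"]

# Assumed policy: which recipient domains may receive each label.
# None means no restriction at all.
ALLOWED_DOMAINS: Dict[str, Optional[Set[str]]] = {
    "PUBLIC": None,
    "INTERNAL": {"example.com"},
    "CONFIDENTIAL": {"example.com", "partner.example"},  # partner under NDA
}


@dataclass
class Attachment:
    filename: str
    classification: str  # expected to be one of LEVELS


@dataclass
class Message:
    sender: str
    recipients: List[str]
    attachments: List[Attachment] = field(default_factory=list)


def level_index(label: str) -> int:
    """Rank of a label. An unknown or empty label is ranked as the most
    sensitive so an unlabelled file can never slip out (fail closed)."""
    return LEVELS.index(label) if label in LEVELS else len(LEVELS) - 1


def highest_classification(attachments: List[Attachment]) -> str:
    """Most sensitive label across the attachments; PUBLIC when there are none."""
    return LEVELS[max((level_index(a.classification) for a in attachments), default=0)]


def domain_of(address: str) -> str:
    """Lower-cased domain part of an address; a malformed address yields ''."""
    _, sep, domain = address.rpartition("@")
    return domain.lower() if sep else ""


def check_message(msg: Message) -> Tuple[bool, List[str]]:
    """Return (allowed, violations). A non-empty violations list means the
    plug-in must refuse the send and may alert the user and management."""
    label = highest_classification(msg.attachments)
    allowed = ALLOWED_DOMAINS[label]
    if allowed is None:
        return True, []
    violations = []
    for rcpt in msg.recipients:
        dom = domain_of(rcpt)
        if dom not in allowed:
            violations.append(f"{label} content may not be sent to {rcpt}")
    return not violations, violations


if __name__ == "__main__":
    # Constructed sample: an internal spreadsheet addressed to a personal webmail account.
    sample = Message(
        sender="alice@example.com",
        recipients=["bob@example.com", "alice.home@webmail.example"],
        attachments=[Attachment("forecast.xlsx", "INTERNAL")],
    )
    ok, problems = check_message(sample)
    print("send allowed" if ok else "send blocked:", *problems, sep="\n")
```

The check is evaluated per recipient rather than per message so that the alert can name exactly which address triggered the block; in a real plug-in the same function would run again after any "reply all" expansion of a distribution list, since that is where unintended external recipients usually appear.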
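The eighth tactic, alerting on a large out-of-hours download while it is still in progress, is shown below as detection logic run over a constructed storage audit log. This is an added example, not code from the article or from any monitoring product; the log line format, the sample lines, the 1 GB in 30 minutes threshold and the 08:00 to 18:00 weekday business-hours window are all assumptions. The rule keeps a sliding window per user and raises the alert at the event that crosses the threshold, rather than in a nightly batch report.

```python
"""
Tactic 8: alert on a large out-of-hours download while it is in progress.

Added illustration, not code from the article. The audit-log format, the
sample lines, the threshold and the business-hours window are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed audit-log format: ISO timestamp, user, operation, object, bytes.
# 2018-05-10 is a Thursday; the final line falls in the early hours of Friday.
SAMPLE_LOG = """\
2018-05-10T14:02:11 alice READ customers/2017-q4.csv 1048576
2018-05-10T14:05:40 alice READ customers/2018-q1.csv 2097152
2018-05-10T23:10:05 bob READ customers/2017-q4.csv 314572800
2018-05-10T23:14:52 bob READ customers/2018-q1.csv 367001600
2018-05-10T23:18:30 bob READ customers/2018-q2.csv 419430400
2018-05-11T02:01:00 carol READ hr/payroll-2018.csv 5242880
"""

BUSINESS_HOURS = (8, 18)          # 08:00 <= hour < 18:00, Monday to Friday (assumed)
WINDOW = timedelta(minutes=30)    # sliding window per user (assumed)
THRESHOLD_BYTES = 1_000_000_000   # 1 GB read within the window (assumed)


def parse_line(line: str):
    ts, user, op, obj, nbytes = line.split()
    return datetime.fromisoformat(ts), user, op, obj, int(nbytes)


def out_of_hours(ts: datetime) -> bool:
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)


def detect(log_text: str) -> List[Tuple[str, datetime, int]]:
    """
    Stream the log once, keeping a per-user sliding window of out-of-hours
    reads. An alert (user, timestamp, bytes_in_window) is emitted at the
    event that pushes the window total over the threshold, i.e. while the
    bulk download is still running. One alert per user per run, to avoid
    flooding management with a repeat for every further file.
    """
    windows = defaultdict(list)   # user -> [(timestamp, bytes), ...]
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, op, _obj, nbytes = parse_line(line)
        if op != "READ" or not out_of_hours(ts):
            continue
        w = windows[user]
        w.append((ts, nbytes))
        while w and ts - w[0][0] > WINDOW:   # expire events older than the window
            w.pop(0)
        total = sum(b for _, b in w)
        if total >= THRESHOLD_BYTES and user not in alerted:
            alerted.add(user)
            alerts.append((user, ts, total))
    return alerts


if __name__ == "__main__":
    for user, ts, total in detect(SAMPLE_LOG):
        print(f"ALERT {ts.isoformat()} {user} read {total / 1e9:.2f} GB out of hours")
```

A baseline per user or per role (what is normal for a database administrator is not normal for a sales executive) would replace the single global threshold in a production rule, but the shape of the logic, a sliding window evaluated at each event, is what lets the alert fire while the download is still in progress rather than the next morning.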
What’s stopping you?
It doesn’t have to be difficult or expensive to put effective technical and procedural measures in place to prevent loss of personal data. The biggest hurdle tends to be complacency: an ‘it will never happen to us’ attitude. But even companies with good security awareness can be unlucky.
Security needs to support the business, not throttle it. Poorly thought-through, knee-jerk security controls can create difficult, even unworkable business processes, resulting in dangerous workarounds that increase the risk of data loss. The aim should be to deliver a great IT user experience with security measures that are sufficient to address the actual risks.
The good news is that many technical measures to protect data are inexpensive and require only simple changes in the way employees work.
What to do – and what not to do
Do:
- Get rid of shared network drives: use modern document collaboration tools that tightly control access to specific project teams.
- Keep sensitive data in databases with credentialed and logged access controls rather than in spreadsheets.
- Give employees generous size limits for email attachments to discourage them from using file sharing sites or removable media for large files. With suitable technical controls, email is a perfectly good method for exchanging documents between organisations, and many solutions are now capable of 100MB attachments.
- Go paperless. Paper copies get lost or left on the train – and you can’t encrypt paper.
- Restrict access to all information, allowing only specific people to access specific data. Make this standard practice rather than restricting access only when there is a particular security consideration.
Don’t:
- Allow users to keep any unstructured data on workstations and laptops: it is difficult to manage and easy to attack through network connections.
- Let your IT department take responsibility for cybersecurity. Instead, get independent penetration tests and health checks on websites and all internal and external systems, and have someone from outside IT manage this process.
- Tolerate shadow IT, particularly among the senior management team. That shiny new tablet picked up in duty-free might look great in meetings, but it won’t have full disk encryption or your corporate email protection. If it is stolen with your company data on it, the company is liable.
Author: Adrian Dain, Principal Consultant at Mason Advisory – published in Infosecurity Magazine.
A quick health check for the CEO…
How much thought do you give to data security? Do you think of it as someone else’s responsibility? Perhaps you should not expect your staff to be any more concerned with it than you are.
Look at your company mission statement and company values. Are the resources you give to information security, and your organisation’s level of independent IT testing and audit, consistent with these values?
Protecting your data is as important as protecting your people – and it’s up to you to make sure the organisation gets it right.