The General Data Protection Regulation (GDPR) took effect on the 25th May 2018. This is a set of rules created for individuals to take more control of personal data which is held by third parties. It seems that lately, everyone wants a slice of our data. Whether it’s our social networks or retailers , a lot of third parties hold a collection of our personal data. And these same organisations also have the responsibility of assuring that it is protected. This is where GDPR comes into play.
CYBER SECURITY & GDPR
GDPR ensures any personal data is collected legally, under strict conditions & that those responsible for collecting & managing our personal data are to protect it from any misuse or exploitation. The unauthorised use of systems for the processing or storing of data is what the NCSC (National Cyber Security Centre) define to be a cyber incident.
There are no specific rules when it comes to cyber security, but appropriate action should be taken & security measures put in place to assure that any possible breaches are managed & avoided. If your organisation fails to comply with these rules, then you could face a fine.
There are two tiers of fine that can be issued under GDPR depending on the nature of the incident. The lower bracket is either £7.9m or 2% of the company’s global turnover, whichever is higher. The second, higher tier
is for more severe incidents & this is £17m or 4% of annual global turnover. These fines can be cumulative if there is deemed to be more than one incident of breached data, so the cost of non-compliance can be a hefty one.
Reporting Incidents involving personal data: ICO
Under GDPR compliances, ALL businesses should be registered with the ICO (Information Commissioners Office). The ICO is the UK’s supervisory authority for GDPR, responsible for promoting & enforcing the legislation. As well as providing you with advice & guidance on the process. And, under the new GDPR rules, if you experience a cyber security incident you are required to report this to the ICO.
The NCSC have worked with the ICO to develop a set of GDPR security outcomes. This is for all organisations & acts as guidance to ensure appropriate technical & organisational measures are put in place. This also ensures a level of security that complies with the requirements of GDPR. If you are unsure of how to do this, the ICO website provides you with in–depth guidance of what to do as well as how to prepare & respond to breaches.
An example of a company that has faced serious fines by the ICO due to a cyber attack was Yahoo! UK Services Ltd. It was found that personal data such as names, email addresses & passwords from customers of Yahoo was leaked. This affected over 8 million accounts associated with Yahoo in the UK. The ICO believed that Yahoo failed to take appropriate technical & organisational measures to protect customers data. And due to this, Yahoo ended up facing a fine of £250,000.
How to avoid Cyber breaches & Comply with GDPR
Criminals are always looking for the easiest route to get data. Implementing cyber security software from best of breed vendors like Sophos & Cisco stands a better chance of protecting your data whilst giving you more control. The better control over your IT infrastructure, the less chance criminals have of getting in.
You need to ensure a multi-layered security stack which will help protect your business from the fast evolving internet threat landscape whilst providing evidence of your efforts to adhere to the GDPR. Here’s some technology you could implement to help you with this.
Cisco Umbrella can provide first line of defence against threats on the internet using DNS (Domain Name System) layer security. It helps to improve security visibility, detect compromised systems & protect your users on & off the network by stopping threats over any port or protocol before they ever reach your network or endpoints.
Powered & constantly monitored by Cisco Talos intelligence, their global infrastructure deals with 175 billion internet requests a day, allowing them to recognise patterns in cyber attacks so they can prevent them before they are launched.
Sophos Intercept X
A second form of protection against cyber threats is stopping criminals accessing data on your endpoints. A great way of doing this is by investing in Sophos Intercept X. This software can help detect & block attacks before they become a problem. This advanced software continues to be rated as the industry’s best malware protection.
As the demand for flexible working conditions & securing desktop endpoints increases by the day, SME businesses are finding it even more difficult to comply with GDPR regulations when it comes to cyber security. One way to solve this is to introduce Virtual Desktop Infrastructure (VDI) to your organisational set-up.
VDI is a technology that enables you to cater for multi-device workforces while managing organisational security risks & proving compliance. Plus, in the event an employee’s laptop or tablet is stolen, sensitive data is less likely to be compromised. As long as authentication controls are in place, data stays protected in the cloud. Meanwhile, the employee can get back to work using another machine.
CISCO MERAKI MDM
Cisco Meraki Mobile Device Management is an innovative security solution that allows you to enforce security policies across mobile devices administered by your organisation. Protect devices & their data, control their usage with fine-grained password policies & stay compliant with GDPR regulations. By adding MDM to your network, you get more visibility, security & control over devices
It may seem like common sense, but many still underestimate the power of passwords. Passwords act as a simple & effective way to protect data & IT systems from unauthorised access. By using a strong, non-predictable password you stand a better chance of defending against criminals.
It is recommended that a strong, non–predictable password is used on all sites. This typically includes at least 10 characters & a combination of upper-case & lower-case letters, symbols & numbers. This has increased in recent years because the time it takes professional hackers to crack a 7 character password is less than half a second. Yet, increasing your password by a few characters, you extend that to 4 months. Make it even longer & you increase that to over 2 centuries!
It is also recommended that instead of using a password, you should now use a passphrase to increase the length & complexity. A passphrase is a collection of common words combined together randomly into a phrase. Passphrases make the best passwords because they use real words that you can remember & they are very long, making them much harder to crack.
3. Staff training
It’s vital to ensure your staff are fully equipped to understand & identify what constitutes as a data breach. Employee error is one of the biggest causes of security threats in SMEs & they can be the weakest link in your security. By implementing staff training you educate your staff to recognise cyberattacks & help to protect your business from attacks.
Cybsafe is a staff training platform constantly tests staff in line with the threat landscape to assure staff are up to date with the latest threats & cyber trends. The Cybsafe platform trains staff by giving them the knowledge, ability & confidence to counteract any cyber threats that organisations may come into contact with.
4. Back Up, Disaster Recovery & Business Continuity
A process for regularly testing, accessing & evaluating the effectiveness of security measures for data processing is essential. You need to ensure that data protection safeguards are in place to make sure the data you hold is secured & encrypted wherever you go.
Sophos SafeGuard is one way you can ensure data is protected wherever the location. It automatically & invisibly encrypts data as it’s uploaded to the cloud storage service. And you can manage it through a central dashboard —minimising the administrative overhead. It also ensures that unauthorised access to data is prevented, even in the case of accidental loss or theft.
Datto offers business continuity & disaster recovery to support with network & business management, as well as file backup & sync solutions. With features that enable granular data recovery from multiple points in time with virtualization, Datto protects both physical & virtual infrastructure in a unified console. Plus your systems will be fully monitored 24/7 & your data backed up & recoverable.
5. Partner with IT experts
Building a relationship with an IT partner can also help you in the GDPR process & can take the weight & pressure of IT compliance off your shoulders. Obligations within the GDPR legislation can be outsourced to an IT provider, including data encryption & backup, data processing & breach notification to name just a few.
How we can help
Our Pure Cloud experts can help you to build an IT security policy, develop a data protection plan, put the right technology in place & help you to educate your employees to ensure the security of data. If you need support or advice with GDPR compliance, we’re here to help.