The GDPR countdown clock is well and truly ticking. In less than one year, GDPR will come into force and it will have its eyes set on any company that has failed to prepare.
The security world will be on high alert for the first major company that is sanctioned for failing to adhere to the regulation. And there is no doubt about it; the first company will be made an example of. While the exact sanctions are yet to be witnessed in action, any company that falls foul of the rules can expect fines of up to 4% of total global annual turnover or €20m, reputational damage and significant media coverage. No organisation wants to fall first. And once the first firm does, it will be panic stations for every other company that hasn’t fully comprehended the significance of GDPR compliance.
Fortunately, while the sands of time have started to count down – it’ll be nearly one year until they stop. The process of starting your compliance work from scratch is a long one, but with a year to go, a lot can be accomplished.
So where do you start and what should you do to achieve compliance in such a small time frame? The following outlines how to secure your technology and your workers to help you reach compliance by 2018. Because, whilst it’s a tough ask, companies that act now will be thankful when their competitors are scrambling in the wake of GDPR.
Educate your workforce
GDPR regulators will not take kindly to data breaches, regardless of their source. And, when it comes to protecting your data, your greatest security risk is your workers. Of course, some elements of human error are hard to avoid, for example a laptop left on a train – but you should educate your workforce ahead of GDPR to close every single security hole you can.
The most prevalent data risk for your workers comes in the form of ransomware. If an employee sees an email supposedly from their CEO marked urgent, they will more often than not open it and download any attachments. It’s an age-old weakness that has worked for hackers time and time again.
In order to minimise this risk, organisations should provide informative materials and awareness courses on how to spot various threats and social engineering, who to contact when something suspicious is received and ultimately how to avoid playing into the hands of a criminal. This way, if an employee does find a suspect email or any other threat, they are equipped to recognise and deal with the situation – and a company’s data stays firmly within the walls of the organisation.
Be strict with what can and can’t be accessed
In many organisations, access is granted across the board and even the most confidential information is available to everyone, from CEO to intern. This is another serious security black hole, one that could come back to bite you in the shape of GDPR.
In order to plug this, companies should look to implement a technology system that is both automated and context aware. This means a system that is aware of employees using different devices, working from home or various locations, and their roles within the company. And not just knowing, but governing what resources can be accessed by each person based on their immediate working context, raising or diminishing access levels according to these factors. The last thing a company needs is a malicious insider stealing masses of data from your e-mail marketing lists or an employee downloading client details over an insecure Wi-Fi connection – but if they have access they shouldn’t, then it’s a real possibility.
The same rules should also apply to a company’s onboarding and offboarding process. When GDPR comes into force, it’ll be your responsibility to ensure that all data is protected. It’s worrying to think that more than 13 per cent of workers can still access a previous employer’s systems using their old credentials. This means ex-employees can view, and steal, data whenever they decide to or their credentials could be stolen and used by a hacker. And a company will probably be none the wiser.
Therefore, you should automate the onboarding and offboarding process so that workers that join and leave can have their access granted and revoked automatically, preventing former employees from exposing the organisation’s data and systems to extremely high risk.
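To make the two ideas above concrete (context-aware access levels and automatic revocation on offboarding), here is an added illustration in Python; it is not RES product code or anything from the original article, and the attribute names, roles, resources and the rule thresholds are assumptions chosen for the example.

```python
"""Context-aware access decision, in the spirit of the article's advice.

Added example, not code from the article or from RES. The roles, resources,
context attributes and thresholds below are assumptions for illustration.
"""
from dataclasses import dataclass

# Access levels ordered from least to most permissive.
LEVELS = ["none", "read", "read_write", "export"]


@dataclass
class Employee:
    name: str
    role: str
    active: bool  # offboarding sets this False, which revokes all access


@dataclass
class Context:
    device_managed: bool  # company-managed laptop vs. personal device
    network: str          # "office", "vpn" or "public" (e.g. café Wi-Fi)


# Baseline level each role holds on each resource (the role-based part).
ROLE_BASELINE = {
    "marketing": {"email_marketing_list": "export", "client_details": "read"},
    "sales":     {"email_marketing_list": "read", "client_details": "read_write"},
    "intern":    {"email_marketing_list": "none", "client_details": "none"},
}


def decide(emp: Employee, resource: str, ctx: Context) -> str:
    """Return the effective access level after applying the context rules.

    The role baseline is the ceiling (office, managed device). Context only
    lowers it; moving back to a trusted context raises it again automatically.
    """
    if not emp.active:
        return "none"  # ex-employee: revoked automatically, whatever the role
    level = ROLE_BASELINE.get(emp.role, {}).get(resource, "none")
    idx = LEVELS.index(level)
    if ctx.network == "public":
        idx = min(idx, LEVELS.index("read"))  # no edits or bulk export over untrusted Wi-Fi
    if not ctx.device_managed:
        idx = min(idx, LEVELS.index("read"))  # personal device cannot export client data
    if ctx.network == "public" and not ctx.device_managed:
        idx = LEVELS.index("none")  # both risk factors together: block outright
    return LEVELS[idx]
```

Calling `decide()` at every request (not once at login) is what makes the "raising or diminishing" behaviour automatic as an employee moves between office, home and public networks.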
Ring fence your network
Being the victim of a cyber-attack will not get you out of GDPR punishment. The regulators consider cyber security as your concern – and will punish victims of major attacks accordingly.
Of course, firms should look at investing in comprehensive cyber-security solutions. But, as a starting point, companies should be employing automated whitelisting and blacklisting, so that files are unable to execute or download if unknown, and threats are blocked immediately. Large-scale cyber-attacks are often launched from rogue emails or documents and this provides a good initial technological barrier, meaning that the majority of threats that arrive in your network are defused immediately.
The GDPR rat race
Ultimately, there isn’t a magical solution to GDPR compliance. It’s a combination of technology and culture – and making sure you can at the very minimum show that you have the processes in place to prevent a breach. A huge one in four companies in the UK have mistakenly cancelled their GDPR preparations in the face of Brexit – so companies that act now have a year head start in the race to GDPR compliance.
Jason Allaway, VP UK and Ireland, RES
Originally published on GDPR.Report