Conquering The Real Challenges Of GDPR Compliance
The General Data Protection Regulation became enforceable on May 25th, 2018, and since then, the risk of a cyber breach has become considerably more concerning for those hosting and processing the information of EU citizens. From massive fines (think €20 million!) to damaged reputations, the consequences of complacency on the subject of data protection and transparency have gone next level. And as a result, the ability to find and mitigate cyber threat has become more important than ever.
While identifying threats on the horizon is easier said than done, the process known as penetration (pen) testing has become an invaluable tool in this effort. By critically evaluating a system or network through the eyes of a cybercriminal, ethical hackers can more readily locate existing vulnerabilities and nip them in the bud. During this process, the weak points of a system—like unsecured networks, poor configuration, or development errors—can be exploited through a simulated attack, thereby securing important data from outsiders, hardening defensive postures, and finding new methods of protection.
The GDPR recommends pen testing and other types of vulnerability assessment as ways to meet their new guidelines. In fact, the process would be pretty tough (if not impossible) without such tools. Almost half of all cyber breaches or attacks occurring in the past year were the result of an unpatched system or other vulnerability that could easily have been identified by a pen test. This reality has once again emphasized the value of controlled hacking and will likely become increasingly useful as the effects of GDPR begin to set in.
Each month, the UK Information Commissioner’s Office releases the details of all prosecutions resulting from negligence. To get a sense of the magnitude, recent fines include $35,000 for the Bayswater Medical Centre, £80,000 for Gloucestershire Police, and £120,000 for the University of Greenwich. These fines have tightened the regulatory environment and struck fear into the wallets of big business.
The question is, does GDPR affect companies outside the EU? This Analytics Insight article shows a few ways it does.
The Depth of Your Data
From customer information to office addresses to bank details, most companies have way, way more data than people realize. And all of this data is being stored somewhere in the depth of a hard drive, capable of migrating to personal devices such as smartphones, tablets, and laptops. This issue can muddy the waters of who holds what data where, and it can lead to serious problems with compliance. The first step in controlling data is understanding precisely where it lives and how it can be protected. Without that, no real protection can be achieved.
The Legality of Your Data
With the arrival of GDPR, the way data is viewed has changed completely. No longer is data just a byproduct of doing business—it is now a valuable asset protected by legal obligation. Every bit of information on a system now has its own set of rights, and just like all rights, they demand adherence.
Any data being held by a company comes with inherent responsibility. The authorization to have the data in the first place must go hand in hand with informed and consented customer knowledge. Businesses must indicate the length of time they plan to hold the data and how they plan to use it.
Staying in possession of an individual’s personal information indefinitely is now a strict no no and a clear violation of GDPR guidelines. Further, any data stored in an unsecured environment, both real and virtual, is subject to legal scrutiny and possible penalty.
The Vulnerability of Your Data
GDPR also stipulates that businesses must protect their held data using best practices and must notify customers and the Information Commissioner’s Office if they lose control of said data. This requirement seeks to incentivize companies to act respectably in notifying customers of a breach and empowering them to monitor subsequent activity on their end. An individual’s data can be vulnerable in a few different ways:
- Your data storage network has been compromised.
- Devices containing unencrypted data are lost or stolen.
- An employee sells their password or otherwise acts maliciously.
In company settings where BYOD is allowed, the number of people who essentially “own” this data through mere accessibility goes up exponentially and can create all sorts of vulnerabilities. Something as simple as an employee smartphone tapping into an open network at a Starbucks can be enough to compromise company information—or a zip drive accidentally dropped in the street. And most of the time, no one is the wiser until it’s too late.
Aside from just smaller mobile devices, larger items like PCs, laptops, and hard drives can also be stolen from company premises. While this type of breach occurs in a non-virtual environment, it is still incumbent upon the company to take measures against it. Any device, big or small, should be physically secured and offered the same measure of protection as online data and privacy.
Of course, storing customer and organizational data in the cloud provides a new level of protection, but even that platform has its pitfalls. Yes, it removes the need for local storage, but it can become equally as vulnerable if not properly protected by the cloud service.
When security specialists inspect data breaches, they sometimes discover the culprit to be a devious employee with malicious intent. This introduces a whole new set of problems, mostly because it does not fall into the normal parameters of threat. After all, how can you control the criminal inclinations of an individual? The answer is, you can’t But businesses can take measures to deter this kind of behavior and successfully monitor the general activity of those who work on the premises and remotely.
Dynamic security monitoring provides an ideal way to screen strange activity, like unusual access or requests for access. Although it is impossible to thwart all deviant employees, this kind of pre-emptive measure can achieve a greater effect by curbing behavior and cultivating a mood of caution among workers. Some strategies include requiring remote employees to use a VPN while working, especially away from home, and never taking written materials out of the office.
Ensuring GDPR Compliance
True security comes from more than just ticking off boxes on a data security sheet—it comes from consistent, careful attention to the many aspects at hand. It comes down to demanding awareness from everyone involved and testing their knowledge and response time on a regular basis.
There are two clear steps companies can take to ensure GDPR compliance. A remote vulnerability scan can easily ensure computers are safe by filtering for unpatched programming of known vulnerabilities. If the scan finds a problem, there is work to do. And even if the scan comes up clean, it is important to remember vigilance and the need for constant, unrelenting protection. Secondly, an onsite visit by a security professional who can implement cyber solutions is critical. Yes, there is some cost involved with this step, but with a €20million price tag attached to negligence, it’s a small price to pay.
Kevin Jones951 Posts
Kevin Jones, Ph.D., is a research associate and a Cyber Security Author with experience in Penetration Testing, Vulnerability Assessments, Monitoring solutions, Surveillance and Offensive technologies etc. Currently, he is a freelance writer on latest security news and other happenings. He has authored numerous articles and exploits which can be found on popular sites like hackercombat.com and others.