GDPR: 5 things you need to ask your IT Manager about security


26th August 2016

Data protection is about to become a more serious issue for businesses and any individuals working for them. What does the most important change to data privacy laws for twenty years mean for you and where you work?


GDPR: could bad data protection put you out of work?

Whatever your role, from admin support to CEO, it’s time to become very familiar with the kind of security threats the business you work for is facing, how to spot them and what to do if you experience a data breach.

From 2018, new regulations governing data protection will come into force across Europe. Protecting any personally identifiable information (PII) that passes through and is stored on corporate networks is going to become the responsibility of that business.

This means that if any data is lost or stolen that could be used maliciously to identify third parties connected to the business you rely on for income, that business will be fined. The penalties are heavy: up to €20 million or 4% of total worldwide annual turnover.

Additionally, regulators may be able to impose a ban on processing or suspend data transfers. There is also the risk of class actions, criminal sanctions and reputational damage, all of which can impact the entire business, its finances and therefore, your livelihood.

Under these new regulations, a single data breach could lead to redundancies as a result of financial losses due to fines. On the plus side, it means that you, as an employee, must be offered GDPR-compliant levels of data protection for your personal data stored for payroll or other purposes.


GDPR, Brexit and why businesses are being slow to prepare

We will still be a part of the EU when the General Data Protection Regulation (GDPR) kicks off, as the whole Brexit process will take two years to implement and it has not yet begun.

Even once the process is complete, if we are to remain competitive in Europe and continue to deal with the EU states, we will have to comply with EU laws and regulations.

The GDPR aims to offer far greater protection for consumer data, placing the responsibility for that protection onto any business that stores it. It brings the data laws across all EU states into alignment, making compliance easier and more straightforward for all businesses operating in the EU zone.

It’s a good thing, by all accounts. So why are so many businesses failing to prepare?

One of the biggest problems is that many firms still don’t see cyber security breaches as a real threat. A recent survey revealed that only 30% of companies are including cyber in their risk top ten lists. A surprising 25% of firms who responded didn’t have cyber on their agenda at all.

This all-too-relaxed attitude to security seems reckless when reports of serious data breaches are becoming increasingly common, such as the recent one at Sage, where employee data across 280 UK businesses is feared compromised. That came only months after 157,000 TalkTalk customers’ personal details were hacked.

Cyber attacks might now be an inevitability but data loss or catastrophic fines for non-compliance with the new laws are not.


Here are 5 key questions you could ask your IT Manager now, to understand how ready you are for GDPR:


1. What is the company cyber security policy and what do I do if I spot a potential breach?

Not only should all businesses have a security policy in place, many should also have a data protection officer (DPO) whose sole job it is to monitor compliance with that policy.

Public authorities and businesses that handle personal data on a large scale or of certain ‘special categories’ will all be legally required to have a DPO. These individuals are required to have ‘expert knowledge of data protection law and practices.’

For all other businesses, there should be a policy in place that is regularly assessed, updated as necessary at least annually and shared prominently across the entire business.

All breaches will have to be reported within 72 hours under the GDPR, so the protocol for this process must be clear to everyone who might spot one.


2. What password protocols are in place?

It is amazing how many businesses don’t understand the importance of secure password generation and management. Passwords should never be generated by employees themselves based on personal information, and they should expire and have to be reset every few months.

There is also a danger in this, however, if password changes are requested too often. The temptation will always be to create a password that is easy to remember, and when the time comes to change it, only an S is changed to a $, for example.

Password management automation is a good solution for this, so ask your IT manager about the possibility of implementing one, if it’s not in place already.
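As an added illustration of the failure mode just described (this is example code, not part of the original post or any product it mentions), the following Python check could run inside a password-change handler to reject cosmetic rotations such as an S swapped for a $ or a year counter ticked up. The substitution table, similarity threshold and sample passwords are constructed assumptions:

```python
import re
from difflib import SequenceMatcher

# Constructed table of the symbol swaps people commonly use when forced to
# rotate a password ("S" -> "$", "o" -> "0", ...). Not exhaustive; an assumption.
LEET_MAP = str.maketrans({"$": "s", "5": "s", "@": "a", "4": "a", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t"})


def canonical(pw: str) -> str:
    """Reduce a password to its memorable core: lower-case it, drop a trailing
    counter such as '2017' or '!', then undo common symbol substitutions, so
    that 'Summer2016!' and 'Summ3r2017$' collapse to the same string."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # strip trailing digits/symbols first
    return core.translate(LEET_MAP)        # then undo the S -> $ style swaps


def is_trivial_rotation(old: str, new: str, threshold: float = 0.8) -> bool:
    """True when the new password is only a cosmetic mutation of the old one."""
    a, b = canonical(old), canonical(new)
    if not a or not b:                      # nothing left to compare (e.g. all digits)
        return False
    if a == b:
        return True
    # One core contained in the other (e.g. 'winter' -> 'winterfell'); guard
    # against very short cores matching everything.
    if min(len(a), len(b)) >= 4 and (a in b or b in a):
        return True
    # Catch transpositions and single-character edits of the same core.
    return SequenceMatcher(None, a, b).ratio() >= threshold


def check_rotation(old: str, new: str, min_length: int = 12) -> list:
    """Return the list of policy problems with a proposed new password."""
    problems = []
    if len(new) < min_length:
        problems.append("new password shorter than %d characters" % min_length)
    if is_trivial_rotation(old, new):
        problems.append("new password is a trivial variation of the previous one")
    return problems


if __name__ == "__main__":
    # Constructed sample rotations, as a user might submit them.
    for old, new in [("Summer2016!", "Summer2017!"), ("Password1", "Pa$$word2"),
                     ("Summer2016!", "correct horse battery staple")]:
        print(repr(new), "->", check_rotation(old, new) or "ok")
```

Because the user supplies both the current and the proposed password at change time, the comparison needs no stored plaintext; the canonical forms are discarded once the check returns.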

Check, too, how many points of verification are required to access the networks. Even free services, such as Gmail, require two points: an email address and a password.

When JP Morgan Chase was hacked in 2014 it had already spent $250,000 on cyber security but, in what proved to be an incredibly embarrassing oversight, it only had a one-step verification process in place.

This breach publicly revealed contact information of 76 million US households, an event that would trigger massive fines under GDPR.

3. Are mobile devices included in the security policy?

The benefits of the Bring Your Own Device (BYOD) movement are numerous. The workforce has never been more flexible, mobile and responsive, which of course has improved productivity and convenience for us all.

But as the number of devices on a corporate network increases, so does the risk of breach. Under GDPR, data controllers must find out:

  • What type of data is held on all BYODs
  • Whether that data is encrypted
  • Where such data may be stored
  • How such data is transferred
  • What the risk of data leakage is as a result of BYOD
  • How the company plans to ensure that personal and business use of BYOD is maintained separately
  • How the company plans to separate personal and business internet access
  • The security capabilities and vulnerabilities for every BYOD used by employees
  • The policy for when an employee who owns a BYOD leaves the business, having had access to personal and confidential information about the company’s customers/suppliers
  • How to deal with the loss, theft, misuse or failure of an employee’s BYOD
  • What support is offered by the company to help maintain BYOD security compliance


4. What kind of cyber liability insurance is in place?

Many businesses have opted out of cyber liability insurance because it is notoriously expensive. The threats are so broad and varied that insurance companies tend to charge for blanket cyber threat coverage, whether or not every threat applies to the business in question.

This is no longer necessary. New cyber defence tools can now be used to accurately measure risk, ensuring all businesses of every size can get the level of cover they need.

If your IT manager doesn’t know about these tools, they could be missing a really important level of protection unnecessarily.


5. An IT firewall is one thing but how is the business strengthening its human firewall?

Any firewall is only as secure as those people with authority to access the network behind it. IBM has said that 95% of all cyber attacks it experiences are due to human error. So what is your IT manager doing to make sure you and your colleagues are knowledgeable about threats and ready to deal with them?

Ideally, there will be regular security workshops and other briefings, keeping you and your colleagues up to date regarding all security threats and how to act if you spot something suspicious.


Common sense and the golden rules

Ultimately, the golden rule is: If you smell a rat, it’s probably a rat. Always treat unusual emails cautiously, regardless of how entertaining, alarming or urgent they appear.

Hackers gain access to networks every day by appealing to our natural curiosity. Emails that people don’t recognise are clicked purely because we wonder whether something interesting lies behind them. Viruses enter networks on USB sticks or other mobile storage devices because they weren’t checked first.

Knowledge is power in the fight against cyber crime. Report anything you spot. It’s far better to be over-vigilant than to let something slip past that could put your company out of business and you out of a job.
