As we celebrate Data Privacy Day 2020, it is worth thinking about the role businesses play in protecting client data and the consequences of non-compliance. Failing to protect customer data puts businesses at risk of reputational damage, a loss of customers and even hefty fines.
In 2020, hackers are likely to use more sophisticated attacks leveraging AI, however if you get the basics right, you can reduce or mitigate the risks.
Here, we offer our five most important tips and suggest actions that will help improve your Data Privacy practices. However, you may want to consider using the ISO / IEC 27001 Information Security Management standard for a more comprehensive view.
Know your data and its location
It is important to understand the type of data you currently hold, the classification of that data in accordance to GDPR and where it is stored. Without this, you will not be able to provide adequate security.
Knowing where your data is stored will allow you to put in the relevant security needed, instead of assuming a one size fits all strategy that may miss pockets of data. For example, some clients decide to host customer data in their data centre, while others choose a hybrid cloud mix or a completely cloud-first approach. Once you know where all of it is, only then are you able to understand the best practices for your approach.
Suggested action: Download and review the ICO template for Data Protection Impact Assessment. Set up a call with relevant teams to identify current gaps and ask the questions that will allow you to gain visibility on the location of your data.
Secure the human element by training your staff
Your security is only as strong as your weakest link, which in most cases is the human element. According to Kaspersky labs' research, 90% of cloud breaches occur due to human errors. IBM research claims 70% of compromised records are due to cloud misconfiguration, with a 424% increase in records breached through cloud server misconfigurations. According to the ICO, mis-addressed emails were the biggest form of data loss in 2017.
This is an indication that having policies is not enough; you must be proactive with your approach. This could take the form of training, social engineering assessment, or technology that warns and prevents the sending of sensitive data via email (or encrypts it automatically).
Suggested action: Organise a recurring quarterly interactive security session that raises awareness on current cyber threats.
Vulnerability and patch management
The NHS WannaCry Ransomware attack on May 2017 was a result of the use of outdated Windows XP systems, which were no longer supported by Microsoft. It cost the NHS about £92m. On 14th January 2020, Microsoft ended support for Windows 7, which could leave many unpatched systems vulnerable to similar attacks. For end-user devices, it is advisable to block non-compliant devices from accessing your network.
Implement a solution to make sure unsupported devices do not have access to your network. If you still need to run an obsolete software, follow the NCSC guidelines.
Automate patching and force updates where possible, using tools such as Microsoft Intune and Symantec patch management tools. It is important that outdated systems are not connected to the internet where possible and be on an isolated network to reduce impact should they be compromised.
Monitoring and event management
Set up security information and event management (SIEM) to collect detailed logs on all hardware and software within your environment, automating alerts and reports for real-time analysis. This will help you track security events and incidents such as failed or multiple login attempts, potentially helping you identify attacks before they happen. A proactive approach is preferable to a simply a reactive one and it could also help you meet regulatory or compliance obligations. This function can be internal or outsourced to a specialist organisation based on your needs.
Suggested action: Invest in a SIEM or Log Management system if you aren't already. If you are running in the cloud, AWS GuardDuty or Azure Advanced Threat Protection could get you started quickly and easily. More advanced enterprises could invest in tools such as Splunk Enterprise Security (if they have the expertise in house). For end-user management, tools such as Microsoft Advanced Threat Analytics could help identify threats and flag them for the relevant teams to action.
Business Continuity and Disaster Recovery Management
Natural disasters often have an unforeseen effect on business if there is no recovery plan in place. Plus, hardware failures, human error and ransomware attacks all have a serious impact on your business (as recently experienced by Travelex). Therefore, you need to have a data redundancy strategy to protect critical data in addition to making sure your providers have the right protection in place to avoid data leakage.
Suggested action: Clearly define a recovery point objective and recovery time objective for your organisation and set up a strategy based on those needs. If you already have these, it is worth testing your recovery to make sure they meet your defined objectives (as this is usually missed). Aim to test your disaster recovery at least once a year and make notes on what could be improved as part of your BAU.
Interested in data? Read our recent case study on data enablement: