With the clock rapidly ticking down towards GDPR go-live, this week I was reading the newly published government survey, “Cyber Security Breaches Survey 2018: Preparations for the new Data Protection Act”, and I have to say I was amazed by some of the findings. The survey looked at how aware businesses and charities are of the incoming GDPR legislation and how they are actively preparing for the change. Having been immersed in GDPR, both for my own organisation and for our clients, for well over a year now, I was particularly surprised to learn that overall only 38% of businesses had even heard of GDPR! And among those aware of GDPR, only just over a quarter of businesses had made changes to their operations in response to GDPR’s introduction.
However, of those who had made changes to how they operate, 49% said that some of the changes related to cyber security practices. This doesn’t come as a surprise to me, as we are currently in the throes of conducting an independent cyber security vulnerability scan, or a more in-depth cyber security check-up, for many organisations as part of their GDPR preparations, and we are finding, almost invariably, that cyber security is an area where there are deficiencies that need to be corrected.
The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organisational measures are used.
Article 32 of the GDPR states that “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”.
It goes on to list some more specific measures which you may wish to consider, amongst others:
(a) the pseudonymisation and encryption of personal data;
(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
(c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.
By the nature of data security, it is impossible for the legislation to be prescriptive, because the security threat landscape is constantly evolving, and as such, what constitutes a secure network today almost certainly will not constitute a secure network tomorrow.
Whilst the ICO (the data protection regulatory body in the UK) has produced guidance documents on many sections of the GDPR, there is not yet updated guidance around IT security for small and medium-sized businesses, so I thought it would be useful today to try to explain some practical steps for securing your data, in line with IT industry best practice.
1. Cyber Security Defences
It is important to realise that there is no single product that will provide a complete guarantee of security for your firm. The recommended approach is to use a set of security controls that complement each other; these will require ongoing support in order to maintain an appropriate level of security. The types of products you should be considering are likely to include:
- Virus protection
- Malware protection
- Ransomware protection
- Email filtering
- Web filtering
- Constantly updated firewall protection
- Encryption of data in transit
- Encryption of data at rest
- Mobile working policies
- Data loss/leakage prevention technology
- Strong passwords
- Two factor authentication
- The ability to remotely wipe data from any user device that is lost or stolen
- A system for securely wiping old servers and PCs prior to disposal
- Regular or continuous vulnerability scanning
- 24/7 monitoring against threats
I recently wrote a detailed article on this subject, so won’t repeat myself here, but the full article can be found at -> http://legalsectorit.blogspot.co.uk/2018/02/preparing-for-gdpr-key-considerations.html
3. Protect Data from Insider Threats
- Access control procedures (staff and third parties)
- Starters and leavers procedures
- Mobile working policies
- Data leakage prevention
- Ongoing staff education on cyber threats
- More on protecting data from insider threats can be found here -> http://legalsectorit.blogspot.co.uk/2018/01/gdpr-for-law-firms-how-to-protect-your.html
4. Data Backup
- A multi-layered approach to data backup to protect against different types of threats
- Actively monitored backups
- Backups tested regularly to ensure they are recoverable
- More on effective data backup can be found here -> http://legalsectorit.blogspot.co.uk/2017/12/gdpr-compliance-for-law-firms-data.html
5. Disaster Recovery Planning
- Up-to-date plans
- Regularly tested
- Deliver proven recovery times
- More on disaster recovery planning can be found here -> http://legalsectorit.blogspot.co.uk/2018/01/gdpr-compliance-for-law-firms-disaster.html
_________________________________________________________________________________
Established in 1994, Connexion Ltd provides IT consultancy, IT services and IT support to mid-size law firms, solicitors and legal services companies throughout the UK. Our focus is on delivering IT solutions that create real value to our clients' firms. Working closely with our customers’ in-house IT Managers, our structured and managed approach to delivering IT is paramount in ensuring our clients can maximise the business advantages technology can offer them, whilst minimising their risks. For more information about our services for law firms please visit our website http://www.connexion.co.uk/law/