The introduction of GDPR in May last year caused many headaches in the run-up to the deadline, and as it came and went, businesses struggled to ensure they were compliant with the new laws. The threat of penalties has prompted organisations to invest significant resources in strengthening encryption practices, the adaptation and anonymisation of customer data, and other strategies that reduce the risk of a serious breach.
SMEs and sole traders, especially those without the technical expertise to design their own solutions, have been affected most. Even though the telecoms industry is full of IT wizards, being a player in the market does not guarantee that a company has the expertise to understand the requirements and put in place the solutions needed for GDPR compliance.
GDPR for SaaS providers
The popularity of Software as a Service (SaaS) products, like Office 365 or Salesforce, has prompted the providers of these services to ensure their products are GDPR compliant, not only for their own protection but as a selling point to businesses that now require compliance. Tekton’s ZOEY platform is no different: our infrastructure supplier is IASME GDPR certified, and the data centres in which they host the infrastructure are ISO 27001 and IL2 certified too. This has allowed smaller businesses to use these services with a certain peace of mind, though just because you use specific programs or services that are GDPR compliant does not necessarily mean that the entire business is within the law.
The five P’s of GDPR compliance
Thankfully, in September 2018, the National Cyber Security Centre released a guide designed to prompt board members to discuss the challenges of cyber security in the post-GDPR world, with five questions that can be easily remembered as “The 5 P’s”. Answering these questions in full for you would be cheating your board out of what is an important conversation, so we’ll only lightly touch on possible solutions:
1. Phishing – How do we defend our organisation against phishing attacks?
Training staff is a popular way to reduce the risk. Educate them with examples and teach best practices, but bear in mind that humans are fallible, and stressing out your staff too much could become counterproductive. AI and machine learning may well develop an infallible solution one day, though the future is yet to be written.
2. Privileged users – How does our organisation control the use of privileged IT accounts?
As the old Russian proverb goes, ‘Trust but verify’. Obviously, those with privileged access are trusted employees, but ensuring there is a verification process behind those logins is vital. If you want to explore a worst-case scenario, watch Tom Scott’s hypothetical illustration, using Google as the example, here.
3. Patching – How do we ensure that our software and devices are up to date?
Again, training staff to perform updates when prompted would be beneficial. We all know a colleague who refuses to update their devices, but the updates usually include security fixes worth the effort. Central device management tools could also be used to take the responsibility out of individuals’ hands by pushing updates out to all devices at once.
4. Providers / processors / partners – How do we make sure our partners and suppliers protect the information we share with them?
Do they have any certification to prove their safeguarding of data? Is the partnership of high enough value/importance to perform an audit before finalising the collaboration? Do you include penalty clauses in contracts to prompt partners to up their game?
5. Passwords – What authentication methods are used to control access to systems and data?
Two-factor authentication could certainly help, although the move away from password-only authentication has already started. Remembering all those passwords can be an uphill struggle, so authentication methods that require no thought are preferable. Thumbprint scanners, Windows Hello and Apple’s Face ID are great examples of biometric authentication that is becoming increasingly hard to spoof.
Encryption continues to be the go-to convention to protect businesses from data breaches. Whilst not mandatory, it would be unwise to leave any data (personal information protected under GDPR or even business-focused confidential documents) unencrypted.
If a hacker does manage to gain access to your data, then ensuring the information is unusable through encryption is the next best strategy after preventing the breach in the first place. Without the decryption key, even the most advanced computers could take centuries to break it, depending on the type of encryption used.
End-users now have their ‘right to be forgotten’ set in stone, and businesses are required to anonymise personal information. Therefore, many businesses have been forced to adapt their CRM systems to include the ability to delete or export a specific customer’s information, if requested. This entails more training for staff around how to deal with the requests and may require extra resource allocation to re-develop the CRM system used.
With so many hoops to jump through and angles to consider, it’s no wonder that businesses have struggled to become compliant, and some still may not be. The employment of managed security services, to outsource this responsibility, and the inclusion of GDPR compliance within SaaS applications have seen a sharp rise in promotion since last May. As the techniques used to gain access to systems continue to advance, the need for these cyber-security experts to stay ahead of technological developments to secure their clients’ data shows no signs of waning.