On May 25, 2018, compliance enforcement is set to begin for the General Data Protection Regulation (GDPR). The GDPR is a set of rules that mandate tougher data protection for European Union (EU) citizens and companies. But compliance doesn’t stop with EU-based companies; any company doing business there could face heavy fines if it violates the legislation.
The GDPR represents a true shift in security. The good news is that complying with the GDPR will make your business more secure. At its core, the GDPR protects personal data. So what exactly is that? “Personal data is any information that relates to an identified or identifiable living individual. Different pieces of information, which collected together can lead to the identification of a particular person, also constitute personal data,” said Jim Sneddon, a GDPR specialist and founder of Assuredata.
The security breaches the GDPR aims to block, Sneddon says, can lead to four data problems: destruction, loss, alteration and unauthorized disclosure of, or access to, personal data. All point to the fact that a breach is far more than just losing personal data.
The GDPR also demands that companies notify customers of data breaches quickly and in detail. Doing so requires deep visibility into systems, end points and the network, creating a need for certain technology solutions.
According to the Top Corporate Data Protection Challenges survey, only 6 percent of 132 compliance officers said their business is compliant with the upcoming regulation. Fortunately, the right technology choices can streamline this journey to compliance. Here are the top actions companies can take to minimize risk, and in some cases introduce opportunities.
1. Start With a Gap Analysis and Compliance Assessment
A gap analysis will show where the business is already compliant and what steps are necessary to ensure complete adherence. According to financial-services firm Deloitte, the analysis “should reveal existing compliance program trends within the business, including program strengths and opportunities for improvement. In addition, the assessor should make recommendations to the business based on best practices observed in leading organizations that are of a similar size and structure to the one being assessed.”
Gap analysis can help drive a compliance assessment and, ultimately, a compliance plan. This plan should be codified in a final report that defines what’s acceptable and that recommends specific improvements.
Many businesses think they are set with compliance after they’ve completed a general security risk assessment. But compliance and risk, although related, require different processes. “Businesses conduct assessments to identify different types of organizational risk. For example, they may conduct enterprise risk assessments to identify the strategic, operational, financial and compliance risks to which the business is exposed. In most cases, the enterprise risk assessment process is focused on the identification of ‘bet the company’ risks—those that could impact the business’ ability to achieve its strategic objectives,” Deloitte notes.
The compliance risk assessment will help the business understand the full range of its risk exposure, including the likelihood that a risk event may occur, the reasons why it may occur and the potential severity of its impact. An effectively designed compliance risk assessment also helps businesses prioritize risks, map them to the applicable parties and effectively allocate risk-mitigation resources.
2. The Ramifications of Shadow IT
Shadow IT is defined as hardware and software that is unsupported or unsanctioned by IT and that poses a compliance risk to the business. Common shadow-IT applications include Skype, Evernote and Dropbox.
If someone is using a system to store important data, it falls under the GDPR. Not knowing that it’s in use and what’s in it could put the business at risk of noncompliance. If data leaks from that system, how will you know so you can comply by reporting it?
The company should clearly communicate an internal policy to staff. Equally important is keeping a record that the policy was communicated and that all staff understand they must not use systems that lack IT or business approval.
3. The Role of Automation
Manually performing all the IT tasks necessary for full compliance can be difficult—and in some cases impossible. IT automation is critical to making sure these tasks are complete, applied to all devices, tracked and reported. It’s the only efficient way to perform crucial, repeatable processes.
The best protection often comes in the form of automating mundane tasks that busy technical professionals easily overlook. Many of the technical actions necessary to secure data are basic best practices, but they’re often neglected; hence, most breaches exploit common vulnerabilities.
4. Use an RMM Solution
A critical compliance tool is remote monitoring and management (RMM). This software enables admins to monitor and remediate applications, servers, workstations and remote computers. Given the right RMM solution, IT professionals receive notification when problems arise or when a change in system status indicates a potential breach. A good RMM solution not only monitors your end points, but also automatically performs common IT tasks vital to security and compliance—such as OS and software patching. It can additionally report that tasks are complete.
5. Employ Patch Management
Preventing data breaches and cyberattacks, as well as proving compliance, requires patch management. The ideal solution should automatically update servers, workstations and remote computers with patches (including OS fixes) and software updates. Patching is essential yet extremely challenging for a business that relies on end-user vigilance or manual IT. The answer is an automated patching solution so patches are installed when they become available—on all end points and servers.
The simpler, more complete route is to automate all steps in the patch process. The first step in patch management is to inventory all of your machines, including mobile devices. This asset-management audit should include information on operating system and status, as well as all applications—with their patch and update status.
Next, the tool should gather all necessary patches and automatically install them on the basis of defined policies and priorities. These policies should automate software maintenance across platforms and easily address the complexities of patch deployment to ensure all systems are appropriately patched.
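The inventory, policy and priority steps above can be made concrete. The following is an added example written for this article, not code from the original text or from any RMM or patch-management product: an asset inventory and a patch catalog (both constructed here, with invented hostnames, patch IDs and dates) are evaluated against a deadline policy, producing a per-machine compliance report, an ordered deployment queue, and the list of devices whose platform the catalog does not cover at all, which is the gap an inventory that forgets mobile devices would hide.

```python
"""Policy-driven patch compliance check over an asset inventory (added example).

Inventory, catalog, policy and dates are constructed placeholders; real data
would come from the RMM agent's audit and the vendor's patch feed.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta

# Policy: days after release by which a patch of a given severity must be installed.
PATCH_DEADLINE_DAYS = {"critical": 7, "important": 30, "moderate": 90}
SEVERITY_RANK = {"critical": 0, "important": 1, "moderate": 2}


@dataclass(frozen=True)
class Patch:
    patch_id: str      # placeholder identifier, not a real advisory number
    platform: str
    severity: str
    released: date


@dataclass
class Endpoint:
    hostname: str
    platform: str
    installed: set = field(default_factory=set)   # patch IDs already applied


# Constructed patch catalog.
CATALOG = [
    Patch("P-1001", "windows", "critical", date(2018, 3, 1)),
    Patch("P-1002", "windows", "important", date(2018, 3, 20)),
    Patch("P-1003", "windows", "moderate", date(2018, 1, 15)),
    Patch("P-2001", "linux", "critical", date(2018, 4, 10)),
    Patch("P-2002", "linux", "moderate", date(2018, 4, 12)),
]

# Constructed inventory, as an asset audit would report it (including a mobile device).
INVENTORY = [
    Endpoint("ws-01", "windows", {"P-1001", "P-1002", "P-1003"}),
    Endpoint("ws-02", "windows", {"P-1003"}),
    Endpoint("srv-01", "linux", {"P-2001"}),
    Endpoint("mobile-01", "android", set()),
]


def deadline(patch: Patch) -> date:
    """Date by which the policy requires this patch to be installed."""
    return patch.released + timedelta(days=PATCH_DEADLINE_DAYS[patch.severity])


def missing_patches(endpoint: Endpoint, catalog=CATALOG):
    """Catalog patches for the endpoint's platform that are not yet installed."""
    return [p for p in catalog
            if p.platform == endpoint.platform and p.patch_id not in endpoint.installed]


def compliance_report(inventory=INVENTORY, catalog=CATALOG, today=date(2018, 4, 20)):
    """Per host: missing patch IDs, those past their policy deadline, and a verdict."""
    report = {}
    for ep in inventory:
        missing = missing_patches(ep, catalog)
        overdue = [p.patch_id for p in missing if deadline(p) < today]
        report[ep.hostname] = {
            "missing": [p.patch_id for p in missing],
            "overdue": overdue,
            "compliant": not overdue,
        }
    return report


def deployment_queue(inventory=INVENTORY, catalog=CATALOG):
    """(hostname, patch_id) pairs ordered by severity, then earliest deadline."""
    queue = []
    for ep in inventory:
        for p in missing_patches(ep, catalog):
            queue.append((SEVERITY_RANK[p.severity], deadline(p), ep.hostname, p.patch_id))
    queue.sort()
    return [(host, pid) for _, _, host, pid in queue]


def uncovered_platforms(inventory=INVENTORY, catalog=CATALOG):
    """Hosts whose platform has no catalog entries: their compliance is unknown, not proven."""
    covered = {p.platform for p in catalog}
    return [ep.hostname for ep in inventory if ep.platform not in covered]


if __name__ == "__main__":
    for host, row in compliance_report().items():
        print(host, row)
    print("queue:", deployment_queue())
    print("no coverage:", uncovered_platforms())
```

The report separates "missing" from "overdue" because a patch released yesterday is not yet a policy violation, and the uncovered-platform list is the honest answer for devices the tool cannot assess: an inventory that omits mobile devices would silently drop them from the audit rather than flag them.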
6. Deploy an Antivirus/Antimalware Solution
To comply with the GDPR, you need to protect all of your end points and make sure that protection against malicious software is always up to date. With proper security protection against malicious software across all your systems, you’ll be able to spot, block and purge incursions that lead to data breaches and compliance infractions. Like patching, an automated solution that installs and updates security across all of your systems is essential.
7. Increase Protection Through 2FA/MFA
Controlling who has access to data can go a long way toward compliance. Single sign-on (SSO) and two-factor/multifactor (2FA/MFA) authentication are crucial tools in keeping a lid on access to confidential information. With MFA, end users validate their identity in multiple ways, often through a piece of information only they know. This type of access management and control is essential to keep IT systems compliant.
Identity and access management (IAM) goes beyond 2FA/MFA and includes central credential management, policy-based rules and SSO for end users, including partners, to keep internal systems and customer systems protected and compliant.
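To show what the second factor actually checks, here is an added example, not code from the article or from any IAM product: a server-side verifier for the time-based one-time passwords (TOTP, RFC 6238) that authenticator apps generate. The shared secret is the RFC's published test secret, and the timestamps are constructed; the skew window and the replay check (a code that already authenticated a login is refused a second time) are the two details a practitioner most often gets wrong.

```python
"""Server-side TOTP verification with clock-skew window and replay rejection (added example).

The secret is the RFC 6238 test secret; timestamps are constructed values.
"""
import base64
import hashlib
import hmac
import struct

TIME_STEP = 30   # seconds per TOTP step
DIGITS = 6


def secret_from_base32(encoded: str) -> bytes:
    """Decode the base32 secret as shown in a provisioning QR code."""
    return base64.b32decode(encoded, casefold=True)


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int) -> str:
    """The code an authenticator app displays at the given Unix time."""
    return hotp(secret, unix_time // TIME_STEP)


class TotpVerifier:
    """Accepts codes within +/- skew_steps of the current step, each step at most once."""

    def __init__(self, secret: bytes, skew_steps: int = 1):
        self.secret = secret
        self.skew = skew_steps
        self.last_used_step = -1   # highest step that already authenticated a login

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // TIME_STEP
        for step in range(current - self.skew, current + self.skew + 1):
            if step <= self.last_used_step:
                continue   # already consumed (or negative): treat as replay
            # Constant-time comparison so timing does not leak digit matches.
            if hmac.compare_digest(hotp(self.secret, step), code):
                self.last_used_step = step
                return True
        return False


if __name__ == "__main__":
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    v = TotpVerifier(secret)
    code = totp(secret, 59)
    print(code, v.verify(code, 59), v.verify(code, 59))   # second attempt is a replay
```

Recording the highest consumed step rather than a set of used codes keeps the server state to one integer per user and still blocks reuse within the skew window; the secret itself must be stored with the same care as a password database, since anyone holding it can generate valid codes.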
8. Lock Down Security on Mobile Devices
Mobile devices need to be as compliant as their desktop and laptop counterparts. That means reviewing apps, both shadow and sanctioned. “It is easy to store data through cloud shares or through apps that extend the use of cloud services such as Salesforce.com. If the app has an offline use function, it has to store the data on the device,” Sneddon explains. “Businesses should have a communicated policy regarding this and consider looking at the apps they want to use and asking the provider: Does it store data locally on the device? If so, is it encrypted inside the app? And if so, does the app ask for a login by the user each time?”
9. Be Vigilant About Decommissioning Devices
Lost or stolen mobile devices require decommissioning, and the same goes for PCs when an employee leaves the company—particularly if terminated. Statistically, admins enable more users than they disable. Although outside attacks lead the list of breaches, ensuring you have a way to quickly and completely deprovision a user from all your systems is prudent, regardless of whether that user is an employee, sys admin, customer or partner.
Besides removing end-user privileges, a large part of decommissioning is data destruction. When you decommission a device, how do you do it? How do you ensure the data is unrecoverable? For example, just wiping a PC disk using normal methods is insufficient to make the data unrecoverable; therefore, passing that machine to a staff member, selling it, donating it to a charity or local school, or just dumping it is then a breach of the GDPR. You must either employ software that destroys the data or hire a data-destruction company.
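The point that a normal wipe leaves data recoverable can be demonstrated without touching real hardware. The following is an added example, not from the article: a toy disk image is built in memory with a file table and data blocks; a "normal" delete only drops the table entry, so a carver scanning the raw blocks for a constructed personal-data record still finds it, and only an overwrite pass followed by a verification read leaves nothing behind. The disk layout, file names and record contents are all invented.

```python
"""Deleting is not destroying: a toy disk that shows data surviving a normal delete (added example).

Layout, file names and the record are constructed; block 0 stands in for the file table.
"""
import os

BLOCK = 64
N_BLOCKS = 16

# Constructed personal-data record (fictional person) used as the carving target.
RECORD = b"id,name,dob\n1001,Jane Example,1980-01-01\n"


class ToyDisk:
    def __init__(self):
        self.raw = bytearray(BLOCK * N_BLOCKS)
        self.table = {}      # file name -> (first block, length); the "directory"
        self.next_free = 1   # block 0 is reserved for the table

    def write_file(self, name: str, data: bytes) -> None:
        n_blocks = -(-len(data) // BLOCK)   # ceiling division
        if self.next_free + n_blocks > N_BLOCKS:
            raise ValueError("disk full")
        start = self.next_free * BLOCK
        self.raw[start:start + len(data)] = data
        self.table[name] = (self.next_free, len(data))
        self.next_free += n_blocks

    def read_file(self, name: str) -> bytes:
        first, length = self.table[name]
        start = first * BLOCK
        return bytes(self.raw[start:start + length])

    def delete(self, name: str) -> None:
        """A normal delete (or quick format) only forgets where the data lives."""
        del self.table[name]


def carve(disk: ToyDisk, marker: bytes):
    """Offsets where the marker occurs in the raw blocks, ignoring the file table."""
    hits, pos = [], disk.raw.find(marker)
    while pos != -1:
        hits.append(pos)
        pos = disk.raw.find(marker, pos + 1)
    return hits


def secure_wipe(disk: ToyDisk, passes: int = 1) -> None:
    """Overwrite every block with random data, then zeros, and reset the table."""
    for _ in range(passes):
        disk.raw[:] = os.urandom(len(disk.raw))
    disk.raw[:] = bytes(len(disk.raw))
    disk.table.clear()
    disk.next_free = 1


def verify_wiped(disk: ToyDisk) -> bool:
    """Read the whole image back and confirm no non-zero byte remains."""
    return not any(disk.raw)


def demo():
    """Returns (hits after delete, hits after wipe, verification result)."""
    disk = ToyDisk()
    disk.write_file("customers.csv", RECORD)
    assert disk.read_file("customers.csv") == RECORD
    disk.delete("customers.csv")
    after_delete = carve(disk, b"Jane Example")   # still there: table entry gone, blocks intact
    secure_wipe(disk)
    after_wipe = carve(disk, b"Jane Example")
    return len(after_delete), len(after_wipe), verify_wiped(disk)


if __name__ == "__main__":
    print(demo())
```

The verification read is the part worth keeping in a real procedure: a wipe that is not read back is a claim, not evidence, and the decommissioning record should hold the result. On flash-based drives an overwrite issued from the host does not reliably reach every cell because of wear levelling, so the drive's own sanitize or cryptographic-erase command, or physical destruction, is the appropriate equivalent.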
About the Author
Mike Puglia brings over 20 years of technology, strategy, sales and marketing experience to his role as chief strategy officer at Kaseya. He’s responsible for overall product strategy, management and development across Kaseya’s solutions. Before his current position, Mike served as Kaseya’s chief product officer and before that, CIO.