CS1907
GDPR clearly means business." Interestingly, these firms' attacks were by no means the largest, in terms of numbers for 2018. "This could, in fact, be the tip of the iceberg of what is to come," he warns, "but let's hope others are taking copious amounts of notes as to how to handle a breach or, better still, evade the attacks as best they can in the first place."
ENSURING CONSENT
As Rob Allen, director, marketing & technical services at Kingston Technology Europe, rightly points out, the only noticeable effect of the EU's General Data Protection Regulation (GDPR) legislation for most people has been having to click through tedious popups about data sharing and cookies on just about every website. "There's a good reason why they're appearing," he says.
"One aspect of GDPR is that it compels organisations to notify users about how their personal data is handled, which very much includes all the information that modern web browsers hoover up. Consent is required for that data to be shared externally, and all possible technical measures must be otherwise taken to safeguard personal information stored on the organisation's network - or there's the potential for extremely strong financial penalties."
So, the news that British Airways was hit by a potential £183 million fine by the ICO comes as a sharp reminder that GDPR will be enforced and failure to comply does have consequences. "So far, this is the largest GDPR fine that a UK company has faced. But although the fine is bad news for BA, the managers and bosses of other UK organisations that have been scrambling to meet the requirements of the legislation may breathe a little easier, knowing that the time, effort and cost they have invested into data security has been done for a good reason," he states. "And, let's face it, before the changes to GDPR, many of us had acquired some dreadful habits when it came to handling data, and tightening things up wasn't exactly a priority for many firms."
If you're not paying attention, it's all too easy for data to end up in the wrong hands, perhaps because a device is lost or a third party gets unrestricted access to it, Allen adds. "Any improvement requires both organisational and technical changes to keep data secure. Improving company mindset by educating a workforce, better information management and risk management play as much of a part in secure handling of data as technological solutions. Ultimately, though, the use of strong encryption is the foundation that ensures data is always protected, whether it's stored on the firm's own devices or otherwise. That applies to business networks, company servers, removable devices, and all internal storage on company laptops."
For an IT manager to sleep well at night, suggests Allen, they need to be certain that the next time a company laptop is inevitably left in a hotel, or a USB stick is misplaced, it's near impossible that mission-critical information can be prised from it. "They need to know that no passwords are stored anywhere in plain text. They need to know that employees understand not to email company documents back home using personal email accounts, store them on an unencrypted laptop or rely on unsanctioned third-party cloud services.
"These examples of changes to business behaviour aren't necessarily complicated, so complying with GDPR doesn't have to require moving heaven and earth. Arguably, the examples we've suggested are merely good practice anyway and GDPR is rewarding organisations that already had solid data management measures in place, before it became law to do so," he concludes.
BREACHES RACKING UP
"Hefty fines and reputational damage haunted businesses in the build-up to the passing of the General Data Protection Regulation," recalls Martin Warren, cloud solutions manager, EMEA at NetApp. "We all know by now that data security and privacy are, in fact, two different, complementary issues and, with the number of data breaches racking up this year, we are facing the evolving reality of data security in a world where we essentially live digital-first lives.
"In a world in which our data and its privacy are paramount, data security ensures the front door is bolted shut; data privacy, meanwhile, requires data management processes with privacy-by-design at its core." While data security is certainly important for businesses, encryption and data masking will not help a business become GDPR compliant, he adds.
CULTURE CHANGE
"GDPR has succeeded in increasing the profile of data protection within most organisations," says Robert O'Brien, CEO, MetaCompliance. "Changing the culture of privacy by design and privacy by default will take organisations a significant time to deploy. There is still a long way to go for most companies.

"It's still early to comment on the impact of GDPR in delivering enforcement. There has not yet been the flurry of financial sanctions that many people feared. The ability of the regulator to stop an organisation processing data might become a more powerful and effective tool than fines in the future." However, he does see GDPR as the gold standard for privacy worldwide. "This can be seen in the construction of the Brazilian and the Californian privacy directives."
computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk