EU General Data Protection Regulation – How Sophos Can Help

It’s been quite a while since the EU Parliament adopted the new General Data Protection Regulation – the GDPR – on 14 April 2016. It comes into force on 25 May 2018, which means companies have had almost two years to prepare for the new rules. In the meantime, a lot has been written about it, not least because US companies are also obliged to comply with the General Data Protection Regulation.

In this article, we want to show how Sophos can help you meet the requirements of the new regulation. We won’t go into detail about everything that is written in the 11 chapters and 99 articles. Much of the wording is still rather vague and open to interpretation. Lobbyists have clearly done a good job here, because large enterprises can afford to fight for years in court over details in the wording. For SMEs this is less than ideal – clear and simple rules would have been preferable. The first cases will show how certain articles are to be interpreted.

To get one thing out of the way right at the start: we’re based in Switzerland – and yes, Swiss companies with EU customers are also affected by the GDPR.

Many companies are therefore currently doing nothing and are simply accepting the risk of being sued. Some EU member states have already indicated that they don’t even have the resources to investigate every complaint.

So what is this new regulation really about?

Here are a few examples to give you a feel for what is at stake – and where IT security can help:

  • EU citizens have the right to request a copy of their personal data from companies. For some companies this is already a problem. In the worst case, an employee has to spend hours collecting all the relevant information.
  • EU citizens can request that their data be deleted. Again, this is a challenge for IT – backups are included here as well. Not every backup solution is able to remove individual records, and this requirement can also clash with legal retention obligations.
  • If a company suffers a data breach, it must notify the authorities – unless the data was encrypted. This example takes us straight to our main topic, because this is where IT security becomes very important very quickly.

IT security needs to be taken seriously

From our point of view, it’s actually a good thing that the GDPR provides additional arguments for taking IT security seriously. Anyone who ignores it and still believes they don’t need a robust solution for their business will, sooner or later, be punished for gross negligence. We still see far too many PCs, servers and other systems connected directly to the internet without any protection at all – often with critical updates and patches simply ignored.

Even though Windows XP no longer receives patches, that doesn’t mean the system is suddenly secure. Some people might laugh, but there really are users who believe this.

We also often see people surfing the web with browsers that haven’t received updates for a very long time. Always use a modern browser that is up to date from a security perspective.

The ransomware industry is adapting

We live in a time when ransomware and exploits are among the most successful attack methods. This “industry” is of course also preparing for 25 May. New ransomware variants have already been seen that no longer encrypt data and demand Bitcoins for the decryption key, but instead quietly exfiltrate company data over a period of weeks and then show a message like this:

We have your data! Transfer XXX Bitcoins or we will publish it.

In this case, backups – which many saw as the perfect solution to classic encryption ransomware – are no longer enough. If the stolen data is published, there are two consequences: reputational damage and a fine from the EU, which can be up to €20 million or 4% of annual turnover.

Protection: simple and relatively inexpensive

There are a few basic rules you should always follow:

  • Use a current operating system (PC, server, smartphone, IoT devices).
  • Apply software updates regularly.
  • Install a professional antivirus solution. → In our opinion, solutions such as Avira, Avast, Windows Defender & co. are not sufficient if you look at the underlying technology. I’m deliberately saying technology here, because the marketing and website copy for these products is often excellent. If you believe the descriptions, these free products also protect you against everything. In addition, we would always recommend Sophos Intercept X. For servers there is Sophos Server Protection.
  • Encrypt your storage media (hard drives, USB sticks, etc.). → This helps in case a device is lost. BitLocker for Windows and FileVault for macOS are good options here. You can enable them manually on a few devices or manage large numbers of endpoints centrally using Sophos Device Encryption.
  • Encrypt your files. → There are software tools such as VeraCrypt (the free successor to TrueCrypt) or Cryptomator. With VeraCrypt all data is placed in a single container, which is awkward and not ideal from a security perspective (for example, a single password for all data). Cryptomator (also free) does this better: each file is encrypted with its own key (including the file name), and the files remain separate, which is also better for backups than a single container. What does Sophos offer here? For smaller companies, in our view, there is currently no really suitable solution – unless you’re prepared to run a Windows server with a database and AD integration, in which case Sophos SafeGuard is a good fit. Whatever product you choose: strong encryption stands and falls with a strong password – and you shouldn’t use the same “strong” password everywhere.

The GDPR explicitly names encryption as an appropriate method for protecting data in the event of a breach (Article 34).

  • Train your users. → Ideally, protection mechanisms are in place but never needed – the same is true for backups. Unfortunately, some users don’t know any better and click on every link, or react to phishing emails in ways that have a very negative impact on IT security. That’s where tools like Sophos Phish Threat come in: you can build phishing campaigns and test your users, then train them afterwards. The goal is to raise awareness that an email isn’t always genuine, even if it looks almost perfect.
  • Secure mobile devices. → Company email, contacts and calendars are often stored on mobile devices, and business data is routinely carried around. Laptops, smartphones and tablets should therefore be protected, governed by consistent policies and – if necessary – remotely wiped. Sophos Central Mobile helps here.
  • Secure your networks. → Once you have at least 50% of the above covered, you can turn to network security. A properly configured firewall can make a real difference, and your wireless networks can also be secured through it. See the Sophos XG Firewall.
  • Encrypt email. → We’ve all been talking about encrypting email for a long time, but outside of certain industries it still hasn’t really taken off, mainly because it’s not particularly convenient. Sophos does have a few solutions in this area, but to be honest we don’t yet consider them fully mature or particularly well suited for SMEs.
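The file-encryption item above contrasts a single container with one password for everything against a design where each file (and its name) gets its own key. The following is an added example, not code from this post, from Sophos or from Cryptomator: it shows a password stretched into a master key and purpose-bound subkeys derived per file, so that a leaked key for one file says nothing about the others, and a lost device only yields ciphertext without the password. The function names, the choice of PBKDF2 (Cryptomator itself uses scrypt), the iteration count and the 12-character minimum are assumptions for illustration; the bulk encryption step is left out because the Python standard library has no AES.

```python
import hashlib
import hmac
import secrets

# Assumption: PBKDF2-HMAC-SHA256 with a high iteration count stands in for the
# password-stretching step; real tools pick their own KDF (Cryptomator uses scrypt).
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32  # 256-bit keys
MIN_PASSWORD_LEN = 12  # assumption: a floor, not a definition of "strong"


def derive_master_key(password: str, salt: bytes) -> bytes:
    """Stretch the user's password into a 256-bit master key.

    The salt is random per vault and stored next to the encrypted data. It is
    not secret; it only prevents precomputed-password attacks. The password
    is the single point the whole scheme rests on, hence the length check.
    """
    if len(password) < MIN_PASSWORD_LEN:
        raise ValueError("password too short: strong encryption needs a strong password")
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=KEY_LEN)


def hkdf_expand(prk: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """HKDF-Expand (RFC 5869) with HMAC-SHA256.

    Derives a subkey bound to `info`, so keys for different purposes or
    different files are unrelated even though they share one master key.
    """
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def new_file_id() -> bytes:
    """Random per-file identifier, stored in the file's header (not secret)."""
    return secrets.token_bytes(16)


def per_file_keys(master_key: bytes, file_id: bytes) -> dict:
    """Derive separate content and file-name keys for one file.

    Because every file has its own random file_id, two files never share a
    key, and the name key differs from the content key. Compromise of one
    file's content key does not help with any other file.
    """
    return {
        "content": hkdf_expand(master_key, b"vault/content/" + file_id),
        "name": hkdf_expand(master_key, b"vault/name/" + file_id),
    }


def open_vault(password: str, vault_salt: bytes, file_ids: list) -> dict:
    """Rebuild every file's keys from the password and the stored (public) headers.

    This is what a legitimate user does on a new machine; an attacker holding
    the same headers but not the password gets nothing usable.
    """
    master = derive_master_key(password, vault_salt)
    return {fid.hex(): per_file_keys(master, fid) for fid in file_ids}


if __name__ == "__main__":
    # Constructed demo: one vault, two files, keys shown as hex prefixes only.
    salt = secrets.token_bytes(16)
    ids = [new_file_id(), new_file_id()]
    keys = open_vault("correct horse battery staple", salt, ids)
    for fid, k in keys.items():
        print(fid, "content:", k["content"].hex()[:16], "name:", k["name"].hex()[:16])
```

In this layout the master key is never used to encrypt anything directly; it only feeds the derivation, which is the property that makes per-file encryption better than one container under one key. Rotating the password means re-deriving subkeys, not re-encrypting every file, if the vault additionally wraps a random master key under the password-derived key (omitted here for brevity).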

These are the key points we recommend you focus on so you’re not among the first to accidentally fall foul of the GDPR. 😉

Patrizio