It has been a while now since the EU Parliament adopted the new General Data Protection Regulation, or EU GDPR for short, on April 14, 2016. It comes into force on May 25, 2018, so companies have had just under two years to prepare for the new regulation. In the meantime, a great deal has been written about it, since U.S. companies are also required to comply with the General Data Protection Regulation (GDPR).
In this article, we would like to show how Sophos can help you comply with the new General Data Protection Regulation. We will not go into detail about the contents of the 11 chapters, divided into 99 articles, of the General Data Protection Regulation. In any case, much of the current wording is still rather vague, and it is difficult to pin the texts down precisely. The lobbyists did a good job there, because larger companies can afford years of litigation to keep negotiating the wording. That is not so great for SMEs, who would rather have it clearly defined. The first court cases will show how some of the articles are to be understood.
Right at the beginning, since we as Avanet are at home in Switzerland: Yes, Swiss companies with EU customers are also affected by the EU General Data Protection Regulation.
Many companies therefore do nothing at the moment and accept the risk of being sued. Some states have also already announced that they do not even have the resources to investigate the complaints.
So what is this new basic regulation all about?
Here are a few examples to get a feel for what is involved and how IT security can help:
- EU citizens have the right to request their personal data from companies.
→ Some companies already have a problem here. It may take an employee hours to compile this data.
- EU citizens can request the deletion of their data.
→ Again, a bit of a challenge for IT, because it also covers backups. Not all software can delete individual records from backups, especially since this also conflicts with data retention obligations.
- If data is stolen from a company, there is a reporting obligation unless the data has been encrypted.
→ This example brings us to the topic at hand, because IT security suddenly plays an important role here.
IT security must be taken seriously
Personally, of course, we like the fact that the General Data Protection Regulation provides further arguments that the topic of IT security simply has to be taken seriously. Those who ignore it and still feel they don't need a proper solution for their business will sooner or later be punished for gross negligence. Too often, even today, we see PCs, servers or other systems connected directly to the Internet without any protection! On top of that, the latest updates and patches are routinely ignored.
Just because Windows XP no longer receives patches does not mean that the system is now safe. Some may laugh now, but there really are people who believe that!
We also very often see people surfing the Internet with browsers that have not received any updates for a very long time. Use a modern browser that is up to date in terms of security.
The ransomware industry is rethinking its approach
We live in a time when ransomware and exploits are among the more successful attack methods. Of course, this industry is also preparing for May 25. New ransomware has already been spotted that no longer encrypts data and demands bitcoins for decryption, but instead exfiltrates company data to the Internet in the background for weeks and then displays the following message:
We have your data! Transfer XXX Bitcoins to us or we will publish them.
Now even the backup, which many relied on as a remedy against the encryption of earlier ransomware, no longer helps. If the data is published, there is on the one hand the damage to the company's image and on the other hand a fine from the EU, which can amount to up to 20 million euros or 4% of annual turnover.
Protection: Simple and relatively cheap
There are a few simple ground rules to follow:
- Use a current operating system (PC, server, smartphone, IoT devices)
- Make regular software updates
- Install a professional antivirus
→ In our opinion, Avira, Avast, Windows Defender and the like fall short here, considering their technology. I write "technology" on purpose, because the marketing or website copywriters of these solutions do their job really well. If you believe the descriptions, these free products also protect against everything. In addition, I would always recommend Sophos Intercept X. For servers, there is Sophos Server Protection.
- Encrypt your data media (hard disks, USB sticks, etc.)
→ Helps in case of loss of a device. BitLocker for Windows and FileVault for macOS are good solutions here. You can enable this manually on a few computers or manage it centrally on many devices using Sophos Device Encryption.
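If you enable disk encryption manually rather than through central management, you still want to verify that every drive is actually protected, fully encrypted and has a recovery key on file. The following audit script is an added example, not part of the original post or a Sophos tool; it assumes a Windows machine with the built-in BitLocker PowerShell module and an elevated session.

```powershell
# Added example: audit BitLocker state on the local machine.
# Assumes the built-in BitLocker module (Get-BitLockerVolume) and an elevated session.
function Get-BitLockerAudit {
    foreach ($vol in Get-BitLockerVolume) {
        # A recovery password protector is what lets you get at the data
        # after a TPM failure or motherboard swap; without it, a lost PIN
        # turns "device lost" into "data lost".
        $recoveryProtectors = @($vol.KeyProtector |
            Where-Object { $_.KeyProtectorType -eq 'RecoveryPassword' })
        $hasRecovery = $recoveryProtectors.Count -gt 0

        # "Compliant" here means: protection switched on, encryption finished
        # (not merely in progress or paused), and a recovery key exists.
        $compliant = ($vol.ProtectionStatus -eq 'On') -and
                     ($vol.VolumeStatus -eq 'FullyEncrypted') -and
                     $hasRecovery

        [pscustomobject]@{
            Drive            = $vol.MountPoint
            VolumeType       = $vol.VolumeType        # OperatingSystem or Data
            Status           = $vol.VolumeStatus      # FullyEncrypted, FullyDecrypted, EncryptionInProgress, ...
            Protection       = $vol.ProtectionStatus  # On or Off
            Method           = $vol.EncryptionMethod  # e.g. XtsAes256
            PercentEncrypted = $vol.EncryptionPercentage
            RecoveryKey      = $hasRecovery
            Compliant        = $compliant
        }
    }
}

$audit = Get-BitLockerAudit
$audit | Format-Table -AutoSize

$nonCompliant = @($audit | Where-Object { -not $_.Compliant })
if ($nonCompliant.Count -gt 0) {
    Write-Warning ("Unprotected or incompletely protected volumes: " +
        (($nonCompliant | ForEach-Object { $_.Drive }) -join ', '))
    # To remediate manually on a single machine (built-in cmdlets, not part of the audit):
    #   Enable-BitLocker -MountPoint 'C:' -TpmProtector
    #   Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
    # and store the recovery password outside the device (e.g. in AD or a password vault).
}
```

On macOS the equivalent quick check is `fdesetup status`, which reports whether FileVault is on for the system volume.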
- Encrypt your files
→ Here there is software such as VeraCrypt (the free successor to TrueCrypt) or Cryptomator. The disadvantage I see with the former is that everything is stored in a single container, which is cumbersome for many reasons and not very secure (e.g. only one password for all data). This is solved better by Cryptomator (free): each file is encrypted with its own key (even the file name), and the files remain individual, which is also better for backups than the container solution. What does Sophos offer here? From our point of view, nothing really useful for smaller companies yet, unless you want to run a Windows server with a database and AD connection. In that case, Sophos SafeGuard would be a good solution. No matter which product you use, good encryption stands or falls with a strong password! However, do not use the same "secure" password everywhere.
The GDPR explicitly mentions encryption as a suitable method for protecting data in the event of a data breach (Article 34).
- Train users
→ It is always the same with protective mechanisms: they should be present, but in the best case they should never be needed. This is exactly what happens with a backup, for example. However, some users do not know any better and click on any link and respond positively to phishing emails, which in turn can have a negative impact on IT security. For this reason, there is Sophos Phish Threat, for example. This can be used to create phishing campaigns and test employees. In the follow-up, these are then trained. This method is intended to raise awareness that an email is not always genuine, even if it has been copied almost perfectly.
- Secure mobile devices
→ Company emails, contacts and calendars are very often on mobile devices. Nowadays, people also carry company data around with them as a matter of course. Therefore, notebooks, smartphones and tablets should be protected, uniform policies should be defined, and devices should be wiped if necessary. Sophos Central Mobile helps with this.
- Secure networks
→ Once you meet at least 50% of the above points, you can turn your attention to network security. A properly configured firewall can do a lot, and it can also be used to secure wireless networks. The Sophos XG Firewall covers this.
- Encrypt emails
→ How long have people been talking about encrypting email? A very long time! But it has only caught on in certain industries, as it is still not very convenient. Sophos also has a few solutions, but I have to be honest and say that in my opinion, they are neither suitable for SMEs nor mature.
These are roughly the points we would like to suggest to you, so that you are not among the first to unexpectedly violate the GDPR 😉