GDPR and data security: The must do’s

When it comes to thinking about data security, many company executives who are unfamiliar with the concept think that a high fence, cameras and a security guard at the entrance will do the job.

Unfortunately, as the most recent ransomware attacks have shown, this is definitely not the answer. Not having a bullet-proof data security process in effect is now riskier than ever! The reason is the General Data Protection Regulation (GDPR).

Since it came into full effect at the end of May, much has been written about the effects of GDPR on companies, especially the obligation to securely erase the personal data of partners, clients or other individuals when the business no longer needs it or when the person demands its deletion.

But GDPR is a lot more than just the right to be forgotten; it also covers the prevention of data leaks by every enterprise that does business within the European Union, or that does business with an EU company from outside the Union.

Article 32

Article 32 of the GDPR states that companies must have “introduced a procedure to maintain regular reviews and evaluations of the effectiveness of technical and organisational measures to ensure the safety of processing of personal data within the company.”

Having a proper procedure in place applies not only to data processing itself but also to the selection and procurement of the IT solutions (both software and hardware) in use.

What should have been done?

Every company IT representative should therefore have taken all necessary measures to ensure that no personal data can leak outside the company. According to Article 32, the measures to be taken include:

  • pseudonymisation and encryption of personal data;
  • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of the systems and services used for processing;
  • the ability to rapidly restore the availability of, and access to, personal data in the event of a physical or technical incident;
  • a process for periodically reviewing and evaluating the effectiveness of the technical and organisational measures that ensure the security of processing.

Another very important point made by Article 32 is:

“In particular, the risks associated with the processing – in particular destruction, loss or alteration, whether inadvertent or unlawful or unauthorized disclosure of or unauthorized access to personal data transmitted, stored or otherwise – must be taken into account when assessing the appropriate level of protection.”

In short, Article 32 demands a proper analysis of the risks that a particular procedure or technology poses to personal data. The responsible employee has to carry out a data protection impact assessment beforehand and determine whether a given procedure – especially one that uses a new technology – poses a low or a high risk to the (data) rights of individuals.

Any data leak that occurs in a company now has to be reported within 72 hours of its discovery. If it is not, the fines are severe and the same as for unauthorised use of personal data: up to €20 million or 4% of global annual turnover (whichever is greater).

Don’t overlook small devices!

Being GDPR compliant means that every IT administrator should have taken all measures necessary to ensure that a data leak will not occur. But this is easier said than done. Data security was an issue long before GDPR came into effect.

What some people may have forgotten is that small devices, such as printers, can also store or distribute personal data. They are therefore an attractive target for attackers seeking sensitive or business-related data.

A Hollywood example

One of the best videos explaining such an attack was produced by HP and stars Hollywood actor Christian Slater. In this scenario, he shows how an attack by a hacker can lead to a breach of millions of medical files from a hospital group. While in this story Slater has to steal and change the identity of a high-ranking manager of the company twice, and almost poisons him, the main point is that he was able to get into the network simply through the USB interface of a modern network printer.

While this scenario is very much Hollywood-like, the idea of compromising a company through a printer or any other peripheral device connected to your network is highly plausible. Besides that, even when your printer is not connected to the company network, it can still hold a great deal of sensitive information.

What many people still do not know is that a business printer or copier may contain a hard disk that retains copies of documents until the disk is full. This poses a serious security and data-breach risk.

So, when such a device has been leased or rented and is returned, it is essential that its disk is securely erased so that sensitive personal information cannot leak out of the company. In this case, the company that rented or leased the device would be responsible for the leak under the GDPR.

Got any questions about getting your data secure? Tweet us at @OntrackUKIE

Picture copyright: MichaelGaida / pixabay.com

https://pixabay.com/en/barbed-wire-video-camera-monitoring-1670222/

CC0 License