Enough with the GDPR warnings!
News pages have been awash with fresh warnings about the impending General Data Protection Regulation (GDPR), which (finally) comes into force this week. You are unlikely to have missed the widespread media coverage of GDPR, but another piece of legislation that may have slipped under the radar is the Directive on security of network and information systems (the NIS Directive, or NISD), which quietly came into force last week.
The NISD is designed to ensure the security of the operators of essential services that make up the critical national infrastructure. Although the potential penalties of up to £17 million are rather imposing, the government will not automatically administer a fine in the event of a breach. As with GDPR, any potential punishment will be judged on whether the organisation had made adequate cyber security provisions, and it is likely that this judgement will be based on how well the organisation has implemented the NIS Directive top-level objectives recently published by the National Cyber Security Centre.
The implementation of GDPR is particularly timely given the recent stream of reports about data breaches and the volume of personal data that appears to have leaked into the public domain. Whilst some companies will perceive GDPR as burdensome, the new regulation actually presents an opportunity to cleanse and consolidate the data they hold, thereby tightening control over a key target of the cyber attacks that are currently increasing.
So how do I prepare?
For anyone concerned about the GDPR deadline, PGI has information security and data protection experts who can advise on how to become GDPR compliant, starting with a gap analysis to identify your current level of compliance. Notwithstanding the direct actions companies must take to address compliance, there are also a number of steps that help mitigate the threat of a data breach and prevent cyber attacks from succeeding in the first place.
One of the simplest and most cost-effective measures for preventing attacks is to improve your staff's cyber security awareness. As technical defences improve, the notion that 'humans are the weakest link' becomes increasingly pertinent: attackers know that the most direct route into a company is to lure unsuspecting staff into clicking on malicious links and attachments. PGI's one-day GCHQ Certified Cyber Security Awareness course gives employees a thorough understanding of cyber security, the associated threats and vulnerabilities, and the mitigation strategies for managing them.
In addition, PGI are running a series of GDPR courses to train your staff on how to remain compliant once the regulation is in force. Unfortunately, compliance isn't a quick fix; it requires a continued review of the data you hold, consent and opt-ins, policies, images and the way employees interact with company databases.
Another way to address the risk of phishing attacks against an organisation is to run an internal phishing campaign that measures how susceptible staff are to this type of attack and then advises them accordingly. To help assess the current cyber awareness of your workforce, PGI has developed a phishing capability assessment which uses the results to deliver targeted training and reduce the organisation's vulnerability to phishing campaigns.
What about technical solutions?
Whilst an informed workforce practising good cyber hygiene is critical to protection, ensuring that corporate technical infrastructure is secure is also crucial, particularly in the event of a breach under GDPR, because any potential fine will be assessed against whether adequate cyber security provisions were in place. Even basic practices, such as ensuring operating systems and devices are regularly patched with the latest security updates, are often overlooked by both companies and individuals. The scale and impact of the WannaCry ransomware attacks in 2017 were exacerbated by the many businesses and organisations that had not applied the security update Microsoft had already released; systems with that update installed were not vulnerable to the worm that spread the malware.
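As an added illustration of the patching point (example code written for this page, not PGI tooling or anything from the original article), the PowerShell script below checks a Windows host for the controls that WannaCry abused: it confirms the SMBv1 server protocol is disabled, that the hotfix IDs the operator supplies are installed, and that something has been patched recently. WannaCry's worm component exploited an SMBv1 flaw that Microsoft had fixed in its March 2017 MS17-010 update; the KB number for that fix differs per Windows version, so it is taken as a parameter rather than assumed. The script assumes Windows 8.1/Server 2012 R2 or later (for the SMB cmdlets) and an elevated prompt; the threshold of 30 days is an arbitrary assumption.

```powershell
# Added example, not from the original article: a local patch-hygiene check
# for a Windows host, returning a non-zero exit code if anything fails so it
# can be scheduled and alerted on.
# Assumptions (not stated on the page): Windows 8.1 / Server 2012 R2 or later,
# run from an elevated prompt, and the MS17-010 KB ID(s) for this OS build are
# supplied by the operator because they differ per Windows version.
param(
    [Parameter(Mandatory = $true)]
    [string[]]$RequiredKB,                 # e.g. the MS17-010 KB for this OS build
    [int]$MaxDaysSinceLastPatch = 30       # arbitrary staleness threshold
)

$failed = $false
$report = [ordered]@{}

# 1. SMBv1 server protocol: WannaCry's worm spread over SMBv1, so this should be False.
$smb = Get-SmbServerConfiguration
$report["SMB1Enabled"] = $smb.EnableSMB1Protocol
if ($smb.EnableSMB1Protocol) {
    Write-Warning "SMBv1 server protocol is enabled. Disable it with: Set-SmbServerConfiguration -EnableSMB1Protocol `$false -Force"
    $failed = $true
}

# 2. Required hotfixes: compare the operator-supplied KB list against what is installed.
$hotfixes  = Get-HotFix
$installed = $hotfixes | Select-Object -ExpandProperty HotFixID
$missing   = @($RequiredKB | Where-Object { $installed -notcontains $_ })
$report["MissingKB"] = if ($missing.Count -gt 0) { $missing -join ', ' } else { 'none' }
if ($missing.Count -gt 0) {
    Write-Warning "Missing hotfix(es): $($missing -join ', ')"
    $failed = $true
}

# 3. Overall staleness: newest InstalledOn date across all hotfixes.
$latest = $hotfixes | Where-Object { $_.InstalledOn } |
          Sort-Object InstalledOn -Descending | Select-Object -First 1
$daysSince = if ($latest) {
    (New-TimeSpan -Start $latest.InstalledOn -End (Get-Date)).Days
} else { $null }
$report["DaysSinceLastPatch"] = $daysSince
if ($null -eq $daysSince -or $daysSince -gt $MaxDaysSinceLastPatch) {
    Write-Warning "No security update installed in the last $MaxDaysSinceLastPatch days"
    $failed = $true
}

[pscustomobject]$report | Format-List
exit ([int]$failed)
```

Run it as, for example, `.\Check-PatchHygiene.ps1 -RequiredKB KB1234567` (the script name and the KB value are placeholders you supply for your own estate). A passing host prints `SMB1Enabled : False`, `MissingKB : none` and a small `DaysSinceLastPatch`, and exits 0; anything else exits 1 with a warning naming the failed control.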
Evaluating the security of a business's systems or network can be done by one of PGI's penetration testers, who will seek to identify any vulnerabilities that could lead to a business impact. Penetration tests can substantially reduce your risk profile and contribute greatly to the protection of your income, clients and reputation. Furthermore, with the imminent introduction of GDPR, regular penetration tests are also a good way of evidencing that security was considered for personal data processed on IT networks.
What happens if I suffer a breach?
A number of clients we have spoken to have been proactive and carried out the necessary preparation work. New policies have been written and stored data has been cleaned and consolidated. However, something that seems to have been overlooked in a lot of businesses’ preparation plans is the ‘what if’ scenario. What do you do if you suffer an information security breach and your customer and client data is compromised?
It is important to include an Incident Response Plan within the mountain of privacy notices and legal policies that have to be rewritten. Who will be the spokesperson for your organisation? What will they say? Whom do you report the breach to, and what are the legal obligations? Under GDPR, a personal data breach that is likely to put individuals' rights at risk must be reported to the supervisory authority (the ICO in the UK) within 72 hours of your becoming aware of it, so the plan needs to name who makes that decision and who makes the report. Being structured and organised in the event of a breach can be the PR 'make' or 'break'.
In addition, and more importantly, how are you going to recover the data, establish what has been done with it and fix the weaknesses in your systems that allowed the breach? That's where we come in. PGI are Incident Response experts. Our team of cyber security specialists can deploy quickly and efficiently to begin detecting and eliminating the threat. Our expertise means that we can limit the operational disruption, financial loss and reputational damage that may result from incidents such as data breaches, network compromises, insider threats and malicious software (malware).
How PGI can help you meet GDPR compliance requirements
If you or your business would like more advice on GDPR/the Data Protection Act and how to implement it, please contact us for a confidential discussion: email@example.com or via phone +44 (0) 845 600 4403