ITProPortal asks Bridgeworks CEO David Trossell to share advice on how to get GDPR compliant.
August 17, 2017
GDPR: Protect your data, recover more quickly
On 25th May 2018 the European Union’s General Data Protection Regulations (GDPR) come into force. Despite the Brexit negotiations UK companies will have to comply with them, and Article 5 of the regulations requires companies to take particular care of personal, sensitive data. It obligates that data must be “processed in a manner that ensure appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical measures.”
Organisations therefore need to ensure that compliance is upheld by conducting regular audits and by being aware of the biggest threats to their businesses. Nigel Wright, Managing Director of Legal Futures Associates, highlights just some of them in his blog, ‘The Five Biggest IT Threats To Your Firm’s GDPR compliance’.
The first is an overly relaxed attitude towards security – particularly when you’re opening new offices, merging or acquiring another firm. The process of merging and securing all of the IT systems based in various locations across a geographical area is arduous and very challenging. Quite often there is the assumption that all the necessary security guidelines are followed, but this needs to be tested rather than taken for granted. Forethought, precautions and hard will pay off.
Wright points out that a data breach can be caused by a failure to update or upgrade software or operating systems. You would then have to prove that you have done all you can to comply with GDPR, and if you can’t you could be penalised with an enormous fine. Audits should therefore take a broad view of your IT estate to ensure that everything is covered, so that if a disaster does strike you can go back to show that you took all the necessary steps to protect the personal and sensitive data that you hold on your customers, suppliers and employees.
Held to ransom
Wright details the second threat to be a lack of protection against cyber-attacks. With the frequency of cyber-attacks increasing, organisations need to invest in solutions to protect their systems and data. Alex Hern, reported in The Guardian newspaper on 15th June 2017 that even the ‘University College London [Was] Hit by [A] Ransomware Attack.’ It brought down UCL’s shared drives and student management system. “The attack has also led to a number of hospital trusts suspending their email servers as a precautionary measure, in an attempt to prevent the repetition of last month’s damaging WannaCry epidemic”, he wrote.
The first line of defence is to train employees, so that they become aware of what ransomware is and its potential impact on an organisation. They also need to learn what to do and what to avoid doing to ensure that their own company doesn’t find its servers locked down with a ransom demand attached to the attack. To prevent this from happening they need to be able to spot what’s a legitimate email and what’s a phishing email, or a download that may well contain malicious coding that enables an attacker to gain access to their firm’s systems.
The third point is that your organisation needs have a password policy to ensure that passwords are strong. Traditionally, organisations often force their employees to change their passwords on a frequent basis. While that can offer a degree of security, people have a tendency to forget their new passwords – and it gets worse the more times they’re told to change them. This leads to the temptation of creating a password that is too short and too weak, and so your organisation should have a password policy that guides authorised users about how to create a strong and secure password that is also memorable. An appropriate password policy should also, hopefully, reduce the calls to IT Helpdesk, allowing IT to focus on more strategic projects and day-to-day operations.
I mentioned his fourth point earlier in this article. That being the risks associated with out-of-date operating systems and software generally. The recent attacks on organisations that still run Windows XP and Windows 7 machines have shown that once they have reached their end of life, they become vulnerable to the newly emerging threats that are appearing every day. Consequently, they will no longer be receiving the latest security patches to ensure that they remain secure. This allows hackers to exploit them unabated, and so you need to audit all the hardware and software you are using to keep them updated – including anti-malware and anti-virus software. Without the latter, you’re castle with an open door to enter too easily.
The fifth threat mentioned by Wright occurs when an organisation has a weak back-up, business continuity and disaster recovery plan. I will add a sixth one to this, and that’s about the need to have the right data acceleration solutions in place – such as PORTrockiT – to ensure that you are able to mitigate data and network latency in a way that beats the hackers. A solution like this will also enable you to encrypt your data at source or before it leaves the server (which WAN optimisation can’t currently optimise), and use machine learning to permit secure and efficient back-ups – as well as the fast recovery of the data in compliance with the General Data Protection Regulations.
Backing up your data is crucial. “Data is, without doubt, one of the greatest assets to any business enterprise, especially with GDPR coming into force next year. A commitment to backing up your data is therefore a crucial component of ensuring continued business success”, writes Clare Hopping in her article for IT Pro – ‘Data Recovery – Why Is It So Important?’ on 23rd June 2017….and she’s right, your data requires your attention because it’s what makes your business profitable. So it’s an imperative to invest in the right solutions.
She says the problem is that “Research by StollzNow, reveals that a staggering 49 per cent of businesses have reported data loss in the last 2 years. With half of all businesses surveyed experiencing data loss, it’s clear that this is an extremely widespread and serious issue with potentially diabolical consequences.” The study also found that more than 50 per cent of SMEs don’t back up their data. Yet failing to back up their data could put their business at risk of failing. Even more worrying is that 85 per cent of these SMEs have no offsite backup capability.
So, the audits need to consider all the potential consequences. Without them your own organisation may find that it’s leaving itself open to either an attack or a complete disaster due to having failed to back up regularly. You should also carry out failover testing quite regularly to ensure that if one system or datacentre goes down, you can continue to operate from another – something BA should have been practising!
The quickest way to do this is with a data acceleration solution – one which provides high performing recovery time objectives (RTOs) and recovery point objectives (RPOs). You will then be able to protect your data, and recover or maintain your business operations effectively and efficiently whenever disaster happens to try to strike you down.
The good news is that you don’t necessarily have to go out to buy new network, storage and IT infrastructure generally to achieve compliance with GDPR. What you already have is often sufficient. However, you need to invest today to ensure that your data is safe well into the future. This requires you to act to protect your organisation now as there is no cost-savings in complacency.
Disaster can strike anytime, and so it’s best to work on ensuring that you are compliant with GDPR before it comes into force. Complacency could leave you vulnerable to attack, or at risk of losing data through other means, and subsequently you could be at risk of failing to meet the requirements of the legislation. Prevention is better than a cure.