As GDPR Fines Hit Home, it's Time for Firms to Embrace Cyber Best Practices
In analysis / By Phil Muncaster / 05 April 2019
Almost a year has gone by since the biggest change to Europe’s privacy laws in a generation came into force. The GDPR turns one in May, and according to the latest figures it is already having a positive impact on organisations in terms of transparency and accountability. But being open and honest will only get you so far. For those in professional services, it’s particularly important to use this opportunity to improve corporate cybersecurity.
Not only will it help to avoid the GDPR fines that are landing with increased regularity, but in so doing, can also protect your hard-won corporate reputation.
The GDPR Gloves Are Off
Ever since the starting pistol was fired on 25 May 2018, commentators had been waiting for regulators to levy the first major fine. After all, this was the law that introduced potentially astronomical fines of up to 4% of global annual turnover or €20m (around £17m), whichever is higher, for non-compliance. In the end it came, perhaps unsurprisingly, at the expense of a US tech giant. Google was hit with a €50m (£44m) fine by the French regulator (CNIL) in January for failing to properly inform users about how it personalised its ads.
However, it’s not alone. Although there have been no more fines quite that size, regulators have been increasingly willing to penalise those seen to be failing on compliance. Most recently, the Polish regulator (UODO) slapped a £187,000 fine on a firm for its failure to notify consumers about using their personal info. As of February, DLA Piper claimed there had been 91 fines issued — most of which related to breaches of personal data — and over 59,000 breach incidents reported to regulators.
This is particularly important for businesses operating in the professional services sector. Why? Because the sensitive data they handle and trusted links to client organisations make them a lucrative target for hackers.
According to a study published by the National Cyber Security Centre (NCSC) in 2018, £11m of client money was stolen over the preceding year and 60% of law firms reported an information security incident — a 20% year-on-year increase.
The same report highlights the top four threats facing the sector as: phishing, data breaches, supply chain attacks and ransomware.
While the link between data breaches and GDPR is well understood, the potential impact of ransomware on compliance may be less so. Ransomware attacks typically make an organisation’s data unavailable rather than steal it for sale on the dark web. But loss of availability is still squarely within scope. Article 32 of the GDPR requires controllers and processors to put in place “appropriate technical and organisational measures” not only to secure personal data, but also to ensure “the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.” Note too that the regulation’s definition of a personal data breach (Article 4(12)) covers “accidental or unlawful destruction” and “loss” of data as well as unauthorised disclosure, so a ransomware incident that leaves personal data unrecoverable can itself be a notifiable breach even if nothing was exfiltrated.
This makes backups an essential requirement for any business that wants to survive the worst-case scenario of a ransomware attack. But the devil is in the detail. As World Backup Day on Sunday 31 March reminded IT leaders, best practice means following the 3-2-1 model: three copies of the data, on two different media, with one copy off-site (e.g. in the cloud). The off-site copy should also be kept offline or otherwise unwritable from the production network, and restores should be rehearsed rather than assumed to work. Otherwise, ransomware that reaches the file server may find its way into the backup data stores too, or the backups may turn out to be unreadable on the day they are finally needed.
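To make the 3-2-1 point concrete, here is an added example (not code from the article or from any vendor mentioned in it) that checks a set of backup copies against the 3-2-1 rule and then verifies each copy’s contents against the SHA-256 hash recorded when the backup was taken. The data set, the three copies and the ransomware stand-in are all constructed for the demo; the “offline copy” rule is an extra check beyond the plain 3-2-1 model, as the comments note.

```python
import hashlib
from dataclasses import dataclass

# Constructed sample: the "production" data set as it looked when the backup
# job ran. Its hash is what the backup manifest recorded at backup time.
ORIGINAL = b"client_id=1042,name=J. Doe,matter=conveyancing,balance=12500.00\n"
MANIFEST_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()


def ransomware_encrypt(data: bytes, key: int = 0x5A) -> bytes:
    """Stand-in for ransomware overwriting a file (toy XOR, demo only)."""
    return bytes(b ^ key for b in data)


@dataclass(frozen=True)
class BackupCopy:
    name: str
    medium: str      # storage medium, e.g. "disk", "tape", "cloud-object"
    offsite: bool    # stored at a different location from production
    offline: bool    # not writable from the production network (air-gapped or immutable)
    data: bytes      # bytes read back from this copy during the restore test


# Constructed copies: the on-site disk copy was reachable from the infected
# file server and has been overwritten; the other two were not.
COPIES = [
    BackupCopy("local-disk", "disk", offsite=False, offline=False,
               data=ransomware_encrypt(ORIGINAL)),
    BackupCopy("cloud-object", "cloud-object", offsite=True, offline=False,
               data=ORIGINAL),
    BackupCopy("tape-vault", "tape", offsite=True, offline=True,
               data=ORIGINAL),
]


def check_3_2_1(copies):
    """Return a list of policy failures; an empty list means the set is compliant.

    The 'offline' rule is an extra check beyond the plain 3-2-1 model: a copy
    that production can write to is a copy ransomware can overwrite.
    """
    failures = []
    if len(copies) < 3:
        failures.append(f"only {len(copies)} copies, need at least 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        failures.append(f"all copies on one medium ({', '.join(sorted(media))}), need 2")
    if not any(c.offsite for c in copies):
        failures.append("no off-site copy")
    if not any(c.offline for c in copies):
        failures.append("no copy isolated from the production network")
    return failures


def verify_restores(copies, expected_sha256):
    """Map copy name -> whether the bytes read back match the manifest hash."""
    return {c.name: hashlib.sha256(c.data).hexdigest() == expected_sha256
            for c in copies}


def restorable_copies(copies, expected_sha256):
    """Names of copies that actually verify, i.e. what you could restore from."""
    results = verify_restores(copies, expected_sha256)
    return [name for name, good in results.items() if good]


if __name__ == "__main__":
    print("3-2-1 failures:", check_3_2_1(COPIES) or "none")
    for name, good in verify_restores(COPIES, MANIFEST_SHA256).items():
        print(f"{name}: {'OK' if good else 'CORRUPT - does not match manifest'}")
    print("restorable from:", restorable_copies(COPIES, MANIFEST_SHA256))
```

The point of the second half is that a backup set can pass the 3-2-1 count and still be useless: the local copy here looks like a backup until its hash is compared with the manifest. Recording a content hash at backup time and re-checking it on a scheduled test restore is what turns “we have backups” into “we can restore”.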
It’s these details which make the difference between cyber protection that works, and a strategy which may actually give the organisation a dangerous false sense of security. You may nominally have disaster recovery and incident response plans, for example, but when was the last time they were tested effectively?
Similarly, you might have watertight server and network security in place, but if your employees are still using password-only logins for their accounts, it’s the equivalent of locking the front door of the house and leaving the windows open. As I revealed last year, researchers found over one million email addresses and passwords linked to the UK’s top 500 law firms up for sale on the dark web. They’d been used by employees to log in to third-party sites like LinkedIn which were subsequently breached. Such troves of corporate log-in data are increasingly common on the cybercrime underground, and any password reused between a breached third-party site and a corporate account is an open window.
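The practical counter to reused, already-leaked passwords is to refuse them at the point they are set. As an added example (not from the article), here is the k-anonymity range lookup used by Have I Been Pwned’s Pwned Passwords service: only the first five hex characters of the password’s SHA-1 hash leave the organisation, and the match against the returned suffixes is done locally, so the password itself is never disclosed. The range responses and breach counts below are constructed so the script runs offline; the `fetch_range_online` helper shows the real endpoint but is not called here.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_upper(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """Return (prefix, suffix): only the 5-char prefix is ever sent out."""
    digest = sha1_upper(password)
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """How many times this password appears in the breach corpus (0 = not seen)."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    """Real lookup against the public API (network access required; not used below)."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-policy-check"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API: one range containing the suffix for the
# password "password" (SHA-1 5BAA61E4...), plus an unrelated filler entry.
# The counts are made up for the demo; the real service returns its own.
OFFLINE_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"
             "0123456789ABCDEF0123456789ABCDEF012:2\n",
}


def fetch_range_offline(prefix: str) -> str:
    return OFFLINE_RANGES.get(prefix, "")


def audit_accounts(candidates, fetch_range=fetch_range_offline):
    """Return the accounts whose proposed password is already in the breach corpus.

    In practice you run this inside the password-change flow, on the value the
    user has just typed, rather than over a stored list of plaintexts.
    """
    return [user for user, pw in candidates.items() if breach_count(pw, fetch_range) > 0]


# Constructed sample: two users setting new passwords.
CANDIDATES = {
    "a.smith@example-law.co.uk": "password",
    "b.jones@example-law.co.uk": "Tr0ub4dor&3-spring-raincoat-91",
}

if __name__ == "__main__":
    for user, pw in CANDIDATES.items():
        print(user, "->", breach_count(pw, fetch_range_offline), "prior breaches")
    print("reject:", audit_accounts(CANDIDATES))
```

The design choice worth copying is the split: hashing locally and sending a prefix that matches hundreds of other hashes means a compromised or logged lookup service learns almost nothing about the password. Pair the check with MFA, since a strong, unbreached password still does nothing if it is phished.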
Time For Action
It’s not easy being an IT security leader. Along with the growing risk from hackers, there’s new digital infrastructure to protect, including cloud deployments which have expanded the corporate attack surface significantly. That’s not to mention persistent industry skills shortages which can leave IT security teams stretched to breaking point.
However, by following best practices it is possible to reduce cyber risk and improve GDPR compliance efforts. It’s all about convincing the regulators you have the best interests of customers and employees at heart. This doesn’t require spending millions on flashy technology, but nor does it mean doing the minimum you believe is necessary to stay under the radar.
Consider the following as a start:
- Endpoint, network, server and web/email gateway protection, ideally from a single reputable provider
- Tight access controls (least privilege) and multi-factor authentication (MFA)
- Continuous network monitoring for threats
- End-user education (e.g. phishing simulations)
- Keep all devices and software up to date
- Follow best practice standards and frameworks. Start with Cyber Essentials. BS 10012:2017 personal information management system (PIMS) and ISO 27001:2013 information security management system (ISMS) could also help
- Consider outsourcing some or all security functions to a managed security services provider
Above all, remember that GDPR compliance is not a single process that you can tick off and move on. It will require constant attention and a close eye on what regulators are demanding, as requirements may change over time. Follow the ICO for updates.