by Lucinda de Jong
The months leading up to May 25 were frantic for businesses all around the world. No, they weren't getting ready for the royal wedding. They were busy preparing for the dreaded deadline of the European Union’s General Data Protection Regulation (GDPR).
Now, the big moment has well and truly come and gone, and all that’s left to do is wait for non-compliant companies to be exposed and thrust into the spotlight, ready to be made an example of.
Even though businesses had two years to ensure their processes and procedures were in line with the GDPR, many still worry they’ll become that company. So, why the feeling of unease? They know it’s the small, undetected and easily overlooked breaches that can be the catalysts, often snowballing into big business problems.
How do these businesses’ weak spots rupture, creating cracks for data to spill out? We explore the five most common data breaches that make victims of even the largest companies and government bodies. Take note.
Caching, as the name suggests, means creating a temporary storage area (a cache) that a browser can use to access files instead of having to re-request them from a company’s backend server.
Caches are often used to improve performance, load times and scalability, and might include the default browser cache, local or session storage, cookies or the newer browser Cache API. While some web caches have a level of coded security, they aren’t always 100% secure – making them a common point of vulnerability for businesses.
How vulnerable? Well, within the first half of 2017, more than 10 million personal records were compromised or exposed every day. This included medical records, credit card details, financial data and personal information.
It may sound simple, but the first step in ensuring your treasure chest stays buried is to, where possible, not cache sensitive information. Do this and you’ll instantly reduce the risk of your data being exposed.
If you’re after a more serious level of security, the next step is to encrypt what you do cache. However, the problem with encryption is the loss of efficiency. If the browser needs to keep going back to the backend to decrypt cached data, you may lose any performance advantage you gained from the cache in the first place.
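To make the “don’t cache sensitive information” rule something you can check, here is an added example in Python (written for this article, not code from it): it parses a response’s Cache-Control header, flags endpoints that return personal data yet remain storable by a browser or shared cache, and shows the hardened headers. The endpoint paths and sample headers are constructed for the example.

```python
NO_STORE = "no-store"  # the one directive that stops any cache storing a response

def parse_cache_control(value):
    """Split a Cache-Control header value into {directive: argument-or-None}."""
    directives = {}
    for part in value.split(","):
        name, _, arg = part.strip().lower().partition("=")
        if name:
            directives[name.strip()] = arg.strip().strip('"') or None
    return directives

def audit_response(headers, carries_personal_data):
    """Findings for one response (headers: name -> value dict); only endpoints
    that return GDPR-covered records (accounts, order history) are judged."""
    if not carries_personal_data:
        return []
    lower = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(lower.get("cache-control", ""))
    findings = []
    if NO_STORE not in cc:
        findings.append("storable: missing Cache-Control: no-store")
    if "public" in cc:
        findings.append("marked public: shared caches (CDN, proxy) may keep it")
    max_age = cc.get("max-age")
    if max_age not in (None, "0") and NO_STORE not in cc:
        findings.append(f"reusable for {max_age}s after delivery")
    if "no-cache" in cc and NO_STORE not in cc:
        findings.append("no-cache only: still stored, merely revalidated before reuse")
    return findings

def harden_headers(headers):
    """Copy of headers with caching of this response disabled at every layer."""
    hardened = dict(headers)
    hardened["Cache-Control"] = NO_STORE
    hardened["Pragma"] = "no-cache"  # honoured by HTTP/1.0-era caches
    hardened["Expires"] = "0"
    return hardened

# Constructed sample responses, as an auditor might capture them with a proxy:
# path -> (response headers, whether the body carries personal data).
SAMPLE_RESPONSES = {
    "/account/profile": ({"Content-Type": "application/json",
                          "Cache-Control": "public, max-age=3600"}, True),
    "/static/logo.png": ({"Content-Type": "image/png",
                          "Cache-Control": "public, max-age=86400"}, False),
}

def audit_all(responses=SAMPLE_RESPONSES):
    """Map each path to its findings; an empty list means the response is safe."""
    return {path: audit_response(h, pii) for path, (h, pii) in responses.items()}
```

Note that `no-cache` alone does not stop storage; only `no-store` does, which is why the audit calls it out separately.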
This is vital when ensuring your supply chain adheres to the GDPR. You need to know your supplier’s compliance, and vice versa, because you’re just as liable as they are if they break the rules with your data.
In this relationship, there are two main roles: the data controller – the person or persons who decide how any personal data is processed; and the data processor – who processes the data on the controller’s behalf.
The data controller (most likely you) is responsible for doing due diligence on your suppliers if you share data with them. Make sure you have a data processing agreement in place covering a range of areas, including the requirement that your supplier has a data protection officer to enforce relevant security standards.
One thing to remember is the data processor must only handle your data according to the processes outlined by you – the data controller.
All technology has suffered from the same Achilles heel: the possibility of human error. While it’s highly unlikely that your staff are deliberately out to get you, QinetiQ’s latest whitepaper found that 81 per cent of large organisations hacked in the last year reported that the actions of their own staff had aided the attacker.
81 per cent. A proportion that large raises some eyebrows, and it begs the question: are staff being properly educated on the impact of their behaviours?
According to the 2015 Information Security Breaches Survey, “people are the main vulnerabilities to a secure enterprise. Respondents believe that inadvertent human error, lack of staff awareness and weaknesses in vetting individuals were all contributing factors in causing the single worst breach that organisations suffered”.
Plus, with 45 per cent of employees having mistakenly shared emails containing key data with unintended recipients, it becomes clear how important staff training – and engagement in training – is.
But, let’s be honest. When that inevitable email pings into your inbox, reminding you it’s time to complete your security training, you don’t leap out of your chair with excitement. We’re all a little bit guilty of ‘deprioritising’ until we absolutely can no longer put it off.
Keeping it simple can help. After all, 20 pages of top-level security reporting hardly screams ‘read me!’. Instead, be aware of your employees’ busy schedules, and try to keep training bite-sized, engaging and relatable.
The ability to safeguard data internally is one thing, but what happens when that data is walked out of your office?
Research firm Global Industry Analysts predicts the global USB flash drive market will exceed 555 million units by 2020. That’s a lot of USBs – each, potentially, storing a lot of sensitive data.
So, where do all these walking security breaches go? One study suggested that 22,000 of them are left at the dry cleaners each year. Even worse, research by American universities suggests that 75 per cent of USBs are likely to be picked up and plugged into a computer. What does this mean for businesses’ private information? Well, for one, it means there might be 16,500 dry cleaners out there looking at files they probably shouldn’t be.
You’re probably thinking ‘this will never happen to me’. That’s what the UK’s Ministry of Defence thought too, until it became public knowledge that they’d lost 328 CDs, DVDs, and USB drives – seriously, if you want to become a spy, just open a dry cleaning business.
The solution? Where possible, businesses should work with established security vendors to strengthen their security processes. You can also look for devices that are FIPS 140-2 certified and/or Common Criteria certified – this will give you the peace of mind that they have been evaluated, approved and meet GDPR requirements. That way, even if a portable device is lost, the data can’t be read by anybody except the authorised user.
When storing data locally, operating systems don’t completely delete data by default. Instead, they simply mark files and folders as deleted and leave the underlying data in place until it happens to be overwritten. That means all devices should be securely wiped using secure data erasure before recycling or discarding.
Erasure involves overwriting and completely destroying all electronic data living on a hard disk drive or other digital media.
It’s also important to audit the systems, databases and software your business uses, to make sure they’ll allow you to delete data at an individual record level. Deleting personal data is usually tricky, because no piece of data is isolated – each data entry is linked across multiple entities and systems.
Consider an e-commerce store, for example. Personal data can be linked to every order a person makes, which is then linked to the sales reporting, shipping suppliers and so on. That’s why pseudonymisation and anonymisation are highly recommended by the GDPR. Once your processes are in place, make sure your suppliers also implement the same procedures to ensure correct erasure.
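As an added illustration of the e-commerce case above (example code written for this article, not taken from it): a constructed SQLite store in which orders link to a customer, an erasure routine that replaces the customer’s identifying fields with a random token and scrubs the linked personal fields while leaving order totals intact for sales reporting, and a check that confirms the personal data really is gone. Table and column names are assumptions made for the example.

```python
import secrets
import sqlite3

SCHEMA = """
CREATE TABLE customers (id INTEGER PRIMARY KEY, name TEXT, email TEXT,
                        pseudonym TEXT, erased INTEGER DEFAULT 0);
CREATE TABLE orders (id INTEGER PRIMARY KEY, customer_id INTEGER,
                     total REAL, shipped_to TEXT);
"""

def open_store():
    """Constructed in-memory e-commerce store with two customers and their orders."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO customers (id, name, email) VALUES (?, ?, ?)",
                     [(1, "Ada Example", "ada@example.test"),
                      (2, "Bob Example", "bob@example.test")])
    conn.executemany("INSERT INTO orders VALUES (?, ?, ?, ?)",
                     [(10, 1, 40.0, "1 High St"), (11, 1, 25.0, "1 High St"),
                      (12, 2, 60.0, "2 Low Rd")])
    conn.commit()
    return conn

def erase_customer(conn, customer_id):
    """Record-level erasure: strip identifying fields from the customer row and
    from every linked row, keeping a random pseudonym so foreign keys and
    reports still resolve. Returns the number of linked order rows scrubbed."""
    pseudonym = "erased-" + secrets.token_hex(8)
    cur = conn.cursor()
    cur.execute("UPDATE customers SET name=?, email=NULL, pseudonym=?, erased=1 "
                "WHERE id=?", (pseudonym, pseudonym, customer_id))
    cur.execute("UPDATE orders SET shipped_to=NULL WHERE customer_id=?", (customer_id,))
    scrubbed = cur.rowcount
    conn.commit()
    return scrubbed

def personal_data_remaining(conn, needle):
    """Post-erasure check: count rows where the literal value still appears."""
    n = conn.execute("SELECT COUNT(*) FROM customers WHERE name=? OR email=?",
                     (needle, needle)).fetchone()[0]
    n += conn.execute("SELECT COUNT(*) FROM orders WHERE shipped_to=?",
                      (needle,)).fetchone()[0]
    return n

def sales_total(conn):
    """Aggregate reporting that must survive the erasure unchanged."""
    return conn.execute("SELECT SUM(total) FROM orders").fetchone()[0]
```

In a real system the same scrub has to reach every downstream copy (backups, analytics exports, the shipping supplier’s records), which is exactly the audit the paragraph above asks for.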
Creating a security strategy for your business – one that complies with the GDPR – can be challenging. But when it means keeping your own and your customers’ data safe, it’s well worth the effort.