Why our personal data isn't any more secure under GDPR

A leading security magazine recently asked whether GDPR has made our personal data more secure. In my opinion, the answer is a resounding no. Here’s why, along with five practical steps your organisation can take to help keep data secure.

We all received a deluge of emails in May telling us how companies have changed their privacy policies under GDPR. All this means is that they’ve identified where they hold Personally Identifiable Information (PII) and have put controls in place for how they store, use and delete that data, with appropriate processes to ensure compliance. However, that’s nothing to do with security – it’s a business issue.

Let me state it clearly - GDPR does not address the actual security of an organisation’s networks and the devices on which they store and access PII. If your perimeter is breached, GDPR is meaningless. And with data increasingly going outside an organisation as employees and partners tunnel through network perimeters or even bypass them altogether, continual good cyber security discipline is even more vital.

If you want to create an effective data security policy, you need to take a holistic look at your organisation’s entire infrastructure. It’s not just information you create; you need to include data coming in from customers, partners and suppliers and data going out, such as invoices and proposals.

The key to data security, however, is people. No technology or regulation will be effective unless all your employees adhere to your security procedures. This means defining a clear security policy, educating all employees (including directors) on why it matters and getting their buy-in and commitment.

A good place to start is achieving recognised security compliance standards, such as Cyber Essentials, ISO27001 and ISO20000. These don’t make your organisation immune from cyber-attacks, but they’ll ensure that all the core security systems are in place and give you valuable insight on your organisation’s data assets and their impact.

As you work towards those standards, or review your security policy, here are five tips to help keep your data secure.

1. It only needs one back door for security to be compromised. Regularly assess risk through vulnerability management and continuous monitoring, with independent third party reviews such as penetration testing. However, a penetration test is a point-in-time assessment, so it’s crucial to keep assessing risk throughout the year.
2. Ensure you have an enabled host firewall, web filtering and up to date antivirus and anti-spam email protection, including the ability to block and detect internal and external malicious mail. Any member of staff could bring in a virus from their home computer, but it can quickly be quarantined by local antivirus software.
3. Ensure an appropriate level of security monitoring. Where are your business critical assets and sensitive data (not just PII) and would you know if they have been breached? As a minimum, monitor and analyse internet traffic flowing out of the organisation to help identify any potential compromises on internal systems and monitor for ‘shadow IT’.
4. Aim to use two-factor authentication, rather than relying solely on passwords, and educate users regarding good password practice - CESG provides useful guidance.
5. Finally, adopt the mentality that one day you will be breached and as a minimum ensure you have a cyber security incident response procedure in place, a back-up of all business critical systems and a disaster recovery plan.