Small and medium-sized enterprises (SMEs) have a responsibility to protect the data they hold about their employees and clients. This is the same across all sectors and industries: schools store data about their pupils, hospitals hold extensive patient health records, and law offices store client records and legal cases. This data needs to be stored systematically and protected from theft and misuse. Essentially, no company or organisation is “off the hook” from the fast-approaching changes in data protection law, and every company runs a high risk if it does not become GDPR compliant by May 2018.
With the General Data Protection Regulation (GDPR) set to come into effect on 25 May 2018, two approaches seem to be developing among businesses.
There is one camp which tends to consist of large organisations who are doing all they can to meet GDPR requirements. They are cognisant of the implications if their data is breached, such as reputational damage and penalties that reach an upper limit of €20 million or 4 per cent of annual turnover, whichever is greater.
Wait and see
The other camp generally consists of smaller and medium-sized organisations that are adopting a ‘wait and see’ attitude. Many business owners – and their lawyers – believe that GDPR mainly addresses and affects large corporations that collect and process huge amounts of personal and sensitive data, such as social networks, cloud providers or search engines. However, the regulation applies to all companies, no matter how big they are or how much turnover they make. The ‘wait and see’ thinking rests on the expectation that they will learn from organisations that unwittingly breach GDPR mandates; in short, they want to see what happens when a peer company falls foul of the legislation.
It's potentially a dangerous game; many businesses understand that the threat of insolvency or even closure as a result of GDPR penalties is very real.
Under the GDPR mandate, companies have to approach data protection by ‘design and default’. This means that companies must secure their systems and processes so that data cannot leak out and is not easily compromised.
Back-up and storage
The steps to GDPR compliance are many and are largely informed by the type and size of the organisation and the sensitivity of the data they hold.
For lots of small and medium-sized organisations, securing data storage and back-up functions is a common foundational step and one that many are making a priority.
This is understandable. Within the context of GDPR, businesses are required to perform an impact assessment to see if the loss or theft of data they are dealing with has serious implications.
Given that data storage and backup by definition involve important data, businesses need to be sure they are taking the appropriate steps to protect these processes, which typically means securing and locking down network attached storage (NAS).
Depending on who you talk to, different approaches will be emphasised, but I believe for the SME sector the following are absolutely fundamental:
· Locking down the storage root directory – the root directory is like the main trunk of a tree from which all the other branches grow. Attackers make heavy use of rootkit tools against it; there is a thriving cyber underground market for rootkit tools, accessed largely via the dark web. Rootkits allow attackers to hide viruses and malware in plain sight by disguising malicious code as important files that antivirus software will overlook. As such, the NAS operating system needs to be closed so that even the system administrator cannot gain access to it. This firmly shuts the loopholes that rootkits and sophisticated attackers typically exploit.
· Secure setup – often, when a company is configuring a NAS system, an internet connection is required to set up the account and enable remote access. For some NAS systems this is standard practice; however, it is also a process that attackers exploit, stealing usernames and passwords as the data travels outside the company network and across the internet.
· Tough encryption – data stored on hard drives can be plundered. Encrypting the drives with AES-256, which cannot be brute-forced with any foreseeable computing power, means the data cannot be read even when the drives are removed.
These are critical points that go a long way towards meeting GDPR mandates. Of course, other security elements can also be deployed, such as enabling HTTPS and SFTP encrypted data transfer if data storage and backup are carried out remotely.
It is even better if the NAS has an antivirus function that detects infected files on the storage and automatically stops them from being shared with other systems on the network, preventing malware from spreading through the storage system. Another useful feature is robust password management, so that only authorised personnel can access data storage and backup functions.
Taken together, these steps create a potent, layered approach to data storage security.
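The points above (no share exporting the storage root, no unauthenticated access, encrypted transfer, and writable shares limited to authorised users) can be checked mechanically. The script below is an added example, not code from the original article or from Buffalo; it assumes the NAS serves its shares over SMB and is configured with a Samba-style smb.conf, and both configurations it audits are constructed for illustration. It flags the weak settings and passes the hardened counterpart.

```python
"""Audit a NAS share configuration against the hardening points above.

Added example (not from the article or from Buffalo). Assumes a Samba-style
smb.conf; the weak and hardened configurations below are constructed.
"""
import configparser
from dataclasses import dataclass

# Constructed weak configuration: root directory exported, guest access on,
# legacy SMB1 dialects allowed and transport encryption switched off.
WEAK_SMB_CONF = """
[global]
server min protocol = NT1
smb encrypt = off
map to guest = Bad User

[backups]
path = /
guest ok = yes
writable = yes

[hr]
path = /srv/nas/hr
valid users = @hr
read only = no
"""

# Constructed hardened counterpart: SMB3 only, encryption mandatory, shares
# bound to a real path and limited to named groups.
HARDENED_SMB_CONF = """
[global]
server min protocol = SMB3
smb encrypt = required
map to guest = Never

[backups]
path = /srv/nas/backups
valid users = @backup-operators
writable = yes

[hr]
path = /srv/nas/hr
valid users = @hr
read only = no
"""

LEGACY_PROTOCOLS = {"CORE", "COREPLUS", "LANMAN1", "LANMAN2", "NT1"}


@dataclass(frozen=True)
class Finding:
    section: str   # "global" or the share name
    severity: str  # "high" or "medium"
    check: str     # stable identifier of the failed check
    message: str   # human-readable explanation and suggested fix


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """Parse smb.conf-style text. Interpolation is disabled because Samba
    uses % macros (e.g. %U) that configparser would otherwise try to expand."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    return cp


def _is_yes(value: str) -> bool:
    return value.strip().lower() in {"yes", "true", "1"}


def audit_nas_config(text: str) -> list:
    """Return a list of Findings for the given configuration (empty if clean)."""
    cp = parse_smb_conf(text)
    findings = []
    g = cp["global"] if cp.has_section("global") else {}

    # Encrypted transfer: refuse SMB1/LANMAN and require SMB3 encryption.
    if g.get("server min protocol", "NT1").upper() in LEGACY_PROTOCOLS:
        findings.append(Finding("global", "high", "legacy-smb1",
                                "SMB1/LANMAN dialects accepted; set 'server min protocol = SMB3'"))
    if g.get("smb encrypt", "off").lower() not in {"required", "mandatory"}:
        findings.append(Finding("global", "high", "smb-encrypt-not-required",
                                "SMB encryption not mandatory; set 'smb encrypt = required'"))
    if g.get("map to guest", "Never").lower() != "never":
        findings.append(Finding("global", "medium", "guest-mapping",
                                "failed logins are mapped to guest; set 'map to guest = Never'"))

    for share in cp.sections():
        if share == "global":
            continue
        s = cp[share]
        path = s.get("path", "").strip()
        # Locking down the root directory: a share must never export '/'.
        if path in {"", "/"}:
            findings.append(Finding(share, "high", "root-path-exported",
                                    "share exports the storage root directory"))
        if _is_yes(s.get("guest ok", "no")):
            findings.append(Finding(share, "high", "guest-access",
                                    "share allows unauthenticated guest access"))
        writable = (_is_yes(s.get("writable", "no"))
                    or s.get("read only", "yes").strip().lower() == "no")
        # Access control: writable shares should be limited to named users/groups.
        if writable and not s.get("valid users", "").strip():
            findings.append(Finding(share, "medium", "writable-unrestricted",
                                    "writable share is not restricted with 'valid users'"))
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_SMB_CONF), ("hardened", HARDENED_SMB_CONF)):
        result = audit_nas_config(conf)
        print(f"{name}: {len(result)} finding(s)")
        for f in result:
            print(f"  [{f.severity}] {f.section}: {f.message}")
```

Run against the weak configuration the audit reports six findings (three global, three on the `backups` share); the `hr` share passes because it is bound to a real path and limited to the `@hr` group. The hardened configuration produces no findings. The check identifiers are stable so the script can be wired into a periodic compliance check that fails when a new finding appears.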
GDPR is very clear in its aims: to put an end to the seemingly endless stream of damaging sensitive data leaks by ensuring companies take security and the protection of sensitive information much more seriously. However, as with any piece of new legislation, there is always an initial gap between the principles it enshrines and the practical reality of how they are enforced.
It is clear that some companies are viewing this period of change as a testing ground. That said, it is also clear that companies hit by data loss that have not taken sufficient steps to protect their data are likely to pay a significant price: not just from their pockets, but also in the reputation stakes. No one wants to entrust their data to a company that cannot look after it.
The means are available to build strong data protection defences, and given how much is potentially at stake, GDPR compliance is not something that should be left to chance.
Raj Patel, UK & Ireland B2B manager, Buffalo Europe
Image Credit: Pitney Bowes Software