Karl McDermott from Three cites the three key vulnerabilities that must be addressed ahead of GDPR: technology, processes and people.
The General Data Protection Regulation (GDPR) comes into effect in less than a year and a significant number of Irish businesses still have no plans in place to deal with data breaches.
A network security perimeter is no longer a guarantee of data security. There is simply too much data being accessed, worked on and shared outside the protective confines of the network.
Many of the data security issues challenging businesses today arise from the fact that fewer employees now spend their time in the same way as the phishers, hackers and spammers: sitting in front of a screen at a desk. Instead they are out on the road, working from home, at a customer’s premises or in a coffee shop, using one of any number of mobile devices available to them.
This means that, just like the perimeter itself, earlier investments in security to protect your business’s network perimeter now need to be enhanced. Now, the challenge for every business is to enable mobile communications that are not only seamless but also flawlessly secure – from anywhere and on any device.
Data security for a business is still possible to achieve, as long as you are aware of your three key vulnerabilities and how to address them.
In light of the impending GDPR, it is vital that Irish businesses address these vulnerabilities, which are the technology you use, the processes you work to and the people involved with both.
One way to minimise the risk posed by your mobile employees is to use a sandbox. This technology separates business apps from personal apps on devices. Business apps and company data can remain within the sandbox, where they can be worked on and shared via secure business networks.
The separation from non-business apps offers some protection. For example, if an employee wanted to share company data to Dropbox, or to attach it to an email from their personal Gmail account, they simply won’t be able to. Similarly, they won’t be able to import data from outside the sandbox, where it could have been corrupted or infected, to inside the sandbox.
Employees will, however, need to communicate and share data both internally within the business and externally with customers and business partners, and these communications will need to be secure. Customers will also want to communicate securely with your business – whether to make enquiries, place orders or make payments. How can you ensure that the communications are only accessible by the people they are intended for? As more applications now reside in the cloud rather than within the corporate network, there’s also the challenge of maintaining security as employees or customers connect to them.
In the past, the answer has been to establish a virtual private network (VPN), providing security equivalent to the organisation’s private network even when outside it. This is a tried and tested solution, but also a time-consuming and cumbersome one, as a new VPN connection has to be established for every communication session.
Now there’s an equally secure but much more convenient solution in the form of the micro-VPN, which has the same function but is established automatically and instantaneously with every communication.
Among the processes your business works to, one critical process is to regularly back up all data offsite. This will enable your business to continue to function in the event of a ransomware attack, which would otherwise make your business’s own data inaccessible until you pay a ransom.
Regular and frequent software updates are also essential to keep your data secure. One reason the NHS suffered so badly in the WannaCry attack was the widespread use of software that hadn’t been updated.
Out-of-date software tends to have numerous known vulnerabilities that attackers can exploit. Research has shown that scheduling regular updates makes it more likely that people adhere to the schedule, keeps each update smaller and quicker to apply, and leaves a smaller window of opportunity for attack.
Unfortunately, even if you take all the above steps to secure your data, there still remains the data security risk that’s the most vulnerable and unpredictable of all: people.
Phishing attacks exploit this vulnerability by tempting people to click on a link without first checking its source. More sophisticated attacks spoof regular emails. They may use an email address which looks legitimate or the email may even be disguised as coming from another department or colleague within the business.
Employees must be trained to be alert to such possibilities at all times, and to never click a link in an email that is not from a trusted source. Advise them to, at best, ignore the email completely or forward it to the IT team to check. At worst, copy and paste the link into a browser rather than clicking on it.
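The "check its source" step above can be partly automated on the defender's side. The following is an added example written for this page, not code from the author or from Three: it parses the HTML body of an email, pulls out every link, and flags two of the tricks the paragraph describes, namely link text that shows one address while the real target is another, and a target domain that merely looks like the business's own. The `TRUSTED_DOMAINS` set and the sample email are constructed for the example, and the "registrable domain" helper is a deliberate simplification (last two labels only; a real deployment would consult the public suffix list).

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed assumption: domains the business legitimately links to in its mail.
TRUSTED_DOMAINS = {"example-bank.ie"}


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Hostname of a URL; bare 'www.x.y' display text is treated as a URL too."""
    parsed = urlparse(url if "://" in url else "http://" + url)
    return (parsed.hostname or "").lower()


def registrable(host):
    """Simplified registrable domain: the last two labels (assumption, see lead-in)."""
    parts = host.split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host


def check_links(html_body):
    """Return one finding per link with the reasons, if any, it looks like phishing."""
    collector = _LinkCollector()
    collector.feed(html_body)
    findings = []
    for href, text in collector.links:
        href_host = host_of(href)
        reasons = []

        # Trick 1: the visible text is itself a URL, but points somewhere else.
        if text.lower().startswith(("http://", "https://", "www.")):
            if registrable(host_of(text)) != registrable(href_host):
                reasons.append("display text points at a different site than the real link target")

        # Trick 2: the target is not a known business domain, possibly a lookalike
        # that embeds the business name in a subdomain (e.g. example-bank.ie.evil.net).
        if registrable(href_host) not in TRUSTED_DOMAINS:
            reasons.append("link target is not on the trusted domain list")
            for trusted in TRUSTED_DOMAINS:
                label = trusted.split(".")[0]
                if label in href_host:
                    reasons.append(f"host imitates trusted domain {trusted}")

        findings.append({
            "href": href,
            "text": text,
            "host": href_host,
            "suspicious": bool(reasons),
            "reasons": reasons,
        })
    return findings


# Constructed sample: one genuine link, one spoofed link, one plain-text link.
SAMPLE_EMAIL = """
<p>Your invoice is ready.</p>
<a href="https://www.example-bank.ie/invoices/1042">https://www.example-bank.ie/invoices/1042</a>
<a href="http://example-bank.ie.secure-login-check.net/reset">https://www.example-bank.ie/reset</a>
<a href="https://share.example-bank.ie/docs/q3">Q3 report</a>
"""

if __name__ == "__main__":
    for finding in check_links(SAMPLE_EMAIL):
        flag = "SUSPICIOUS" if finding["suspicious"] else "ok"
        print(f"{flag:10} {finding['host']:45} {'; '.join(finding['reasons'])}")
```

Run against the sample, only the second link is flagged, with both reasons attached; the IT team receiving forwarded mail can use a check like this as a first triage pass before a person looks at the message.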
Be ready to share
While sharing business data needs to be strictly regulated and should only take place when correct processes have been followed, sharing information on security breaches needs to be encouraged and become the norm.
From May 2018, GDPR will put data protection practices at the forefront of agendas for companies worldwide – make sure you’re ready for it.
Karl McDermott is head of 3Connected Solutions at Three. He has been leading the development of Three’s ICT solutions for business customers since 2010, playing a key role in Three’s evolution from mobile operator to end-to-end ICT partner. In all, McDermott has more than 20 years’ experience in ICT and holds a master’s degree in engineering.