Almost two years after the GDPR came into effect, research published by Computer Disposals Limited still resonates with the current urgency engulfing companies across Europe, with regards to the severe consequences of non-compliance with EU data laws.
The study’s results show the number of, amount accrued and reasons for these fines, but along with the need to comply with GDPR. Today, it has never been more important to have the proper cybersecurity measures baked into all facets of organisational life, from processes to protocols and people.
It’s worth noting that it was the UK that racked up the highest fine amounts, mostly in part because of two highly-publicised incidents involving Marriott and British Airways last year.
The importance of these incidents, however, is two-fold. First, it shows that no company, even two large, nationally-known businesses, is exempt from the rules governed by GDPR. And secondly, it underlines the need to put in place, and then maintain, the highest standards of cybersecurity.
In the case of Marriott, its cyber-attack resulted in the exposure of personal information that affected 500 million customers. While for British Airways, customers were redirected to a fraudulent site, where their details including name, billing address, email address and payment information were all harvested. Had the right cybersecurity measures been in place, then both companies would’ve avoided the reputational damage and GDPR fines that came as a result of their negligence.
If this is an area that has been lacking within your business, then it’s imperative that you make it a priority now that 2020 is underway.
With that in mind, what exactly can businesses do to ramp up their cybersecurity offering? Vigilance is essential, and with the security landscape shifting, it’s imperative to keep up with things as they change.
Cybercriminals will always look for the easiest way to compromise security systems. The greater the control a business has over its IT infrastructure, the less likely they are to become the victim of a hack or breach. So, in terms of practical steps they can take, an annual external penetration test on IT systems should be conducted to identify weak points and, most importantly, address them going forward.
Ensuring your staff stay up-to-date by running internal awareness campaigns is also a good idea. Educating them on particular threats and practices, such as looking out for ‘phishing’ scams and frequently conducting their own internal systems testing can be small but beneficial measures that all employees should be aware of.
Additionally, a firewall can provide a source of protection, but on its own, the software is simply not adequate anymore. It’s far better to take a multi-layered approach to cybersecurity. To better improve your chances against threats, use technologies that encrypt unstructured data, automate all manual processing, condense the storage of data into one location and reinforce the safety of managed file transfers.
In the case of British Airways, personal data was exploited. Instances of this can be reduced by consolidating network access endpoints into one entry dashboard. Elsewhere, if data leakage is happening at certain stages of the supply chain, performing routine checks on all aspects of the framework, such as website traffic, social media interaction, emails and other online engagements can unearth what measures need to be taken.
With GDPR, data protection becomes more discrete, falling into two distinct tiers: the controller and the processor. To maintain the balance of power, it may be worth hiring a data protection officer to deal with data-processing activities, who can then provide an extra layer of education to all members of staff with regards to security. And, hopefully, guarantee long-term cyber protection.