Implementing GDPR in the cybersecurity landscape – 4 objectives
A new European privacy act, the General Data Protection Regulation (GDPR), is now being enforced, and it will permanently change the way organisations across the globe collect, store and process data. Technology keeps changing with new advances every day, and it has become almost impossible for the average user to imagine a day without the internet. We rely on it continuously to send emails, share documents, pay bills and even purchase goods, exposing our personal details online and increasing the risk of becoming the target of cyber attacks.
Credit card information, contacts, addresses, social media posts and IP addresses are all stored digitally and could get into the wrong hands. The intended outcome of the GDPR is to create a standardised set of expectations about how an organisation must manage and protect personally identifiable information on employees, clients and other applicable data subjects. Implementing GDPR is supposed to give all internet users better control over their personal data and provide them with the certainty that their personal information is being protected.
The penalties for non-compliance with GDPR are serious (British Airways was recently fined $230 million for a 2018 data breach that affected 500 000 customers), which means that now is the time to prepare. Here are the four main security-related outcomes of GDPR that all organisations processing personal data should seek to achieve:
- Manage security risk
- Protect personal data against cyber attacks
- Detect security threats
- Minimise the impact of attacks
GDPR aims to ensure that personal data is collected lawfully and under strict guidelines. Organisations that obtain personal information are obliged to secure it against corruption and misuse. Data breaches are inevitable, whether they occur through a careless act by an employee, partner or third party, or through an attacker with malicious intent. Regardless of who is at fault, under GDPR your organisation is ultimately responsible.
The question is whether there is a way for companies to minimise the risk of data breaches and comply with GDPR, and there is a simple answer: cyber security training is your first and most important line of protection. A well-informed team is critical to establishing and maintaining a security policy. Training should be multi-layered, including everyone from the boardroom to the shop floor, and data security should be an integral part of an organisation's business culture, with an ongoing cycle of improvement. All employees also need to understand that everyone has a part to play in protecting company and customer data.
Staff training can ensure that an organisation's employees work in ways that reduce security risk, recognise suspicious emails and other types of cybercrime, and understand the importance of anti-malware software. It is also essential to obtain confirmation that your staff have completed and understood the training. The organisation's management also needs to ensure that its IT department takes responsibility for regular vulnerability scans and for updating the software and hardware on all systems on the network, which can be achieved using F-Secure's RADAR vulnerability management software.
GDPR will shift the landscape of cybersecurity and of protecting against security breaches, and the measures mentioned above are some of the effective steps an organisation can take to make the necessary preparations.