Regulatory compliance: Are small-to-medium sized businesses ready?

Upcoming regulations are due to pose significant challenges to UK organisations that hold data. GDPR and the recently published UK Data Protection Bill, which is designed to bring UK organisations into line with their European cousins, are complex pieces of regulation that must be built into plans for the next year.

However, given the sheer scale of these regulations, many businesses might be fooled into thinking that only large businesses need to comply, but the reality couldn't be further from the truth. Any organisation that handles the personal data of EU citizens, regardless of size, industry or location, must comply with the new regulation. With less than nine months left for businesses to prepare for the biggest shake-up in data privacy and protection, compliance is critical to every organisation's security strategy. Under GDPR, failure to comply will be costly, with fines of up to €20 million or four per cent of annual turnover.

The full GDPR requirements are extensive, and many businesses will have to do considerable work to meet even the most basic among them. In particular, SMBs in the UK with operations or supply chains in the EU need to focus their attention on both GDPR compliance and their wider cyber-security posture. As UK SMBs come under GDPR, they face a level of scrutiny around data management that many of them are unlikely to have experienced before. This adds to the concern around the regulation, with UK SMBs lacking confidence that they can meet the stringent security requirements it specifies.

SMB security landscape

We recently conducted some research on this subject and found that one fifth (20 percent) of UK SMBs hadn't begun the compliance process for GDPR. Meanwhile, nearly three-quarters (73 percent) of those businesses that need to comply didn't think customer data would be any safer with GDPR in place.

Another, possibly more concerning, problem is that 51 per cent of SMBs have admitted that they believe they're too small to be targeted by cyber-criminals. Ultimately, this leaves them not only under-prepared but under-resourced to deal adequately with a potential cyber-breach. This is especially true as targeted attacks now often focus on small-to-medium sized businesses using techniques such as RDP brute-force attacks. These compromise critical resources, dropping malware and Trojans into customer environments that encrypt data and steal credentials.

Some basic steps can be taken to improve security and better protect the data that businesses store. Here are some general tips for protecting the IT environment and thwarting the malware threats SMBs face.

- Make sure that endpoint security is installed and set up correctly.
- Regularly check that backups are working, that data integrity is maintained and that data can be restored to the host.
- Ensure that the latest Windows updates are applied and keep all plugins up to date; these steps should be part of the management regime.
- Use a modern browser with an ad-blocking plugin.
- Disable autorun: although a useful feature, it is used by malware to propagate itself around a corporate environment.
- Disable Windows Script Host: VBScript and PowerShell are examples of scripting languages used by malware authors either to cause disruption in an environment or to run processes that download more advanced malware.
- Have users run as limited users and NOT as admins: this matters because some current ransomware threats are capable of browsing and encrypting data on any mapped drive that the end user has access to. Restricting users' permissions on shares and on the underlying file systems of mapped drives limits what the threat is able to encrypt. Gaining access to an admin account also gives a would-be attacker access to all network resources and the rights to do things such as create accounts.
- Show hidden file extensions: ransomware such as CryptoLocker frequently arrives in a file named with a double extension like “.PDF.EXE”. The malware writer counts on the default Windows behaviour of hiding known file extensions, so the file appears to be a harmless PDF. If full file extensions are visible, it is easier to spot suspicious files.
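Several of these tips correspond to Windows settings that can be audited rather than taken on trust. The read-only PowerShell script below is an added example, not part of the original article or of Webroot's tooling; it reads the standard Windows registry locations for autorun, Windows Script Host and hidden extensions, checks the current user's admin role, hotfix age and Defender real-time protection, and the function names are our own.

```powershell
# Added example (not from the original article): read-only audit of the Windows
# settings behind several of the tips above. Registry paths are the standard
# Windows locations; Test-SmbHardeningBaseline and Get-RegValueOrNull are our own names.
function Get-RegValueOrNull {
    param([string]$Path, [string]$Name)
    try {
        (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name
    } catch {
        $null   # key or value absent, so the Windows default applies
    }
}

function Test-SmbHardeningBaseline {
    $results = @()

    # Autorun: NoDriveTypeAutoRun = 0xFF (255) disables AutoRun on every drive type.
    $autorun = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' 'NoDriveTypeAutoRun'
    $results += [pscustomobject]@{ Check = 'Autorun disabled'; Pass = ($autorun -eq 255); Value = $autorun }

    # Windows Script Host: Enabled = 0 stops wscript/cscript running .vbs/.js/.wsf files.
    $wsh = Get-RegValueOrNull 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings' 'Enabled'
    $results += [pscustomobject]@{ Check = 'Windows Script Host disabled'; Pass = ($wsh -eq 0); Value = $wsh }

    # File extensions: HideFileExt = 0 shows "invoice.pdf.exe" in full in Explorer.
    $hideExt = Get-RegValueOrNull 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' 'HideFileExt'
    $results += [pscustomobject]@{ Check = 'File extensions shown'; Pass = ($hideExt -eq 0); Value = $hideExt }

    # Least privilege: the interactive user should not hold the Administrators role.
    $principal = [Security.Principal.WindowsPrincipal][Security.Principal.WindowsIdentity]::GetCurrent()
    $isAdmin = $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
    $results += [pscustomobject]@{ Check = 'Running as limited user'; Pass = (-not $isAdmin); Value = $isAdmin }

    # Patching: flag hosts whose most recent hotfix is older than 30 days.
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    $fresh = $lastFix -and ($lastFix.InstalledOn -gt (Get-Date).AddDays(-30))
    $results += [pscustomobject]@{ Check = 'Windows updates recent (30d)'; Pass = [bool]$fresh; Value = $lastFix.InstalledOn }

    # Endpoint protection: Defender real-time protection (skipped if the module is absent).
    if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
        $mp = Get-MpComputerStatus
        $results += [pscustomobject]@{ Check = 'Real-time protection on'; Pass = $mp.RealTimeProtectionEnabled; Value = $mp.RealTimeProtectionEnabled }
    }

    $results
}

Test-SmbHardeningBaseline | Format-Table -AutoSize
```

Any row with Pass = False points at a tip that is not yet in effect on that host; the script changes nothing itself.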

The cold, hard truth is that today's threat landscape is becoming more advanced and cyber-criminals are getting smarter. Given the current climate around data security and breaches, it is not a question of if your organisation will be affected, but when. UK SMBs need to wake up to the fact that their businesses are prime targets for cyber-criminals.

Popular misconceptions

Although businesses clearly have a basic understanding of GDPR, the underlying issue is that SMBs believe the new regulation is simply an advisory measure, one that allows participating organisations to highlight their compliance online and in marketing materials. In fact it is compulsory law that sets out to protect the data of European consumers and forces organisations to disclose breaches as soon as possible. This highlights a real need for education by the channel, and an opportunity for MSPs and channel partners who can help bridge the knowledge gap and assist their customers with security audits and a review of existing systems.

SMBs operating across Europe really need to adopt a multi-layered security approach to meet GDPR. That includes network security, antivirus protection and thorough data protection. To ensure the economy can continue to grow in this increasingly complex legislative framework, government and the wider security industry must collaborate to support SMBs through the process of becoming compliant.

GDPR also brings real benefits for citizens, because businesses are obliged to report breaches immediately rather than concealing them for months for fear of brand damage. Individuals will be better protected from the ever-increasing number of identity theft and social engineering attacks born of some of the high-profile data breaches of the past few years.

Five tips to get your business ready for GDPR

1. Act now and ask for help. This is the biggest change to data protection laws since the current EU Data Protection Directive was passed in 1995. Getting ready for the GDPR will require time and resources to implement new processes, so it's crucial to get started now so that your business is ready. Business owners are not expected to be experts on this kind of thing; ask your local IT provider to support your efforts.

2. Know your data. Find out what data, and what personal data, your organisation holds, where it is stored and in which systems. Audits and the resources for this work should be scheduled sooner rather than later.

3. Delete. Make sure that any data you do not need is deleted securely. There are legal requirements to retain certain types of data, but where retention is not required, disposing of data reduces risk. This needs to be done professionally with specialist equipment or software.

4. Communicate. With any process change, effective communication is essential. Proper internal communication to all employees and external communication to suppliers will make them aware of the changes and give them time to amend their own processes.

5. Assess. Consider a privacy impact assessment. When auditing the business's processing of personal data in relation to GDPR, decide whether a privacy impact assessment is required. Consider whether invasive means of collecting personal data are used and whether the data is processed fairly and lawfully. Individuals must be informed, in a transparent fashion, about the purpose of use and how the business processes their personal data.

Contributed by Adam Nash, EMEA Manager at Webroot

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media or Haymarket Media.