How is your Data doing?

by | 2 January 2016

Effective in 2016, Dutch and, later, Belgian companies must notify the data protection authority (“DPA”) and sometimes individuals if they suffer certain data breaches that involve personal data under their control.

Who Is Affected?

The notification duty applies to data controllers that have an establishment in the Netherlands or Belgium and process personal data in the context of that establishment. It also applies to data controllers outside the EU that process personal data using equipment on Dutch or Belgian soil.

Security is no longer just an issue for the CTO. It’s a strategic, board-level concern. Security must be a priority for businesses. Bolting on security solutions as an afterthought to business systems isn’t good enough to protect confidential data against increasingly sophisticated cyber threats.

Sometimes, the simplest errors are the most costly in security terms. Leaving a confidential document on a train, or a laptop in a taxi, or having a password that is simple to guess, are all common mistakes that companies must protect against.

The growing use of mobile devices creates greater risk, too. Employees bring their own tablets and smartphones to the office, connecting to social networks and the Internet of Things, and with these devices come more potential points of failure. Businesses commonly use messaging apps and file storage systems, which all create additional risks. Educating employees about their role in keeping the corporate network secure, and creating a culture of security, is critical.

People present the biggest risk to the business, because they are the ones who make the mistakes that attackers can exploit. Board members can be even more vulnerable than most: they are more likely to travel with confidential documents than more junior employees, and will certainly have access to the most sensitive company information. They may be more experienced in business, but they may not be as tech-savvy as other employees.

The senior leadership team should be focused on cybersecurity and set it as a priority for the company. Security should be discussed regularly at board level, and action taken to mitigate vulnerabilities.

It is important to have a long-term plan to protect the network, employees (and their devices), and documents, and to test that plan regularly using third-party penetration testing. This plan might include the following steps:

Avoiding breaches caused by human error

Review internal security regularly: enforce password changes, and limit what can exist outside the firewall. Regularly train employees in handling sensitive data, and keep tight control over who has access to it.

Create a clear protocol for what happens if a password is stolen, and ensure your systems can revoke access rights to confidential data if needed. Always know where confidential documents are, at any given point, to avoid the risk of papers being left in a cab or overlooked on a plane.

Securing confidential documents

Never use unsecured email to send sensitive documents, and ideally avoid printing documents entirely. Use collaboration tools built with security in mind to communicate confidential information. Ensure that data is always encrypted: in transit, and also when documents are stored on servers or devices.

Securing your datacenter

If you (or your suppliers) use a datacenter, secure the servers on which sensitive data is stored, and use physical security such as on-site guards, CCTV, strict access control, and generator backups to keep the data safe and online.

Include redundant facilities to enable systems, storage and networks to continue operating even if something does happen to the primary systems. Back up data to a secondary, geographically separate disaster recovery environment and monitor your data 24/7.

Keeping the network secure isn’t an easy task, but the best place to start a culture change is at the top. And there are some challenges in making the easiest thing to do also be the most secure thing to do.

And remember, we must act now to see that the ‘prevention rather than cure’ principle is fully applied in the future.
