General Data Protection Regulation: How Sophos can help
It has been a while since the European Parliament adopted the new General Data Protection Regulation, also known briefly as GDPR, on 14 April 2016. This will now enter into force on 25 May 2018, giving companies just two years to prepare for the new regulation. In the meantime, much has been read about it, as US companies are also obliged to comply with the General Data Protection Regulation.
In this article, we want to show how Sophos can help you comply with the new General Data Protection Regulation. We do not go into detail on what is written in the 11 chapters, divided into 99 articles, of the GDPR. Much of the current wording is still rather vague and it is difficult to define the texts precisely. The lobbyists have done a good job, because larger companies can afford years of litigation to negotiate the wording. However, this is not so great for small and medium-sized enterprises, because we would have preferred it to be clearly defined. The first suit will show how some articles are to be understood.
Right at the beginning, since we are at home in Switzerland as Avanet: Yes, Swiss companies with EU customers are also affected by the General Data Protection Regulation.
Many companies are therefore currently doing nothing at all and accept the risk of being sued. Some states have already announced that they do not have the resources to investigate the complaints.
So what is the new general regulation?
Here are a few examples to get a feel for what it’s all about and how IT security can help:
- EU citizens have the right to request personal data from companies.
→ Some companies already have a problem here. A worker may be employed for hours to collect this data.
- EU citizens can request the deletion of their data.
→ Also here a small challenge to the IT, because also the backups are meant with it. Not every software can delete individual records from backups. This is also in conflict with data retention.
- If data is stolen from a company, there is a reporting obligation, unless the data has been encrypted.
→ Exactly with this example we are now on the subject, because IT security suddenly plays an important role here.
IT security must be taken seriously
We personally like the fact that the basic data protection regulation provides further arguments that the topic of IT security simply has to be taken seriously. Who ignores it and still has the feeling that he does not need a clean solution for his company, will sooner or later be punished for gross negligence. Too often we still see PCs, servers or other systems hanging directly on the Internet without protection! Current updates and patches are ignored again and again.
Even if Windows XP no longer receives patches, this does not mean that the system is now secure. Some may laugh now, but there really are people who believe that!
We also often see people surfing the Internet with browsers that have not received updates for a very long time. Uses a modern browser that is state-of-the-art in terms of security.
Ransomware industry thinks in new directions
We live in an age in which ransowmare and exploits are among the more successful methods of attack. This industry is, of course, also preparing for 25 May. New ransomware has already been sighted, which no longer encrypts the data and requires bitcoins for decryption, but loads company data into the Internet in the background for weeks and then displays the following message:
We have your data! Send us XXX Bitcoins, or we will publish them.
Now even the backup, which many had as a solution against the encryption of the previous Ransomware, does not help any more. If the data are published, the company will suffer damage to its image on the one hand and a fine of up to 20 million euros or 4% of the annual turnover on the other hand.
Protection: Simple and relatively inexpensive
There are a few simple ground rules you should follow:
- use a current operating system (PC, server, smartphone, IoT devices)
- do regular software updates
- install a professional antivirus
→ In our opinion, Avira, Avast, Windows Defender and the like are not enough when you look at their technology. I deliberately write technology because the marketing or website copywriter of these solutions is doing a really good job. If you believe the descriptions, these free products also protect against everything. In addition, I would always recommend Sophos Intercept X. For servers, there is Sophos Server Protection.
- Encrypt your data carriers (hard disks, USB sticks, etc.)
→ Helps with the loss of a device. Bitlocker for Windows and FileVault for macOS is a good solution here. This can be enabled manually on a few computers or centrally managed on many devices using Sophos Device Encryption .
- Encrypt your files
→ Here you can find software like VeraCrypt (also free successor of Truecrypt) or Cryptomator. A disadvantage of the first one is that everything is stored in a container, which for many reasons is cumbersome and not very secure (e.g. only one password for all data). With Cryptomator (free) this is better solved. Each file is encrypted with its own key (including the file name) and the files remain separate, which is better for a backup than the container solution. What do you get from Sophos? From our point of view, nothing really useful for smaller companies. Unless you want to run a Windows server with DB and AD connection. In this case, Sophos SafeGuard would be a good solution. No matter which product you use, a good encryption stands or falls with a secure password! But don’t use the same “secure” password everywhere.
The GDPR explicitly mentions encryption as an appropriate method for protecting data in the event of a data breach (Article 34).
- Train User
→ It is always the case with protective mechanisms: they should be present, but in the best case they should never be used. This is exactly what happens with a backup, for example. But some users don’t know better and click every link and respond positively to phishing emails, which can have a negative impact on IT security. For this reason, we have for example Sophos Phish Threat. This allows you to create phishing campaigns and test employees. Afterwards they will be trained. This method is intended to increase awareness that an e-mail is not always genuine, even if it has been copied almost perfectly.
- Securing mobile devices
→ Company emails, contacts and calendars are very often located on mobile devices. Today, company data is also carried around with you, of course. That’s why you should be able to protect your notebooks, smartphones or tablets and define uniform policies or delete them if necessary. Sophos Central Mobile.
- Secure Networks
→ If you now meet at least 50% of the above mentioned points, you can dedicate yourself to network security. A correctly configured firewall can make a difference and even the wireless networks can be secured with it. Sophos XG Firewall.
- Encrypt Emails
→ How long have you been talking about encrypting emails? Very long! But only in certain industries has this become established, as it is still not very comfortable. Sophos would also have a few solutions here, but here too I must honestly say that I do not think they are either SME-compatible or mature.
These are the rough points we would like to suggest to you so that you are not among the first to unexpectedly violate the GDPR. 😉
Finally, as is usually the case, a few PDFs from Sophos itself that have addressed this issue.