Organizations, especially those collecting and using personal data, must take the necessary measures to ensure the confidentiality, integrity, and security of that data, and thereby comply with the GDPR as stated in Article 5. This objective can only be achieved by following best practices in protecting and maintaining IT systems. Below are some cybersecurity tips that should be taken into consideration.
To be GDPR compliant and to protect the personal data collected and used by employees, companies have to keep their IT systems secure. One of the basic steps in this direction is to protect your network with a firewall. It adds a layer of security and filters the traffic that comes from the Internet into your computer system or private network. A well-configured firewall can protect your organization from unauthorized access and intrusions from the Internet.
Another important cybersecurity element is to restrict access to critical information and grant permissions only to the people and systems that you trust. The employees of your organization should have access permissions only to the extent required for them to fulfill their duties.
According to best practices in information security, there should be no shared user accounts. Each user should have a separate username and password so that you have a clear overview of what is happening in your organization. In addition, in case of a security breach, you will have a starting point to drill down into your logs and find the root cause.
When it comes to passwords, there should be a policy that ensures employees use strong passwords containing a combination of letters, numbers, and symbols. To prevent unauthorized access and to defend against brute-force attacks, organizations should limit the number of unsuccessful login attempts; once the limit is reached, the account should be locked out. In addition, access to valuable business data such as online banking or password managers should be further protected with two-factor authentication. Furthermore, whenever an employee leaves the company or is absent for a long period, their password and user access must be revoked immediately.
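The policy above (individual accounts, a password-composition rule, a cap on failed logins with lockout, and a per-user audit trail to drill into) as a small worked implementation. This is an added example, not code from the original article; the threshold of 5 attempts, the 15-minute lockout window, the 12-character minimum and the sample credentials are assumptions.

```python
import hashlib, hmac, secrets, string
from datetime import datetime, timedelta, timezone

MAX_FAILED_ATTEMPTS = 5                   # assumed threshold; the article sets none
LOCKOUT_DURATION = timedelta(minutes=15)  # assumed lockout window


def password_meets_policy(pw: str) -> bool:
    """Letters, digits and symbols as the article requires; the 12-char minimum is assumed."""
    return (len(pw) >= 12 and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def hash_password(pw: str, salt: bytes) -> bytes:
    # Salted, deliberately slow hash so a stolen account store is costly to crack
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 200_000)


class AccountStore:
    def __init__(self):
        self.accounts = {}   # username -> salt, hash, failed count, locked_until
        self.audit_log = []  # (time, username, event): the trail to drill into later

    def add_user(self, username: str, pw: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password does not meet policy")
        salt = secrets.token_bytes(16)
        self.accounts[username] = {"salt": salt, "hash": hash_password(pw, salt),
                                   "failed": 0, "locked_until": None}

    def login(self, username: str, pw: str, now: datetime = None) -> str:
        now = now or datetime.now(timezone.utc)
        acct = self.accounts.get(username)
        if acct is None:
            self.audit_log.append((now, username, "unknown_user"))
            return "failed"
        if acct["locked_until"] and now < acct["locked_until"]:
            self.audit_log.append((now, username, "rejected_locked"))
            return "locked"
        if hmac.compare_digest(hash_password(pw, acct["salt"]), acct["hash"]):
            acct["failed"], acct["locked_until"] = 0, None   # success resets the counter
            self.audit_log.append((now, username, "success"))
            return "ok"
        acct["failed"] += 1
        if acct["failed"] >= MAX_FAILED_ATTEMPTS:
            acct["locked_until"] = now + LOCKOUT_DURATION
            self.audit_log.append((now, username, "locked_out"))
            return "locked"
        self.audit_log.append((now, username, "failed"))
        return "failed"
```

The `audit_log` entries are keyed by the individual username, which is what makes the post-incident drill-down the article mentions possible; with a shared account every entry would look the same.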
Another fundamental cybersecurity element is the use of an anti-virus program to protect data from cybercriminals. The network should be scanned for malicious software regularly and the results should be evaluated. It is important not only to run such a program but also to review its warnings and act on them. On some occasions, people ignore the signs and signals they get from the antivirus program and only realize that their data has been compromised when it is too late.
Yet another cybersecurity tip is to keep your software up to date. If the software used in your organization is a few years old, its security must be reviewed and evaluated to ensure it is still adequate.
To maintain a high level of security, consider performing regular penetration tests: confirm that security updates are available and have been applied, and test the operating systems, applications, and networks for vulnerabilities.
If your data is affected or compromised, it will break one of the key principles of the CIA security model, namely availability. To prevent that, you should have the ability to restore the data so your IT systems can get back into operation as quickly as possible. Loss of personal data is a violation of GDPR compliance. To protect your data from natural disasters, malicious software, or hackers, it is imperative to keep a backup. The extra copies of the data should be stored so that they are not reachable from the rest of your network; otherwise they too can be encrypted or deleted. Also, it is appropriate to have at least one backup copy outside your network.
Cybersecurity training for employees
Another way to safeguard the personal data handled by your organization is to perform regular cybersecurity training for your staff. Your employees may have limited knowledge of cybersecurity threats, yet they are often the first line of defense against attacks. This can lead to personal data leaks caused by human mistakes, such as sending an email containing personal data to the wrong recipient or opening an email attachment that contains malware.
Employees at all levels must know their roles and responsibilities, and they should be taught how to recognize threats like phishing emails and the risks of publicizing business activities on social media.
The GDPR recommends data encryption where possible, and it is certainly a powerful way to demonstrate compliance. By encrypting personal data at rest and in transit, it remains secure and protected from potential cyber-attacks. Additionally, it is advisable to serve your websites over HTTPS with valid TLS certificates to increase online safety.
To be compliant with the GDPR requirements, organizations should keep personal data that is accurate and up to date, and retain it no longer than required. Some organizations may have collected large amounts of personal data that is no longer accurate or needed. If the data is still in use, it should be well protected to avoid unauthorized access. If there is data that is no longer required, it should be erased by following the established policy for deleting data.