Organizations, especially those collecting and using personal data, must take the necessary measures to ensure the confidentiality, integrity and security of that data, and thereby be GDPR compliant as required by Article 5. This objective can be achieved only by following best practices for protecting and maintaining IT systems. Below are some cyber security tips that should be taken into consideration.
To be GDPR compliant and to protect the personal data collected and used by employees, companies have to keep their IT systems secure. One of the basic steps in this direction is to protect your network with a firewall. It adds a layer of security and filters the traffic that comes from the Internet into your computer system or private network. A well-configured firewall can protect your organization from unauthorized access and intrusions from the Internet.
Another important cyber security element is to restrict access to critical information and grant permissions only to the people and systems that you trust. The employees of your organization need access permissions only to the extent required for them to fulfil their duties.
According to best practices in information security, there shouldn’t be a shared user account. Each user should have a separate username and password so that you have a clear overview of what is happening in your organization. In addition, in case of a security breach, you will have a starting point from which to drill down into your logs and find the root cause.
When it comes to passwords, there should be a policy that makes sure employees use strong passwords, containing a combination of letters, numbers, and symbols. To prevent unauthorized access and to keep safe from brute force attacks, organizations should limit the number of unsuccessful login attempts. Once the limit is reached, the account should be locked out. In addition, access to valuable business data such as online banking or password managers should be further protected by using two-factor authentication. Also, whenever an employee leaves the company or is absent for a long period, their password and user access must be terminated immediately.
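The per-user accounts of the previous paragraph and the lockout policy above can be checked together by replaying an authentication log. The following is an added example, not code from the original post or from LogSentinel: it assumes a constructed log format of the form "timestamp user=... src=... result=..." and a lockout threshold of three consecutive failures.

```python
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample authentication log (not from the original post); the line
# format "<timestamp> user=<name> src=<ip> result=<success|failure>" is assumed.
SAMPLE_LOG = """\
2024-05-01T08:00:01 user=alice src=10.0.0.5 result=success
2024-05-01T08:02:10 user=bob src=203.0.113.7 result=failure
2024-05-01T08:02:12 user=bob src=203.0.113.7 result=failure
2024-05-01T08:02:14 user=bob src=203.0.113.7 result=failure
2024-05-01T08:02:20 user=bob src=203.0.113.7 result=success
2024-05-01T08:05:00 user=carol src=10.0.0.9 result=failure
2024-05-01T08:05:30 user=carol src=10.0.0.9 result=success
"""

LINE_RE = re.compile(r"^(\S+) user=(\S+) src=(\S+) result=(success|failure)$")

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts since the last success
    locked: bool = False
    events: list = field(default_factory=list)  # (timestamp, src, outcome)

def apply_lockout_policy(log_text, max_failures=3):
    """Replay events per user: after max_failures consecutive failures the account
    is locked and every later attempt is rejected, even one with the right password,
    until an administrator unlocks it. A success before the threshold resets the count."""
    state = defaultdict(AccountState)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue   # skip lines that do not match the assumed format
        ts, user, src, result = m.groups()
        acct = state[user]
        if acct.locked:
            acct.events.append((ts, src, "rejected: account locked"))
        elif result == "failure":
            acct.failures += 1
            if acct.failures >= max_failures:
                acct.locked = True
            acct.events.append((ts, src, "failure %d/%d" % (acct.failures, max_failures)))
        else:
            acct.failures = 0
            acct.events.append((ts, src, "success"))
    return dict(state)

def locked_accounts(log_text, max_failures=3):
    """Names of the accounts the policy has locked, for the review step."""
    return sorted(u for u, a in apply_lockout_policy(log_text, max_failures).items() if a.locked)
```

Because every event is tied to a single username, the per-account history in events is exactly the trail you drill into after an incident.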
Another fundamental cyber security element is the use of an anti-virus program to protect the data from cyber criminals. The network should be scanned for malicious software regularly and the results should be evaluated. It’s important not only to run such a program but also to review its warnings and act on them. On some occasions, people ignore the signs and signals they get from the antivirus program and realize that their data has been compromised only when it is too late.
Yet another cyber security tip is to keep your software up to date. If the software used in your organization is a few years old, its security must be reviewed and evaluated to ensure it is still adequate.
To keep a high level of security, consider performing regular penetration tests and vulnerability assessments: confirm that security updates are available and have been applied, and test the operating system, the applications and the network for vulnerabilities.
If your data is affected or compromised, it will break one of the key principles of the CIA security model, namely availability. In order to prevent that, you should have the ability to restore the data, so your IT system can get back into operation as quickly as possible. Loss of personal data is a violation of GDPR compliance. To protect your data from natural disasters, malicious software or hackers, it is imperative to keep a backup. The extra copies of the data should be stored in such a way that they are not reachable from the rest of your network; otherwise they can be encrypted or deleted along with the originals. Also, it is appropriate to have at least one backup copy outside your network.
Cyber security training for employees
Another way to safeguard the personal data handled by your organization is to perform regular cyber security training for your staff. Your employees may have limited knowledge of cyber security threats, yet they are often the first target of an attack. This can lead to a personal data leak caused by human error, such as sending an email containing personal data to the wrong recipient or opening an email attachment that contains a virus.
Employees at all levels must know their roles and responsibilities, and they should be taught how to recognize threats like phishing emails and the risks of publicizing business activities on social media.
The GDPR recommends data encryption where possible, and it is certainly a powerful way to demonstrate compliance. By encrypting personal data at rest and in transit, it remains protected from potential cyber-attacks. Additionally, it is advisable to serve your websites over HTTPS with valid TLS certificates to increase online safety.
To be compliant with the GDPR requirements, organizations should keep personal data that is accurate and up to date, and retain it no longer than required. Some organizations may have collected large amounts of personal data that is no longer accurate or needed. If the data is still in use, it should be well protected to avoid unauthorized access. If there is data that is no longer required, it should be erased by following the established policy for deleting data.
Keeping an IT environment safe and secure can be a challenging task. However, following the advice above can be a good start. LogSentinel can help as well!