Taylor Wessing | Megan Lukins | Edward Spencer
Security: prevention is always better than cure.
Protecting your digital environment should be priority number one. The GDPR requires personal data to be processed securely using appropriate technical and organisational measures.
Preventing unauthorised access to your environment is the most effective way to ensure the security of personal data being processed. ‘Privacy by Design’, a principle of the GDPR, requires appropriate technical and organisational measures to be implemented in systems from the outset – organisations should consider their password policy, implementing multi-factor authentication and whether geo-blocking should be used.
Ensuring the security of processing encompasses more than the implementation of technical and organisational measures. You should also:
- provide cyber security and data protection training to employees and contractors dealing with data in your digital environment
- foster a culture of compliance with appropriate data protection policies to support the effectiveness of the technical security measures
- treat policies and training materials as live documents and resources, updating them regularly to ensure they accurately reflect the organisation’s approach to data security.
Maintaining data and cyber security is a constantly evolving task that requires regular revisiting rather than a ‘set and forget’ approach.
Don’t procrastinate on patches or you’ll make a hacker’s dream come true
Being able to identify and promptly fix security vulnerabilities is an essential part of maintaining effective cyber security.
Regardless of whether patch management is handled internally or outsourced to a third-party Managed Service Provider (MSP), understanding who is responsible for patch management and how that works in practice is key. As the speed at which security vulnerabilities are exploited increases, it’s no longer appropriate for monthly patching to be the norm.
Top tips on patching include:
- If patch management is outsourced to an MSP, ensure the contractual terms are explicit as to whose responsibility it is to patch any vulnerabilities and within what timescale.
- If patch management is dealt with internally, establish a patch management policy that outlines responsibilities, timelines and procedures – including for periods of annual leave or public holidays.
- Test patches in a controlled environment before rolling out in order to minimise potential disruption.
- Maintain records of what was patched, when and by whom – perhaps with a system of cross-checking. This will assist with audits, compliance checks and the general improvement of any patch management process.
Detection: the next line of defence
Detecting a cyber attack as quickly as possible is the critical first step in responding to and recovering from an incident.
The longer the threat actor remains in your environment undetected, the higher the risk to your data and those individuals whose personal data becomes accessible.
There are different technical solutions available to help organisations detect and respond to security incidents. Following the post-pandemic increase in remote working, organisations now have more endpoints to consider and protect. Endpoints continue to be a main entry point for threat actors. Consider taking a multi-faceted approach to detect and react to cyber threats effectively, including:
- Implementing comprehensive monitoring, using Security Information and Event Management (SIEM) systems to analyse logs and network traffic for suspicious activity.
- Deploying EDR (Endpoint Detection and Response) and XDR (Extended Detection and Response). The former is limited to endpoints such as mobile devices, laptops and servers, whereas the latter extends coverage beyond endpoints to networks, cloud workspaces, email and other platforms. XDR enables quicker identification of threats that might pass unnoticed in a more siloed approach such as EDR alone.
- Leveraging threat intelligence platforms to stay informed about the latest cyber threat trends and indicators of compromise and understand how the organisation should respond.
Disaster recovery: bouncing back from a breach
Cyber attacks are an increasingly common occurrence and are, sadly, now accepted as a risk of doing business in a digital world.
Developing and maintaining a disaster recovery plan enables organisations to strategically resume mission-critical functions as soon as possible following a cyber incident – large or small.
The goal of a disaster recovery plan is not only to minimise downtime but also to mitigate risks associated with data loss (financial impact, reputational damage and legal consequences). At a very high level, a disaster recovery plan should cover:
- Response – it is important to activate the disaster recovery plan immediately after detecting a cyber attack to contain the threat, assess the impact, and prevent further damage.
- Recovery – restore systems and data from backups (immutable backups should be the aim), repair affected systems, and return to normal operations as swiftly as possible while maintaining security measures and focusing on security hardening.
- Communication and notification – manage communications with internal and external stakeholders. You may be subject to legal obligations to notify relevant data protection regulators quickly – the Information Commissioner’s Office (ICO) in the UK, and potentially regulators in multiple jurisdictions if you operate cross-border. Separately, consider any sector-specific regulator and whether it imposes its own notification obligations. Instructing legal advisors early to assist with reporting to regulators is strongly recommended. Equally, engaging PR specialists should be considered where there is likely to be press interest. Effective communication from day one of the recovery is vital for maintaining trust and complying with legal requirements.
Good housekeeping
There are a number of principles in the GDPR that, if followed, will limit your exposure to a cyber attack and contain the repercussions if the worst happens.
Bear in mind that cyber threats are not only external; the insider threat is just as important to consider. How you approach data collection, storage and retention can have a significant impact on what the repercussions of a cyber attack or data breach look like for your business.
- Data Minimisation – ensure you only collect personal data that is actually required.
- Storage Limitation – adhere to retention periods to ensure any data collected is not held for longer than is necessary to fulfil the original purpose of processing.
- Privacy by design – incorporate data privacy protections into the design of systems in which personal data is stored from the outset. This can include strong access controls and data masking to minimise who has access.
Registering with the ICO, where applicable, can also help to ensure that the proper focus is placed on minimising the risk of processing personal data from an early stage of a business. The ICO offers numerous resources to help small businesses on their compliance journey, which can also be used to aid education and understanding across the workforce.
Cyber security must not be relegated to an afterthought for any organisation, but this is particularly true for early-stage businesses which may be grappling with limited funding. The consequences and cost of dealing with a cyber attack can be catastrophic. Equally, the damage caused by any failure to properly safeguard client or customer data could prove fatal to a fledgling business. Safeguarding client trust through robust data protection and threat mitigation should be as foundational as your core product or service offering.
Integrating these top tips into the fabric of your operations will position your business not just for success as it grows and evolves, but for sustainable resilience in an ever-changing cyber landscape.
This article first appeared on Lexology.