What SMBs need to know about the new EU cybersecurity regulations

New security landscape

To gain an insight into the likely impact that the new regulations could have, techradar pro spoke to two leading industry commentators: Charles White, CEO at IRM, a specialist in risk management providing strategic consultancy, security testing and risk management software, and Michael Aminzade, VP Global Compliance and Risk Services at Trustwave, a global leader in cybersecurity services.

Techradar Pro: How will the GDPR and NIS Directive generally impact on small businesses?

Charles White: The GDPR will be the most significant driver in the way businesses conduct themselves and how they handle, process and store personal information. GDPR is a regulation and as such it is enacted without change, and brings with it significant fines, disclosure and measures that will demand that companies are well prepared and have implemented a robust cybersecurity strategy.

Michael Aminzade: Having someone that has to be responsible for data protection will help small businesses develop this skill-set. Most small businesses are focused on operations and how they use the data – protection is not generally one of their first priorities. This regulation will put data protection into focus and make small businesses think about what data they need to use and why, as well as how they must protect it.

TRP: What is your key advice to small businesses that need to implement these pieces of legislation?

Charles White: Implement controls to limit or block unauthorised access, and implement procedures internally to regularly review the map of data. You should question constantly if the appropriate controls are in place to match the threat, and make this all business-as-usual activity. Conduct a penetration test regularly and make sure your staff appreciate the ramifications to the business of not protecting PII (Personally Identifiable Information) and other sensitive data.

Michael Aminzade: Understand what data is critical to your business, and stop the dependency of keeping non-essential data "just in case". Make sure you understand your responsibilities to protect the data, and consider it from a direction of negligence. Imagine finding yourself in the dock of a court after a data breach and being asked to explain how you were not negligent in the protection of the data – could you?

Key areas to focus on would be:

  • Do you know the value of your data?
  • Have you allocated the appropriate amount of budget to protect the data against the value and financial footprints of your company?
  • Are you using well-established security controls, such as encryption, logging and monitoring of your systems and data, firewalls and network security, database security, and so on?
  • The use of PCI and ISO standards can help you point to an established good practice for the protection of data. Applying the 12 controls of PCI DSS to your personal data will go a long way to help you establish you have not been negligent.

TRP: Are there any pitfalls to watch out for when implementing these pieces of legislation?

Charles White: Compliance, be it PCI or Cyber Essentials, is no guarantee of security. Ensuring good security practices is part of business as usual. For most companies implementing good cybersecurity can take years. As the GDPR becomes law in 2017, time is running out to get your house in order. As a senior government official said to me recently, "we shall see who's swimming naked when the tide goes out" – it is fully expected that companies will be caught off-guard and found wanting when it comes to cybersecurity.

Michael Aminzade: Make sure your legal team or external counsel is someone who understands data protection as well as the law. Too many times I have seen guidance provided from only the legal side. You need to have a key partner who understands both sides – legal and information security.

Likewise, not having the access to the right skills can be a major problem for small businesses, but this is not an excuse for a breach. Partnering with the correct security partner that can help with data protection, information security and compliance needs is critical to successfully implementing these types of legislation in a cost-viable manner.