The threat of a data breach during the Covid-19 crisis is a clear and present danger to companies that are not taking the right precautions.
But what happens if there is a data breach and the Data Protection Commission are called in – or you call them in yourself?
There are 22 questions that a company needs to answer from the DPC in the event that something bad has happened, such as a hacker stealing information or customers’ information being misused.
You can find the official version here, so we’re not going to list all 22 questions, but give you an overview of the key categories that need to be addressed before they become an issue that could lead to a hefty fine and undermine market confidence in your company.
Set up: It starts with the set-up: having the correct configuration of security protocols by your administrator is critical. Your administrator could be internal or a Managed Service Provider such as Ortus.
Security settings need to be correctly configured, implemented and regularly reviewed and audited. This applies to emails and file sharing, how attachments are handled, the rules to detect suspicious emails, and when to block the forwarding of data to the cloud or third parties.
Some companies are still using on-premise Exchange servers and not fully using the cloud, but the obligation on data security remains the same.
Document your plans: A Business Continuity & Disaster Recovery plan needs to be in place and documented for all company mail and data – and if mail is not in the cloud, it should be backed up to the cloud.
So the management of your company and customer data is a core part of the requirements of the DPC and they will be keen to understand that it is current, up-to-date and effective.
Auditing must be turned on, tracking your users’ actions, preferably through an ISO-accredited compliance process.
The ISO is a non-governmental international organisation that sets the standards for the industry, it is the benchmark for technology compliance.
Training and awareness: Another section focuses on training and awareness within your organisation. You need to make sure that employees are aware of the security requirements: that they understand how this works and applies to their roles; that there is ongoing training for them to behave properly and maturely when handling data.
This education process should be regularly updated, particularly if there are changes in protocols or specific threats emerging, around phishing or web access.
Mobile and home devices: One area that is a greater risk during this Covid-19 period is the use of mobile or Bring Your Own Devices, those computers that are not official company machines.
Some mobile phones are as powerful as many low-end laptops, so it is important that security is adopted for those as well: they need multi-factor authentication, GPS location tracking, Conditional Access and remote registration so the company knows what is going on with their data.
We strongly recommend – and, actually, nearly insist – that employees should not use their own devices or laptops as they are not managed, but still have access to your entire network.
The consequences: Being in breach of GDPR can lead to a fine of four per cent of turnover or €20 million – whatever is the greater – so the impact to a company in breach is potentially massive.
The good news is that when any new client has come to Ortus post-breach, we have been able to hold their hand through the process and they have come out smelling of roses.
Find out how Ortus can secure peace of mind for you and your business here.