Has COVID-19 made local government less cyber secure?
You can't have failed to notice: the GDPR (General Data Protection Regulation, in Dutch 'de Algemene Verordening Gegevensbescherming') has come into effect. There are stricter rules in place regarding the protection of personal data. The penalties for violating the privacy rules are a lot higher.
That a lot is changing this year in the area of the protection of personal data is therefore beyond dispute. So it is all the more important to focus your attention on the changes that really matter! Which trends regarding the protection of personal data must you not ignore in 2018?
1. Ransomware attacks - What to do?
In 2017, the world was shocked by ransomware attacks. Ransomware is software that blocks access to data. The rightful owner of the data only gets access to the data again after he or she has paid a 'ransom' to the criminals behind the ransomware. One of the biggest attacks in 2017 was carried out using the Wannacry ransomware. Among other things, this program affected a large number of hospitals in Great Britain.
It is expected that more of these types of attacks will take place in 2018, and that they will be more destructive. Criminals will threaten to publish unlawfully obtained data. There may also be attacks in which the ransomware only becomes active after a while. As a result, the ransomware could also affect backups. Ransomware will also start using 'machine learning'. This 'smart ransomware' will be able to reprogram itself, for example. This will make it more difficult for virus scanners to detect the ransomware.
Under the GDPR, organisations are required to take technical measures in line with the state of the art. Your organisation will also have to use machine learning, for example, just to keep ransomware outside. Organisational measures in this area are mainly about raising awareness among employees. Do they know how to recognise ransomware and do they know what to do?
2. Customers are aware of their rights - What will you have to deal with?
A study by KPMG has shown that many people do not know what the GDPR is exactly. As soon as they do know, they turn out to be interested:
- 51% of respondents want to make use of the right to be forgotten;
- 60% of them want the right to access;
- 56% of them want the right to data portability;
- 59% of them want the right to rectification.
This has quite some significance for your organisation! Apart from data incidents which receive a lot of media attention, requests can be received from customers who wish to exercise their rights. How do you organise this?
Each organisation therefore needs strict processes to handle these requests. For the right to access and the right to data portability, it is important to be able to quickly retrieve data from different applications. This data must be readable for people and/or computers (in case of transfer). And how do you ensure that all data are removed on a customer if he/she requests this? Is this not possible due to technical or administrative reasons, such as an obligation to retain? Be clear and transparent about this.
3. Two-factor authentication is becoming the standard - How do you use this?
Security based on a password alone is no longer sufficient. Most user passwords are weak, and many users have the same passwords for multiple systems. In the worst case, colleagues know one another’s' passwords. Sometimes these are even written on notes left on the desk. At the same time, people find it annoying when they have to log in again each time.
You solve both problems by using two-factor authentication (2FA). This involves something that the user knows (the password) being supplemented with an extra layer of security by means of something that the user has (for example a mobile device) or what the user 'is' (such as a fingerprint or an iris scan).
Thanks to advancing technology it is easier to secure systems with multiple methods. 2FA is being used in increasing numbers of organisations. You would expect that this would lead to more hassle. On the contrary – it ensures that the users have fewer passwords to work with, because a single sign-on in combination with 2FA is secure.
4. Prevention is becoming more important than cure - How can you be 'demonstrably' in control?
Even in the unlikely event that there are never data leaks or other incidents in your organisation, this does not mean that you are automatically in compliance with the GDPR. You must demonstrate that you, as an organisation, are doing everything to exclude unauthorised access to personal data.
This means that you must actively take measures that reduce the risk of data leaks. You must also document these measures to show that your organisation is set up to prevent an incident. Also ask yourself what the answer is to the following questions:
- How have you trained your employees to make them aware of the risks?
- Have you taken technical measures, such as a separate Wi-Fi network for guests, which is shielded from other devices?
- What warnings do employees receive when they send emails to wrong addresses?
Finally, it is important that there are protocols in place, so that it is clear what needs to be done if an incident nevertheless occurs.
5. Humans as the weakest link in the protection of personal data - What can you learn from this?
Much can be achieved through technical measures, but the human aspect of data protection remains important. After all, a large number of data leaks are the result of human error. Consider, for example, the accidental sending of a file to a wrong email address or the sharing of sensitive information via a public service.
- Make sure your employees are aware of the new rules that apply. For example, organise an internal event with an external speaker who explains the new rules of GDPR, and then explain about your new policy.
- Designate a project manager in each department or team who is responsible for the implementation of this policy.
- Have each department or team carry out an assessment of what is and is not permitted.
- Ask employees to think about changes which will be necessary to guarantee the optimum protection of personal data.
- The project leader coordinates the process as a whole, and draws up a progress report.
Companies that want to take the lead in privacy are putting great emphasis on awareness among all employees. It is sensible to use software that, in the background, actively assists employees in making the right choices. Only if this software does not get in the way of the user and does not make the work unnecessarily complex will it contribute to a safe working environment.
How do you get through the Year of the GDPR intact?
Raising awareness surrounding privacy and the GDPR/AVG is a layer that includes the necessary organisational and technical measures. This is so important because 46% of data breaches occur because employees do not handle sensitive data with awareness. But how do you tackle this? In this ebook, we will give an answer to this question and provide you with practical tips.