Security as a Priority: GDPR and its effect on small business
“One of the most important questions in the world is who owns the data of humankind. The most important asset of the 21st Century is not land, and it’s not money, it’s really data.”
– Yuval Noah Harari, ‘Homo Deus: A Brief History of Tomorrow’ (2016)
To echo the bold statement above, in an age where our existence has become so seamlessly integrated with technology, the question still stands as to who owns the data of humankind and where that ownership lies. The next logical question then arises, and one can’t help but ask:
What happens when the companies processing and storing personally identifiable information (PII) fail to adequately protect customer data, with systems not up to the task, leaving that data to fall into the hands of criminals?
As the recent global ransomware outbreaks have proven, criminals have also realized how valuable any kind of data is, and they are going for it.
Unfortunately, they are also winning.
Companies are still failing to adequately protect consumer data. Hacker House recommends making cyber security a top priority in every company, instead of an item that only needs to be crossed off a compliance checklist. In an attempt to keep pace with the current digital landscape, the EU intervened and has passed the General Data Protection Regulation (GDPR), which will be enforced from the 25th of May, 2018. The new EU regulations extend the data rights of individuals, and therefore require organisations to develop clear policies and procedures to protect personal data, as well as to adopt appropriate technical and organisational measures.
In short, GDPR is the compliance regime that mandates appropriate safeguards for greater transparency and clarity in how organisations use data.
With all the “GDPR talk” being force-fed to us over the next 12 months, it can be a bit overwhelming to know where to start. It’s a task no one wants to face alone. It also goes without saying that GDPR will have a massive effect on business, especially small business. Questions arise around the storage of data and the transactional value of that data, including encryption and the transfer of data in and out of the EU, as well as the need to employ an official Data Protection Officer for those companies with 250 employees and handling over 5,000 files a year.
And if your organisation fails to meet these expectations, you can expect some hefty fines. These fines could cripple a company almost as badly as the data breach itself would. Should a data breach occur, administrative fines of up to 4% of annual global turnover or €20 million (whichever is greater) will be charged. These fines are much higher than those imposed by the current Data Protection Act in the UK. As a matter of fact, it is estimated that companies in the UK would have been fined over €69 million last year alone, compared to the £880,000 that was actually charged under the current regulations.
It is often assumed that small businesses are immune to cyber attacks because an attacker’s effort would be better spent on a large corporation, which would have more to share and more to give away.
One of the most obvious reasons small businesses are targeted is that most don’t have the budget to put extensive security measures in place. “Cheap and cheerful”, or sometimes “non-existent”, seems to be the mantra echoed amongst small businesses. When companies become complacent and stop worrying about being attacked, that is often when they are most easily compromised. For example, small businesses love to use cloud services for everything: it’s easy and simple, but it also doesn’t use strong encryption. Along with small to non-existent IT departments or security teams, small businesses also wouldn’t necessarily invest time in user awareness and training on the importance of strong passwords, on spotting spear-phishing emails, and on not downloading anything from the internet.
In addition to being “easy prey” for attackers, small businesses also serve as entry points into corporates. Often the small business is used to gain access to a larger system and collection of data. This is known as “third-party hacking.” Essentially, the attacker gains entry to a weak and poorly defended system inside a small business and then “connects the dots”: what information can be extrapolated from the relationship between the two companies? Is the small business a supplier to the larger one? A perfect real-world example of this is the Target breach of 2013. Target was compromised through a small heating and air conditioning company that had a contract with it. When Home Depot was attacked, their customer data was stolen using a vendor’s log-on credentials to “install custom-built malware that stole customer payment card data and e-mail addresses.” [1]
Losing information in an attack is catastrophic for a small business. It’s no wonder over half of these victimised companies go out of business in less than a year after their attack. [2] And even if your company does survive, it’s truly heartbreaking to disappoint customers who once placed their faith and trust in the integrity of your company. Small business owners have to work very hard to maintain the integrity of their brand; one bad attack and their entire reputation can be at stake.
Companies will have to find the budget for new data storage systems and appoint new officers to manage that data. But rather than waiting to find out how much money you will have to spend on controlling that data, start by ensuring your current infrastructure is secure. When you know where you stand, you can set a baseline for where you need to be. Managing GDPR and the new data regulation is one thing; securing and defending networks when there is an attack is another. And each is contingent on the other.
Before spending more cash on new systems, start by building a security culture into your organisation. Get a pen test. Secure your perimeter and configure the appropriate firewalls. Set up secure passwords and a clear chain of command for user authentication. Host a workshop to build team awareness and safe security practices.
Before you know how to properly store, manage and control your data, you must secure it.
Let Hacker House work with you to test potential vulnerabilities.
Hacker House professional services show you where your Achilles’ heel is. We have been busy preparing for the new regulations, making sure we fully understand the ramifications, and we are confident that we can support your business with our extensive expertise in the cybersecurity field.
We work with your security needs so that your culture of securing and defending works from day one, not after the fact.
The extensive Hacker House Hands-On Hacking training courses empower your employees with the same skillset as an attacker. We teach all the tactics, establish a foundation, and continue to allow our students to hack with our tools conveniently from the virtual playground we have built into the course.
[1] Michael Winter, “Home Depot Hackers Used Vendor Log-On to Steal Data, E-mails”, USA Today, Nov. 7, 2014, http://www.usatoday.com/story/money/business/2014/11/06/home-depot-hackersstolen-data/18613167/.
[2] Graham Winfrey, “Can Your Company Survive a Cyber Attack?”, Inc., Dec. 5, 2014, http://www.inc.com/graham-winfrey/how-to-protect-your-company-information-in-the-digital-age.html.