How Your IT can help with GDPR
We’ve spent the past few months trying to explain that GDPR is not an IT issue.
But we still get emails from customers that say things like “Can you explain how you will make us GDPR compliant please?” (not a direct quote but pretty close!).
Firstly, to reiterate: GDPR is NOT an IT issue. It’s a business issue which includes some elements of IT and technology. Your IT support provider is not going to embed ‘Privacy by design’ for you, rewrite processes and procedures, or check that you’re getting proper consent from data subjects – well, to be fair, some might, for a cost and with questionable qualifications to do so.
It’s interesting to note that none of the ‘12 Steps To Take Now’ prescribed by the ICO are technology related.
Having said that, there are IT-related elements that can help you show you are taking data protection seriously and mitigate risk. The likelihood is that ICO investigations will happen to companies who suffer a data breach; if your data is better protected than the next company’s, hackers are likely to move on to them.
Making your data safe makes good business sense and is part of GDPR. It’s just not all of it, and it isn’t the bit that has changed from the 1984 Data Protection Act.
What we can do
There are probably three main areas of Data Protection that you as a business can safely leave with your IT support provider.
Boundary firewalls and internet gateways
Firewalls and gateways provide a basic level of protection wherever a user connects to the Internet.
A firewall monitors all network traffic and identifies and blocks unwanted traffic that could be harmful to your computer, systems, and networks.
It is not enough simply to have a firewall: the protection it provides is adjusted through its configuration, like any other control, and those settings are called the firewall ‘rules’. It is in this area that many unmanaged firewalls fail to offer the level of protection they are designed to provide.
You should have a firewall – we go into detail as to why in this past post – but it also needs to be correctly configured. Not setting default deny-all policies, failing to restrict inbound or outbound traffic to authorised connections or using default administrator passwords are all common issues that the IT support provider or Managed Service Provider (MSP) will take care of, so you don’t need to worry about them.
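To make those configuration points concrete, here is an added example (our own illustration for this post, not tooling from any MSP or from the original article) of how a ruleset review can check for exactly the mistakes listed above: a missing default deny-all on each chain, allow rules that are not tied to an authorised source or port, rules left shadowed behind the deny-all, and a device still on a factory admin password. The rule model, the default-password list and both sample rulesets are constructed for illustration.

```python
"""Check a boundary firewall ruleset for the configuration mistakes named
above: missing default deny-all, allow rules not restricted to authorised
connections, and a device still on a default admin password.

Added example, not code from the MSP or the post. The rule model, the
default-password list and both sample rulesets are constructed.
"""
from dataclasses import dataclass

# Constructed: a handful of vendor default credentials an audit should reject
DEFAULT_ADMIN_PASSWORDS = frozenset({"admin", "password", "1234", ""})


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out"
    action: str     # "allow" or "deny"
    src: str        # CIDR or "any"
    dst: str        # CIDR or "any"
    port: str       # port number, range, or "any"
    comment: str = ""

    def is_catch_all(self):
        return self.src == "any" and self.dst == "any" and self.port == "any"


def audit_rules(rules, admin_password):
    """Return a list of findings; an empty list means the ruleset passed."""
    findings = []
    for direction in ("in", "out"):
        chain = [r for r in rules if r.direction == direction]
        # Default deny: each chain must end in a deny-all so anything not
        # explicitly authorised is dropped.
        if not chain or chain[-1].action != "deny" or not chain[-1].is_catch_all():
            findings.append(f"{direction}bound: no final deny-all rule")
        for r in chain:
            # An allow with neither a source nor a port restriction is not
            # "restricted to authorised connections".
            if r.action == "allow" and r.src == "any" and r.port == "any":
                findings.append(
                    f"{direction}bound: unrestricted allow to {r.dst} "
                    f"({r.comment or 'no comment'})"
                )
        # Rules placed after the deny-all never match; usually a mistake.
        for i, r in enumerate(chain):
            if r.action == "deny" and r.is_catch_all() and i != len(chain) - 1:
                shadowed = len(chain) - 1 - i
                findings.append(f"{direction}bound: {shadowed} rule(s) shadowed after deny-all")
                break
    if admin_password in DEFAULT_ADMIN_PASSWORDS:
        findings.append("management: default administrator password still set")
    return findings


# Constructed sample rulesets
UNMANAGED_RULES = [
    Rule("in", "allow", "any", "10.0.0.5", "443", "public web server"),
    Rule("in", "allow", "any", "any", "any", "temporary vendor access"),  # never removed
    Rule("in", "deny", "any", "any", "any"),
    Rule("out", "allow", "10.0.0.0/24", "any", "443"),
    Rule("out", "allow", "10.0.0.0/24", "any", "53"),
    # no outbound deny-all at all
]

MANAGED_RULES = [
    Rule("in", "allow", "any", "10.0.0.5", "443", "public web server"),
    Rule("in", "allow", "203.0.113.10", "10.0.0.1", "443", "MSP management, fixed address"),
    Rule("in", "deny", "any", "any", "any"),
    Rule("out", "allow", "10.0.0.0/24", "any", "443"),
    Rule("out", "allow", "10.0.0.0/24", "10.0.0.2", "53", "internal resolver"),
    Rule("out", "deny", "any", "any", "any"),
]

if __name__ == "__main__":
    for name, rules, password in (("unmanaged", UNMANAGED_RULES, "admin"),
                                  ("managed", MANAGED_RULES, "long-unique-passphrase")):
        print(name, audit_rules(rules, password) or ["no findings"])
```

Running it prints three findings for the unmanaged ruleset (the vendor allow-all, the missing outbound deny-all and the default password) and none for the managed one. In practice the rule export would come from the device’s configuration backup and the review would run on a schedule, not once.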
Access controls and admin privilege management
It is vitally important that you prevent accidental and intentional damage caused by current or former employees.
User accounts, particularly those with access privileges (e.g. administrative accounts), should be assigned only to authorised individuals, managed effectively, and provide the minimum level of access to applications, computers, and networks.
Protecting user accounts and helping prevent misuse of privileged accounts is essential for any IT system or network. 88% of insider threat incidents included privilege abuse.
Within a fully managed contract, we’d expect that the MSP would implement a user account management system, ensuring that the correct staff have the correct privileges and that these are changed if an individual changes role.
This requires an open communication channel between you and the MSP, ensuring that they know when changes take place to your staffing, especially when staff leave so that access to systems can be closed off.
You should be using unique usernames – i.e. everyone shouldn’t be logging on with a single shared account and password – and your MSP should insist on this. Password strength is another element that an MSP will push, including setting up policies requiring passwords to be changed regularly.
You can opt out of MSP password policies but you’ll generally be asked to sign a disclaimer and, should the worst happen, your MSP would be well within their rights to say ‘I told you so’!
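As an added illustration (ours for this post, not the MSP’s own process or tooling), the following script does the kind of periodic access review the section above describes: it reconciles a directory export against a role-to-privilege table and an HR leaver list, and flags shared logins with no named owner, leavers who still have an enabled account, privileges that no longer match someone’s role, and dormant privileged accounts. The roles, accounts, leaver list and review date are all constructed.

```python
"""Periodic access review: reconcile an account export against the HR
record so shared logins, leavers, privileges that no longer match a role,
and dormant accounts are caught.

Added example, not the MSP's process or tooling. The role-to-privilege
table, the account export, the HR leaver list and the review date are all
constructed.
"""
from datetime import date

# Constructed: the privilege levels each role is permitted to hold
ROLE_PRIVILEGES = {
    "finance": {"user"},
    "sales": {"user"},
    "it": {"user", "admin"},
}

# Constructed account export (what a directory dump might look like)
ACCOUNTS = [
    {"user": "jsmith", "owner": "J. Smith", "role": "finance", "priv": "user",
     "enabled": True, "last_logon": date(2019, 11, 4)},
    {"user": "frontdesk", "owner": None, "role": "sales", "priv": "user",
     "enabled": True, "last_logon": date(2019, 11, 5)},     # shared login
    {"user": "ajones", "owner": "A. Jones", "role": "sales", "priv": "admin",
     "enabled": True, "last_logon": date(2019, 11, 5)},     # moved from IT to sales
    {"user": "pbrown", "owner": "P. Brown", "role": "finance", "priv": "user",
     "enabled": True, "last_logon": date(2019, 10, 28)},    # left the company
    {"user": "contractor1", "owner": "Vendor Ltd", "role": "it", "priv": "admin",
     "enabled": True, "last_logon": date(2019, 5, 1)},      # dormant admin
    {"user": "klee", "owner": "K. Lee", "role": "it", "priv": "admin",
     "enabled": True, "last_logon": date(2019, 11, 5)},
]

# Constructed HR feed: people who have left, which the MSP needs to be told
LEAVERS = {"P. Brown"}

# Constructed date on which the review is run
REVIEW_DATE = date(2019, 11, 6)


def review_access(accounts, leavers, role_privileges, today, dormant_days=90):
    """Return (username, reason) findings; an empty list means nothing to action."""
    findings = []
    for a in accounts:
        # Unique usernames: every account must have one accountable owner
        if a["owner"] is None:
            findings.append((a["user"], "shared account with no named owner"))
        # Leavers: access should have been closed off when HR told us
        if a["enabled"] and a["owner"] in leavers:
            findings.append((a["user"], "leaver still has an enabled account"))
        # Movers / least privilege: privilege must match the current role
        allowed = role_privileges.get(a["role"], set())
        if a["priv"] not in allowed:
            findings.append((a["user"], f"'{a['priv']}' privilege not permitted for role '{a['role']}'"))
        # Dormant accounts are an easy target and rarely missed when disabled
        if a["enabled"] and (today - a["last_logon"]).days > dormant_days:
            findings.append((a["user"], f"enabled but unused for over {dormant_days} days"))
    return findings


def admin_accounts(accounts):
    """Names of enabled privileged accounts, for the sign-off list."""
    return sorted(a["user"] for a in accounts if a["enabled"] and a["priv"] == "admin")


if __name__ == "__main__":
    for user, reason in review_access(ACCOUNTS, LEAVERS, ROLE_PRIVILEGES, REVIEW_DATE):
        print(f"{user:12} {reason}")
    print("privileged accounts to sign off:", ", ".join(admin_accounts(ACCOUNTS)))
```

On the sample data this reports the shared front-desk login, the sales user still holding admin rights from a previous role, the leaver whose account was never disabled, and the contractor admin account nobody has used for months. The privileged-account list at the end is the one a manager should sign off each review, which is also the point at which the MSP finds out about the staff changes it was not told about.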
Patch management
Attackers constantly identify and exploit software vulnerabilities. It’s critical that you apply hotfixes and patches to address these vulnerabilities.
Put simply, your MSP will automate this: patches will be applied in the background and you’ll be constantly running the latest versions of software and operating systems.
As well as making sure the software you use is up-to-date your MSP should also be able to warn you well in advance if anything you’re using is about to fall outside support and therefore present a possible security risk. For example, Windows 7 extended support, and therefore security patching, ends on January 14th, 2020 – so you need to ensure that you’ve moved away from that OS by then.
Whilst this doesn’t immediately seem related to data protection, it is often out-of-date and unpatched software that opens the door to those who wish to steal data.
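Here is an added example (ours, not the MSP’s tooling) of the ‘well in advance’ warning just described: a check that compares an asset inventory against recorded end-of-support dates and flags anything already unsupported, anything ending within the warning window, and anything with no date on record at all. The Windows 7 date is the one cited above; the other products, the hosts and the review date are constructed.

```python
"""Flag inventory items whose vendor support (and so security patching) has
ended or is about to, so the warning comes well in advance.

Added example, not the MSP's tooling. The inventory and the other products
are constructed; the Windows 7 date is the one cited in the post
(extended support ends 14 January 2020).
"""
from datetime import date

# End-of-support dates. Windows 7 is from the post; the rest are constructed.
SUPPORT_ENDS = {
    "Windows 7": date(2020, 1, 14),
    "ExampleOS 11": date(2021, 6, 30),   # constructed
    "ExampleApp 3": date(2019, 6, 30),   # constructed: already out of support
}

# Constructed asset inventory: (hostname, product)
INVENTORY = [
    ("WS-001", "Windows 7"),
    ("WS-002", "ExampleOS 11"),
    ("SRV-01", "ExampleApp 3"),
    ("SRV-02", "ExampleApp 4"),   # constructed: nobody recorded a support date
]

# Constructed date on which the check is run
AS_OF = date(2019, 9, 1)


def support_status(inventory, support_ends, today, warn_days=180):
    """Return (host, product, status, days_left) for every inventory item.

    status is one of "unsupported", "ending soon", "supported" or "unknown";
    days_left is None when no end-of-support date is on record.
    """
    results = []
    for host, product in inventory:
        end = support_ends.get(product)
        if end is None:
            # No date means nobody can say patches are still coming
            results.append((host, product, "unknown", None))
            continue
        days_left = (end - today).days
        if days_left < 0:
            status = "unsupported"
        elif days_left <= warn_days:
            status = "ending soon"
        else:
            status = "supported"
        results.append((host, product, status, days_left))
    return results


def needs_action(results):
    """Anything not plainly supported belongs on the MSP's next report."""
    return [r for r in results if r[2] != "supported"]


if __name__ == "__main__":
    for host, product, status, days_left in needs_action(
            support_status(INVENTORY, SUPPORT_ENDS, AS_OF)):
        when = "" if days_left is None else f" ({days_left} days)"
        print(f"{host:8} {product:14} {status}{when}")
```

Run on 1 September 2019 with a 180-day window, the Windows 7 workstation shows as ending in 135 days, the old application server as already unsupported, and the server with no recorded date as unknown, which is its own finding: an asset register with gaps cannot tell you when patching stops.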
Whilst your MSP will do a lot more, we think these are the most pertinent things for GDPR. They also form part of the Cyber Essentials certification, which we feel is a good framework for cybersecurity within a small or medium-sized business.
If you are interested in finding out how our Fully Managed IT Support Service can help with cybersecurity and GDPR compliance, or you’d like to investigate whether Cyber Essentials certification might be beneficial for your business please complete our contact form for a callback, or give us a call on 0115 9717567.