Few businesses are using technology to aid GDPR compliance
Few businesses have the technology in place to manage end-to-end GDPR compliance, according to a survey TSG has carried out.
69% of those who responded said they were aware of where all of their business data was stored, but only 18% said that data was categorised and appropriately secured based on content.
This indicates a key challenge businesses are facing in the run-up to GDPR: discovering and appropriately cataloguing data. It’s likely that many businesses have Personally Identifiable Information (PII) stored alongside day-to-day documents and files, rather than categorised and stored separately and securely.
Another key finding from our survey is that only a quarter of businesses (27%) currently use data encryption. This is a vital element of securing your business data: in the event of a breach, encrypted data is useless to the hacker. Sophos SafeGuard encrypts files individually and keeps them encrypted even when they are transferred to the cloud, a shared folder or an external storage device, ensuring they are inaccessible to outsiders. It’s business as usual, as anyone with the right permissions can continue working on their documents with no impact.
Similarly, only 30% of companies implement device encryption on laptops, tablets and other mobile devices. Like file encryption, this is important to the security of your business data, and with an increasingly mobile workforce, device encryption will soon be an unavoidable business requirement: employees currently use an average of 2.3 different devices to carry out work (Forrester). This is where Endpoint Security comes in, offering not only device encryption but also managed anti-virus and a powerful behavioural analysis tool that spots suspicious activities and files.
Over half of organisations (55%) allow employees to use cloud-based file shares such as Dropbox. Whilst this is an effective way of distributing large files, particularly to customers or suppliers outside the business, it significantly increases the attack surface and can allow data to fall into the hands of unintended recipients if files aren’t restricted correctly. Fake Dropbox emails can also lure account holders into downloading malware and even Ransomware; the original Petya virus – which has gained notoriety thanks to the global attack that hit the NHS amongst others in May – used fake Dropbox emails as a distribution method, leading unfortunate employees to download Ransomware instead of the innocent Word document they were expecting. Not to mention that Dropbox account details have been hacked and sold online…
It’s not all bad news, however. 72% of respondents said their business has a disaster recovery solution in place. But it’s worth noting that this isn’t split by business size or by the type of business continuity plans these organisations have. It’s very likely that many businesses only back up files to external devices like USB sticks or to cloud storage. A true disaster recovery solution backs up physical servers and virtual environments so that a business’s functions can be fully restored should the worst happen. We’ve covered the difference in a previous blog, but it’s important to implement a solution that will work for your business: which critical functions do you need to ensure are always available?
A further 48% of businesses are protected against Ransomware. It’s likely the recent global attacks have raised awareness of this growing threat and made business leaders realise they can’t afford to take any risks when it comes to cyber security. However, this still means 52% are potentially exposed to Ransomware attacks, and we know that hackers don’t discriminate – they’ll attack businesses regardless of size. We’ve blogged a number of times on Ransomware:
- The WannaCry Ransomware attack shows you can’t ignore IT security any more
- Windows XP isn’t responsible for WannaCry attacks
- LOL! Ransomware is no laughing matter
- Email spoofing exposed!
- 4 ways to spot Ransomware
- Ransomware: What you need to know (infographic)
- Locky and beyond: The biggest Ransomware threats of 2016
The innovative use of technology will prove critical in your journey towards GDPR compliance. With so many potential places you could be holding PII, it would be incredibly time-consuming to manually search for documents that could hold personal data, and there’s always the risk of human error. It doesn’t end with searching for your documents – you’d then have to record where all of your data is located, analyse it and possibly act on it – for example, by encrypting your PII data.
Along with TermSet, we’ve developed a powerful PII Discovery tool using TermSet’s unique metadata functionalities. The tool will search for 21 different types of PII in your documents so you don’t have to, and can also be customised to include any PII you collect that is unique to your business. There are a number of plans to suit businesses of all sizes, and the tool can be expanded to include CRM and ERP systems.
Qlik Sense Desktop, or a full-blown Qlik Sense business intelligence solution, is built into our packages, allowing you to analyse that data and delve deeper into it: where is it held? Do you hold more of a particular type of PII? The Qlik Sense tool brings all of your data together so you can work with it in an easy-to-use format; only 13% of businesses currently use intelligent reporting tools, so this is your chance to get ahead of the competition.
To take your GDPR compliance to the next level, you can implement workflows to not only take the manual, time-consuming tasks away from your employees and increase productivity, but to ensure you always remain compliant.
Using intelligent automation tools like Flow and Nintex, you could automatically encrypt or move any documents that contain PII as soon as the TermSet tool discovers them. Additionally, if a customer, employee or ex-employee gets in touch about the Personally Identifiable Information you hold on them – which, come May 2018, you will be legally required to provide or else be in breach of GDPR – you can set up a workflow that automatically searches for that person’s information and produces a report of all information held. You could then generate an email back to that person, or submit it for approval. The possibilities are endless.
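The two workflows described above (discover documents holding PII, record where they are and queue them for encryption; then answer a subject-access request by finding everything held about one person) can be sketched in a few dozen lines. The following is an added illustration written for this page, not code from TSG, TermSet, Flow or Nintex: the document corpus, the file paths, the names and numbers in them, and the three detector categories are all constructed for the example, and only counts (never the matched values) are written into the inventory so that the inventory itself does not become another unprotected copy of the personal data.

```python
"""PII discovery inventory and subject-access lookup over a constructed file set."""
import re
from typing import Dict, List

# Constructed sample corpus standing in for a file share: path -> text content.
# Every name, address and number here is made up; the phone number is in the
# range Ofcom reserves for fictional use.
DOCUMENTS: Dict[str, str] = {
    "finance/invoices/inv-0412.txt": (
        "Invoice 0412 for Acme Ltd. Contact: jane.doe@example.com, tel 07700 900123."
    ),
    "hr/onboarding/notes.txt": "New starter Jane Doe, NI number QQ123456C, started 3 March.",
    "marketing/brochure-2017.txt": "Our award-winning managed IT services. No personal data here.",
    "sales/leads.csv": "name,email\nJohn Smith,john.smith@example.org\n",
}

# Three illustrative detector categories (an assumption for this example; a real
# discovery tool carries many more and validates hits, e.g. with checksum rules,
# rather than trusting a regular expression alone).
PII_PATTERNS: Dict[str, "re.Pattern[str]"] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "uk_phone": re.compile(r"\b0\d{4}\s?\d{6}\b"),
    "uk_ni_number": re.compile(r"\b[A-Z]{2}\d{6}[A-D]\b"),
}


def discover_pii(documents: Dict[str, str]) -> Dict[str, Dict[str, int]]:
    """Return {path: {category: hit_count}} for every document that contains PII.

    Only categories and counts are recorded, so the inventory can be shared with
    auditors without itself leaking the personal data it catalogues.
    """
    inventory: Dict[str, Dict[str, int]] = {}
    for path, text in documents.items():
        hits = {name: len(pattern.findall(text)) for name, pattern in PII_PATTERNS.items()}
        hits = {name: n for name, n in hits.items() if n}
        if hits:
            inventory[path] = hits
    return inventory


def plan_actions(inventory: Dict[str, Dict[str, int]]) -> List[str]:
    """Paths a follow-on workflow should encrypt or move to a restricted store."""
    return sorted(inventory)


def subject_access_report(documents: Dict[str, str], identifiers: List[str]) -> Dict[str, List[str]]:
    """Locate every document mentioning any of one data subject's identifiers.

    Returns {path: [identifiers found there]}. Matching is case-insensitive so a
    name typed in capitals in a header row is still found.
    """
    wanted = [ident.lower() for ident in identifiers]
    report: Dict[str, List[str]] = {}
    for path, text in documents.items():
        lowered = text.lower()
        found = [ident for ident, low in zip(identifiers, wanted) if low in lowered]
        if found:
            report[path] = found
    return report


if __name__ == "__main__":
    inventory = discover_pii(DOCUMENTS)
    for doc_path, found_hits in inventory.items():
        print(f"{doc_path}: {found_hits}")
    print("queued for encryption:", plan_actions(inventory))
    print("subject access:", subject_access_report(DOCUMENTS, ["Jane Doe", "jane.doe@example.com"]))
```

Run as a script it prints the inventory, the list of paths queued for protection, and the two documents that mention the example data subject; the marketing brochure, which holds no personal data, appears in none of them.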
The results of this survey show how few businesses are taking advantage of technologies that can not only support GDPR compliance but also increase productivity and provide greater insights into the business. Are you using technology to support your GDPR compliance?