Cyber incidents pose an increasing threat to the security of information, with hacking, ransomware, cyber fraud and accidental information losses. An additional complexity arises when organisations need to share data. They need to have mutual trust in each other’s ability to keep data secure and take assurance from each other’s risk management and information assurance arrangements for this to happen successfully.
An organisation’s exposed technology to common cyber-attacks will typically include computers that are capable of connecting to the internet, including desktop PCs, laptops, tablets and smartphones, and internet connected servers including email, web and application servers.
Large organisations would already be expected to have some knowledge or experience of cyber security. However, like smaller companies, many still have limited capability to implement the full range of controls necessary to achieve robust cyber protection. Small organisations (including single employee businesses), and even some medium-sized organisations, may need to obtain further guidance and support to ensure the technical controls are adequate.
Cyber security is the activity required to protect an organisation’s computers, networks, software and data from unintended or unauthorised access, change or destruction via the internet or other communications systems or technologies. Effective cyber security relies on people and management processes as well as technical controls.
In order to maintain security and to prevent processing in infringement of the GDPR, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.
Steps to cyber security
An effective approach to cyber security starts with establishing an effective organisational risk management regime. Clearly communicate your approach to risk management with the development of applicable policies and practices. These should aim to ensure that all employees, contractors and suppliers are aware of the approach, how decisions are made, and any applicable risk boundaries.
You should develop a strategy to remove or disable unnecessary functionality from systems, and to quickly fix known vulnerabilities. Apply security patches and ensure the secure configuration of all systems is maintained. Create a system inventory and define a baseline build for all devices.
The connections from your networks to the Internet, and other partner networks, expose your systems and technologies to attack. Protect your networks from attack. Defend the network perimeter, filter out unauthorised access and malicious content. Monitor and test security controls.
Managing user privileges
All users should be provided with a reasonable (but minimal) level of system privileges and rights needed for their role. Establish effective management processes and limit the number of privileged accounts. Limit user privileges and monitor user activity. Control access to activity and audit logs.
User education and awareness
Users have a critical role to play in their organisation’s security and so it's important that security rules and the technology provided enable users to do their job as well as help keep the organisation secure. Produce user security policies covering acceptable and secure use of your systems. Include in-staff training. Maintain awareness of cyber risks.
All organisations will experience security incidents at some point. Investment in establishing effective incident management policies and processes will help to improve resilience, support business continuity, improve customer and stakeholder confidence and potentially reduce any impact. Establish an incident response and disaster recovery capability. Test your incident management plans. Provide specialist training. Report criminal incidents to law enforcement.
Malicious software, or malware is an umbrella term to cover any code or content that could have a malicious, undesirable impact on systems. Produce relevant policies and establish anti-malware defences across your organisation.
System monitoring provides a capability that aims to detect actual or attempted attacks on systems and business services. Good monitoring is essential in order to effectively respond to attacks. Establish a monitoring strategy and produce supporting policies. Continuously monitor all systems and networks. Analyse logs for unusual activity that could indicate an attack.
Removable media controls
Removable media provide a common route for the introduction of malware and the accidental or deliberate export of sensitive data. Produce a policy to control all access to removable media. Limit media types and use. Scan all media for malware before importing onto the corporate system.
Home and mobile working
Mobile working and remote system access offers great benefits, but exposes new risks that need to be managed. Develop a mobile working policy and train staff to adhere to it. Apply the secure baseline and build to all devices. Protect data both in transit and at rest.
The content herein is provided for your convenience and does not constitute legal advice.
Compliance Technology Solutions B.V. 2018