The European Union's Parliament approved and adopted the General Data Protection Regulation (GDPR) in April 2016. The regulation takes effect after a two-year transitional period, meaning it will be fully enforced from May 25, 2018. From that date, non-compliant organizations face substantial fines. The fines are tiered, but at the top tier an organization can be charged up to 4% of annual global turnover or 20 million euros ($23,554,200), whichever is higher.
The GDPR applies to every organization that processes or holds the personal data of individuals in the EU, regardless of where the organization is located. It therefore covers organizations established within the EU, as well as organizations outside the EU that offer goods or services to, or monitor the behavior of, people in the EU. The rules apply to both controllers and processors of personal data, so cloud providers and other third-party processors are not exempt from the GDPR.
If information can be used to identify a person, directly or indirectly, it is protected under the GDPR. This includes, but is not limited to, names, email addresses, financial records, medical data, and IP addresses.
Steps to take to prepare for the GDPR:
- Perform a compliance audit against the GDPR legal framework to identify where gaps exist, then work to remediate these shortcomings.
- Classify the personal data your organization possesses that is protected by the GDPR and implement the appropriate security measures. This includes understanding what information you have, where it came from, who it is shared with, and who has access to it.
- Appoint a data protection officer where the regulation requires one (for example, public authorities and organizations whose core activities involve large-scale monitoring or processing of special categories of data).
- Document all processing activities and keep records available for the supervisory Data Protection Authority (DPA) in each country in which your organization conducts business.
- Make sure the appropriate contracts are in place to protect your organization, and verify that the processors and partners you engage with apply equivalent security measures.
Infringements of the GDPR include:
- Not having sufficient customer consent to process personal information.
- Not having records in order.
- Violating the “Privacy by Design” and “Privacy by Default” concepts.
- Failing to notify the supervisory authority of a personal data breach within 72 hours of becoming aware of it, or failing to notify affected data subjects when the breach is likely to result in a high risk to them.
- Not conducting a data protection impact assessment (DPIA) for high-risk processing.
Altogether, the GDPR is the most important change to data privacy regulations in decades. It is intended to make organizations more secure and accountable to their data subjects during all stages of their interactions. For more questions or to implement GDPR standards in your organization, please CONTACT US.
Federal governments and major technology firms are arguing against and for strong encryption, respectively. But why?
Due to recent political turmoil and devastating events overseas, the topic of end-to-end encryption has re-entered public discussion. At the center of the debate are federal governments, arguing for lawful access to encrypted communications, and major technology firms, defending end-to-end encryption that no third party, including the firm itself, can read.
The fourth quarter, the holiday season, is the most critical revenue driver for retail businesses, as consumers purchase gifts for family and friends. However, the increase in spending and in transfers of personally identifiable information provides an ideal opportunity for attackers to steal user credentials, payment information, and consumer goods.
Whether you are traveling, using your mobile device, or shopping in-store, COMPASS recommends that you take the following precautions to protect your sensitive information this holiday season:
- Create an email address used only for shopping sites, so that a data breach at one online retailer exposes as little of your identity as possible and does not put your primary mailbox at risk.
- Be wary of apps that impersonate well-known retailers. Red flags include misspelled words in the description, a very recent creation date, few reviews, and a publisher name that does not match the retailer.
- Do not use untrusted or unknown Wi-Fi hotspots, especially to make online purchases.
- Make sure the websites you use are secure: look for HTTPS rather than HTTP in the address bar. Keep in mind that HTTPS only means the connection is encrypted, not that the site is legitimate; phishing sites use HTTPS too, so also check that the domain name is the retailer's own.
- Use a single credit card for online transactions so that suspicious activity is easy to spot and, if the card is compromised, only that one card needs to be replaced.
For more holiday security best practices, download our Holiday Security Guide and follow the tips in the upcoming weeks to protect your information from being compromised.
Cyber security controls are only effective if there is no way to bypass them. If a vulnerability lets someone or something circumvent your organization's security standards, the whole network can be compromised through that one gap. With cybercriminals increasingly targeting known vulnerabilities on unpatched systems, especially through worms and other self-propagating malicious code, implementing a patch management process is critical to maintaining a strong security posture.
Patch management is the routine procedure of acquiring, testing, and installing updates for the software in your environment, primarily operating systems, applications, and firmware. The goal is a securely configured environment that is consistently protected against every known vulnerability for which a fix exists.
To be successful, patch management must be an ongoing process in which your system administrator or managed services provider:
- Maintains knowledge of available patches.
- Determines what patches are appropriate for the specific systems.
- Prioritizes the patches, fixing the most critical vulnerabilities first (taking into account severity, whether an exploit is known, and how exposed the affected system is).
- Tests the patches on non-critical or non-production systems before wider rollout.
- Performs backups before installing a patch, so a failed or disruptive update can be rolled back.
- Installs patches in stages and confirms that each one installed successfully.
- Tests the systems after installation, both that they still function correctly and that the vulnerability is actually closed (for example, by rescanning).
- Documents every installed patch and the process used, so the record can be audited and the next cycle can pick up where the last one left off.
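The steps above are easier to run consistently when the decisions are made by a script rather than by hand. The following is an added illustration, not COMPASS's own tooling: it matches a host inventory against a set of vendor advisories, decides which patches apply (by comparing installed versions numerically against the fixed version), ranks the work by severity and exposure, orders ties so non-production hosts are patched first, and refuses to log an installation that was attempted without a backup. The hosts, package versions, advisory identifiers and scoring weights are all constructed for the example, and version strings are assumed to be purely numeric dotted versions.

```python
"""
Patch triage: which advisories apply to which hosts, in what order, with an
audit record per installation. Added example; hosts, versions, advisory IDs
and the scoring weights are constructed, not real data or real policy.
"""
import json
from dataclasses import dataclass


def parse_version(version):
    """'4.7.10' -> (4, 7, 10). Tuples compare numerically, so 4.7.10 > 4.7.9;
    comparing the raw strings would rank them the wrong way round."""
    return tuple(int(part) for part in version.split("."))


@dataclass(frozen=True)
class Advisory:
    ident: str        # vendor advisory ID (constructed)
    package: str      # affected package
    fixed_in: str     # first version that carries the fix
    cvss: float       # CVSS base score, 0.0 to 10.0
    exploited: bool   # exploitation observed in the wild (e.g. wormable)


@dataclass(frozen=True)
class Host:
    name: str
    packages: dict            # package name -> installed version
    internet_facing: bool
    production: bool


def applicable(host, advisories):
    """Advisories whose package is installed on the host at a vulnerable version."""
    hits = []
    for adv in advisories:
        installed = host.packages.get(adv.package)
        if installed is None:
            continue                      # package not present: patch not appropriate here
        if parse_version(installed) < parse_version(adv.fixed_in):
            hits.append(adv)
    return hits


def priority(host, adv):
    """Urgency score: CVSS base score, plus 2.0 for internet exposure and
    3.0 for known exploitation. These weights are a hypothetical policy."""
    return adv.cvss + (2.0 if host.internet_facing else 0.0) + (3.0 if adv.exploited else 0.0)


def triage(hosts, advisories):
    """Work items, most urgent first. For equal urgency, non-production hosts
    come first so the patch is exercised there before it reaches production."""
    items = []
    for host in hosts:
        for adv in applicable(host, advisories):
            items.append({
                "host": host.name,
                "advisory": adv.ident,
                "package": adv.package,
                "installed": host.packages[adv.package],
                "fixed_in": adv.fixed_in,
                "priority": priority(host, adv),
                "production": host.production,
            })
    items.sort(key=lambda i: (-i["priority"], i["production"], i["host"]))
    return items


def install_record(item, backup_taken, installed_ok, post_test_passed):
    """One JSON line for the patch log. Refuses to record an installation that
    happened without a prior backup, enforcing the 'backup before patch' step."""
    if installed_ok and not backup_taken:
        raise ValueError(f"{item['host']}: patch installed without a backup; policy violation")
    return json.dumps({**item, "backup_taken": backup_taken,
                       "installed_ok": installed_ok,
                       "post_test_passed": post_test_passed}, sort_keys=True)


# Constructed inventory and advisories (not real hosts, versions or CVEs).
HOSTS = [
    Host("fileserver-01", {"smbd": "4.7.1", "openssl": "3.0.7"}, internet_facing=False, production=True),
    Host("web-01", {"nginx": "1.22.1", "openssl": "3.0.5"}, internet_facing=True, production=True),
    Host("dev-01", {"smbd": "4.7.3", "openssl": "3.0.2"}, internet_facing=False, production=False),
    Host("dev-02", {"smbd": "4.7.0"}, internet_facing=False, production=False),
]
ADVISORIES = [
    Advisory("ADV-0001", "smbd", "4.7.3", cvss=9.8, exploited=True),
    Advisory("ADV-0002", "openssl", "3.0.7", cvss=7.5, exploited=False),
    Advisory("ADV-0003", "nginx", "1.22.1", cvss=5.3, exploited=False),
]

if __name__ == "__main__":
    for item in triage(HOSTS, ADVISORIES):
        print(f"{item['priority']:5.1f}  {item['host']:<14} {item['advisory']}  "
              f"{item['package']} {item['installed']} -> {item['fixed_in']}")
```

With the constructed data, the wormable smbd advisory outranks everything else even on an internal host, the two affected dev boxes sort ahead of production at equal urgency, and `web-01` and `dev-01` are already at the fixed nginx and smbd versions respectively, so no work item is generated for those. In a real deployment the inventory would come from your configuration management or vulnerability scanner and the advisories from the vendor feeds, and the post-install test would include a rescan to confirm the vulnerable version is gone.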
Patch management is a critically important aspect of cyber security risk management because outbreaks like WannaCry happen when already-patched vulnerabilities are exploited on systems that never received the fix; the SMB vulnerability WannaCry used had been patched by Microsoft about two months before the outbreak. In an organization with hundreds of systems, a single compromised system can harm the entire network. Virtually no software ships without later needing modification or upgrade, so a process must be in place to distribute patches and remediate known vulnerabilities.
If you would like to discuss patch management in your organization, please CONTACT US.