The best way to avoid suffering fines under the GDPR is not to have a breach in the first place; and to do that you need to make sure your cybersecurity is up to scratch against modern threats.
The most important thing to remember is that when it comes to cybersecurity, there is no magic bullet. Your customer data can be stolen via a website hack, a malware attack, an infected email, a rogue USB, social engineering, and many, many others. There is no single piece of software or hardware that can protect perfectly against all of this, and that is why Kogo advocates for the layers of security approach.
Many companies think a standard firewall or router will protect the network, and have no idea how vulnerable this leaves all their systems. A standard firewall is like a simple lock, or even just a closed door: nothing that will stop a determined cybercriminal! A UTM (Unified Threat Management) firewall, by contrast, is like having a professional lock and a bouncer outside to deter criminals. A standard firewall won’t protect you if one of your employees, or a visiting guest, unknowingly connects an infected device to the network; a UTM firewall constantly scans for threats both external and internal, meaning even employee error is accounted for!
Vulnerabilities like these exist at every layer of your systems: standard antivirus cannot help with many email-borne attacks, and zero-day viruses can bypass the cheap or free antivirus solutions many businesses rely on.
With layers of security, you don’t rely on any single solution to keep you safe. Instead, any attack has to get past multiple sophisticated layers of protection to infect your systems and steal your data. For instance, an infected email might be able to break through standard antivirus, but it’s probably not going to get through targeted email protection, endpoint antivirus, and a hardware firewall any time soon. By properly protecting every point of weakness, you bring down the chances of a data breach hugely. If there’s no data breach to begin with, there are no fines, no reputation loss, and no infections or damage to clean up!
I’m not saying building a wall of defences, vulnerability testing, and awareness are the only things you need to consider for the GDPR, but you have to start somewhere, and improving your cybersecurity is a lot better than what many companies are doing: burying their heads in the sand and pretending the GDPR won’t affect them.
Just How Bad Are the Fines?
The fines for a breach under the GDPR are very heavy. The fines are variable, based on the breach and the company’s efforts to resolve it, but they have a theoretical maximum of twenty million euros, or 4% of the company’s annual global turnover, whichever is higher. Lesser incidents have an upper limit of half those numbers; that’s still disastrous for most businesses!
As an example, when TalkTalk was fined over its data breach in 2016, the penalty was £400,000. But, as reported by The Register, under the GDPR that charge could have gone up to roughly £59 million!
If you suffer a breach, proving you had done your best to protect the stolen data will heavily decrease any fines you may receive. Cyber Essentials is a government-backed certification designed to help you ensure your cybersecurity, and to prove you did so should things go wrong.
Cyber Essentials certification is proof that you have worked to attain a fundamental level of IT security. It has two tiers, both based on finding and patching basic holes in your IT infrastructure that could have been easy methods of attack for cyber criminals.
The first level of Cyber Essentials is a self-assessment questionnaire that has you investigate your cybersecurity and sort through your vulnerabilities, helping you patch hidden weaknesses in your systems. The second level is Cyber Essentials Plus, where a third party comes in to double-check that same checklist and perform penetration testing to find the weaknesses cybercriminals will check for!
Penetration testing is, in essence, attacking your own systems. By playing the part of an outside cybercriminal and performing non-damaging attacks on your systems, a penetration tester can find the weaknesses real cybercriminals could exploit to steal data or infect your company, highlighting them for you to patch before it is too late. Kogo highly recommends all companies perform penetration testing of their systems, along with monthly vulnerability scans, as these are an excellent indicator of your overall security.
You may need some help from an IT expert while undergoing the Cyber Essentials questionnaire, as it can get quite technical and in-depth, but it is a very good start not only to put you in a more defensible position, but also to identify risk areas in your business, and put you on the path to improving your cybersecurity.
The most important thing to remember is that these issues surrounding the GDPR are much easier to deal with while there’s time to spare. Don’t wait until the last minute, or later, to reform your data handling policies, initiate cybersecurity best practices, and get Cyber Essentials certified! Contact Kogo now for assistance getting your business compliant, from qualifying for Cyber Essentials to setting up a cybersecurity stronghold of layered security!
Contact Kogo on 01342 333000.