In this week’s Whiteboard Wednesday, Samantha Humphries, international solutions marketing manager at Rapid7, explains how to best secure your data prior to GDPR implementation on May 25, 2018.
Welcome to Whiteboard Wednesday. My name is Sam Humphries and I am the international solutions marketing manager for Rapid7. Today we are going to talk about securing ahead of the general data protection regulation, or GDPR, which comes into effect on the 25th of May, 2018.
Okay, we have some recommendations for you. Securing is only part of GDPR, but it's a very important part. First of all, encrypt your data. You may already be encrypting data on laptops that leave your environment. It's also important to encrypt personal data in transit and also at rest. If you are unfortunate enough to be breached, ensuring that that data is encrypted is a very important step, to making sure that that data cannot be used for nefarious purposes by an attacker.
As you are going through and setting up your security program, making changes to it and even doing things like vulnerability management, making sure that you prioritize based on risk is called out specifically within GDPR. You have to maintain a level of security appropriate to the risk. For systems that process or hold personal data, or indeed systems that can access them, making sure you prioritize their security based on risk is a vital step.
Don't forget about your web applications. Privacy by design is called out in the GDPR text multiple times. From the moment that a data subject can enter data to your organization, through a web form for instance, making sure that that is secured using some sort of testing tool, to make sure that the web apps aren't vulnerable to attack, is a good step towards GDPR compliance.
Understanding your weak spots is an important part of any security program. Level setting and knowing where you are today will give you an idea of where you need to build. As you're preparing, doing something like a pen test will be a good start. Additionally, you have to have a process in place for understanding how good your security stack is. This is an ongoing thing, to make sure that you can test and assess how effective your security policies and software are.
Making sure you have a capability to detect attackers quickly and early will stand you in good stead as far as data breaches are concerned. The best data breach you can have is one that you prevent, or don't have in the first place. Having some technologies in place to be able to spot attackers early, or being well prevent them from accessing data and breeching your environment.
The cloud is another area where you need to take care. Data these days is everywhere, it's not just stored on servers. If you don't have visibility into cloud services that your users are using, it's altogether possible that you don't have full visibility into where your data is, and ignorance doesn't count as an excuse when it comes to GDPR. Make sure you understand what services are in play and make sure that they are confirmed services that your users are supposed to use and that you're not suffering from shadow IT.
Finally, make sure that you limit access to those who need it. This could mean going through and checking who has access to some of your user accounts. If you have multiple people utilizing a password-less admin account. This could be bad. Do you have people accessing an account where they all know the password? Do you have accounts for instance, where you've granted admin access to certain systems or applications, because that was easier in going through and doing role-based access, based on what they really needed?
If you've given them admin access, they can just do what they want. With GDPR, making sure that people can only access the data they're supposed to be able to access and they can access the programs that use that data, will definitely be considered when you're looked at to see if you're compliant.
If you need help with any of these things, please have a look at the links below. Thank you for joining us.
