Making a complete cyber security checklist – 5 essential data protection controls

In our last article we talked about the ‘organisational measures’ you should carry out to ensure the protection of personal data.  Now let’s consider the ‘technical measures’ you’re required to implement.

As we stated previously, the GDPR isn’t too forthcoming about the exact actions organisations should take to protect personal information.  However, some clues can be found in article 32, which states that data processors and controllers should implement measures which ensure:

‘the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;’

So let’s get started and examine 5 essential technical controls required to satisfy this provision.

Cyber attack defences

The 2022 Cyber Security Breaches Survey found that, over the preceding 12-month period, over 40% of UK businesses suffered an identifiable cyber attack. With cyber criminals perpetrating the overwhelming majority of data breaches, safeguarding personal data should always start with solid cyber security defences.

Start by ensuring your environment falls under the scope of rigorous firewall protections, with rules configured to prohibit access to corners of the web that aren’t required for work purposes.

Deploy network-wide antivirus software.  These programmes work in different ways, but usually contain a filtering element (to prevent malware entering your environment in the first place) alongside detection and removal/quarantine capabilities.

It’s also essential to use email protection technologies, as email is the most common vector of malware transmission and phishing attempts. Email filtering uses known threat signatures to block emails presenting the hallmarks of malicious intent, intercepting such emails before employees are able to engage with them.

Anti-spoofing controls are another important consideration.  ‘Spoofing’ refers to the impersonation of a trusted entity by a cyber criminal, in order to carry out some sort of malicious action.  To thwart such attacks, email authentication measures should be introduced.  Establishing a DMARC policy (Domain-based Message Authentication, Reporting & Conformance) is a good example of such a measure.
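
A DMARC policy is published as a DNS TXT record at `_dmarc.<your domain>`, and the setting that matters most is the `p=` tag: `p=none` only asks receivers to send you reports, while `p=quarantine` or `p=reject` tells them to act on mail that fails the SPF and DKIM checks. The small Go program below is an added example, not code from Net Platforms, that parses two constructed records for the hypothetical domain example.com and reports which of them actually enforces anything and what a reviewer would flag; the record texts, the domain and the `Findings` checks are all assumptions made for the illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed example records for the hypothetical domain example.com.
// The first only monitors; the second tells receivers to reject failures.
const (
	MonitorOnlyRecord = "v=DMARC1; p=none; rua=mailto:dmarc-reports@example.com"
	EnforcingRecord   = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc-reports@example.com"
)

// DMARCRecord holds the tags a defender cares about from a DMARC TXT record.
type DMARCRecord struct {
	Policy    string            // p=   none | quarantine | reject
	SubPolicy string            // sp=  policy for subdomains (optional)
	ReportURI string            // rua= where aggregate reports are sent
	Percent   string            // pct= share of failing mail the policy applies to
	Tags      map[string]string // every tag as parsed
}

// ParseDMARC splits a record of the form "v=DMARC1; p=reject; ..." into tags
// and validates the two mandatory ones (v and p).
func ParseDMARC(txt string) (DMARCRecord, error) {
	rec := DMARCRecord{Tags: map[string]string{}, Percent: "100"}
	for _, part := range strings.Split(txt, ";") {
		part = strings.TrimSpace(part)
		if part == "" {
			continue
		}
		kv := strings.SplitN(part, "=", 2)
		if len(kv) != 2 {
			return rec, fmt.Errorf("malformed tag %q", part)
		}
		rec.Tags[strings.ToLower(strings.TrimSpace(kv[0]))] = strings.TrimSpace(kv[1])
	}
	if rec.Tags["v"] != "DMARC1" {
		return rec, fmt.Errorf("record must contain v=DMARC1")
	}
	rec.Policy = strings.ToLower(rec.Tags["p"])
	switch rec.Policy {
	case "none", "quarantine", "reject":
	default:
		return rec, fmt.Errorf("missing or invalid p= tag %q", rec.Tags["p"])
	}
	rec.SubPolicy = strings.ToLower(rec.Tags["sp"])
	rec.ReportURI = rec.Tags["rua"]
	if pct, ok := rec.Tags["pct"]; ok {
		rec.Percent = pct
	}
	return rec, nil
}

// Enforcing reports whether receivers are told to act on all failing mail;
// p=none (monitoring) and pct<100 both leave spoofed mail flowing.
func (r DMARCRecord) Enforcing() bool {
	return (r.Policy == "quarantine" || r.Policy == "reject") && r.Percent == "100"
}

// Findings lists the gaps a reviewer would raise against the record.
func (r DMARCRecord) Findings() []string {
	var out []string
	if r.Policy == "none" {
		out = append(out, "p=none only monitors: spoofed mail is still delivered")
	}
	if r.Percent != "100" {
		out = append(out, "pct="+r.Percent+": policy applies to only part of failing mail")
	}
	if r.ReportURI == "" {
		out = append(out, "no rua= address: you will not receive aggregate reports")
	}
	if r.SubPolicy != "" && r.SubPolicy != r.Policy {
		out = append(out, "sp="+r.SubPolicy+" differs from p="+r.Policy+": subdomains are treated differently")
	}
	return out
}

func main() {
	for _, txt := range []string{MonitorOnlyRecord, EnforcingRecord} {
		rec, err := ParseDMARC(txt)
		if err != nil {
			fmt.Println("error:", err)
			continue
		}
		fmt.Printf("%s\n  enforcing=%v findings=%v\n", txt, rec.Enforcing(), rec.Findings())
	}
}
```

The usual rollout is to publish with `p=none` and a `rua=` address first, read the aggregate reports until every legitimate sender is covered by SPF or DKIM, and only then move to `p=quarantine` and finally `p=reject`; the `Findings` output is a quick way to see where a domain sits on that path.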

Lastly, for more elevated defence capabilities, consider the use of an extended detection and response platform.  Such platforms consolidate security oversight and control into one interface, allowing security personnel to detect threats and take action to safeguard endpoints, network and cloud assets from a single command portal.

Secure data disposal

It’s important to ensure that disposal processes guarantee the comprehensive destruction of data, both in the case of paper-based and digital storage media.  This means ensuring information is not decipherable should someone encounter it either accidentally or deliberately.  Paper documents must be shredded thoroughly before disposal, and any third-party document recycling companies must be vetted for GDPR compliance.

In the case of digitally-stored data, simply deleting files and folders at operating system level prior to disposal is not enough.  Processes like ‘degaussing’ – which uses magnetism to render storage devices unreadable – should be used to guarantee data can never be recovered from end-of-life devices.

Robust authentication measures

It is estimated that around 60% of data breaches involve account credentials. These can be obtained by cyber criminals using phishing attacks, but sometimes they are able to exploit weakly protected accounts using something known as a ‘brute force attack.’ This attack method uses software to try large numbers of username/password combinations automatically until one works. Once the account has been compromised, the criminal can often navigate the system extensively and inflict a great deal of damage before being discovered.

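A brute force attempt leaves a distinctive trace in authentication logs: many failures from one source in a short time, often spread across several accounts. The Go program below is an added example, not code from Net Platforms, that runs a simple sliding-window detection over a constructed sample of log lines; the log format (`<RFC3339 time> auth FAILED|SUCCESS user=<name> src=<ip>`), the IP addresses and the threshold of five failures in five minutes are all assumptions chosen for the illustration, and a real deployment would read the format your own systems emit.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed sample of an authentication log in a simplified syslog-like
// layout: "<RFC3339 timestamp> auth <FAILED|SUCCESS> user=<name> src=<ip>".
// 203.0.113.7 hammers three accounts in about a minute; 192.0.2.10 fails
// twice, 25 minutes apart, which looks like an ordinary typo.
var SampleAuthLog = []string{
	"2024-03-01T09:00:01Z auth FAILED user=alice src=203.0.113.7",
	"2024-03-01T09:00:09Z auth FAILED user=alice src=203.0.113.7",
	"2024-03-01T09:00:17Z auth FAILED user=alice src=203.0.113.7",
	"2024-03-01T09:00:30Z auth SUCCESS user=dave src=198.51.100.5",
	"2024-03-01T09:00:41Z auth FAILED user=bob src=203.0.113.7",
	"2024-03-01T09:00:52Z auth FAILED user=bob src=203.0.113.7",
	"2024-03-01T09:01:03Z auth FAILED user=carol src=203.0.113.7",
	"2024-03-01T09:15:00Z auth FAILED user=erin src=192.0.2.10",
	"2024-03-01T09:40:00Z auth FAILED user=erin src=192.0.2.10",
}

type authEvent struct {
	at     time.Time
	failed bool
	user   string
	src    string
}

// parseLine extracts the fields from one log line in the assumed format.
func parseLine(line string) (authEvent, error) {
	f := strings.Fields(line)
	if len(f) != 5 || f[1] != "auth" {
		return authEvent{}, fmt.Errorf("unexpected line %q", line)
	}
	at, err := time.Parse(time.RFC3339, f[0])
	if err != nil {
		return authEvent{}, err
	}
	return authEvent{
		at:     at,
		failed: f[2] == "FAILED",
		user:   strings.TrimPrefix(f[3], "user="),
		src:    strings.TrimPrefix(f[4], "src="),
	}, nil
}

// Alert describes a source that produced too many failures too quickly.
type Alert struct {
	Source   string
	Failures int      // failures inside the densest window
	Users    []string // distinct accounts targeted, sorted
}

// DetectBruteForce returns one Alert per source whose failed logins reach
// threshold within any sliding window. Lines are assumed to be in time
// order, as they are when tailed from the log.
func DetectBruteForce(lines []string, threshold int, window time.Duration) ([]Alert, error) {
	times := map[string][]time.Time{}
	users := map[string]map[string]bool{}
	for _, line := range lines {
		ev, err := parseLine(line)
		if err != nil {
			return nil, err
		}
		if !ev.failed {
			continue
		}
		times[ev.src] = append(times[ev.src], ev.at)
		if users[ev.src] == nil {
			users[ev.src] = map[string]bool{}
		}
		users[ev.src][ev.user] = true
	}
	var alerts []Alert
	for src, ts := range times {
		// Two-pointer sweep: j trails i so that ts[j..i] always fits in the window.
		best, j := 0, 0
		for i := range ts {
			for ts[i].Sub(ts[j]) > window {
				j++
			}
			if n := i - j + 1; n > best {
				best = n
			}
		}
		if best >= threshold {
			var names []string
			for u := range users[src] {
				names = append(names, u)
			}
			sort.Strings(names)
			alerts = append(alerts, Alert{Source: src, Failures: best, Users: names})
		}
	}
	sort.Slice(alerts, func(a, b int) bool { return alerts[a].Source < alerts[b].Source })
	return alerts, nil
}

func main() {
	alerts, err := DetectBruteForce(SampleAuthLog, 5, 5*time.Minute)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, a := range alerts {
		fmt.Printf("possible brute force from %s: %d failures against %v\n", a.Source, a.Failures, a.Users)
	}
}
```

Counting per source rather than per account is deliberate: an attacker trying one common password against many accounts (a ‘password spray’) never trips a per-account lockout, but still shows up as many failures from one origin. The same alert is the natural trigger for the controls discussed next, such as temporary lockout, rate limiting or requiring a second factor.
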
So what can be done?

A robust password policy is a great place to start.  Employees should be instructed on password best practice, with guidance given in relation to password length, complexity and reset frequency.  Creating unique, complex passwords that are required to be reset regularly will reduce the success rate of password hacking attempts.

If it’s available to you, however, you should definitely consider activating multi-factor authentication, including passwordless options for maximum protection. On top of ‘something you know’ (typically a password or PIN), additional authentication factors can include ‘something you have’ (for example a code sent to a registered device) and ‘something you are’ (a biometric element such as a fingerprint or facial recognition).

Lastly, you should apply additional access controls to the more sensitive data types, including what the GDPR refers to as ‘special category data.’  Apply additional password protections to files containing such data, and grant access on a strictly need-to-know basis.

Physical Security

While cyber security is often viewed as the most pressing threat facing data processors, it’s important not to let your guard down when it comes to physical security. This means rigorously implementing physical access controls to your premises, including sign-in procedures, ID verification and guest access restrictions. Visitors should be supervised as much as is practicably possible, and should never be left alone in the presence of sensitive data. Depending on the size and nature of your organisation, it could be worth investing in physical security infrastructure such as CCTV, alarm systems and security turnstiles.

Encryption and pseudonymisation

Curiously, this is the only technical measure the GDPR is explicit about.

Encryption transforms data so that it is indecipherable to onlookers. The process uses a ‘key’, which, when held by the intended recipient, reverses the transformation and makes the data readable once again. Wholesale database encryption can be costly to implement, so this protection method is best applied solely to more sensitive data types on a file-by-file, folder-by-folder basis.

Virtual private networks are a great way to introduce encryption for data in transit. Establishing one between offices, for example, creates an encrypted pathway for data transfer, shielding data from prying eyes as it passes through public networks.

Email encryption tools are another simple and accessible way to introduce encryption. They can make receiving an email slightly more clunky for the recipient, who may have to install the same encryption software you’re using or decode the email using a key, but such tools are a great way to safeguard information that is more sensitive or business-critical in nature.

Finally, let’s talk about pseudonymisation. Fortunately, in this instance the GDPR precisely defines the term, explaining:

‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person’

Essentially this means encoding datasets so that an onlooker cannot link the information to an identifiable individual without further information. A great way to protect personal information, this can render data useless to a criminal actor unless the supporting information is also obtained.

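The definition quoted above has two halves: the dataset must no longer identify anyone on its own, and the ‘additional information’ that would re-link it must be held separately. The Go program below is an added example, not code from Net Platforms, that pseudonymises a constructed HR-style dataset by replacing each email address with a keyed hash (HMAC-SHA256) and keeps the secret key and reverse-lookup table apart from the dataset. The sample records, the field names and the choice of HMAC are assumptions for the illustration; the key point it shows is why a secret key is needed at all, since a plain hash of an email address can be guessed back from a list of candidate addresses.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"io"
	"strings"
)

// Record is a row of a constructed HR-style dataset.
type Record struct {
	Email      string
	Department string
	Salary     int
}

// PseudonymisedRecord is the same row with the email replaced by a token.
type PseudonymisedRecord struct {
	Subject    string // pseudonym standing in for the email
	Department string
	Salary     int
}

// Constructed sample input; alice appears twice (with different casing) to
// show that the token is stable for the same person.
var SampleRecords = []Record{
	{"alice@example.com", "Finance", 52000},
	{"bob@example.com", "Sales", 41000},
	{"Alice@Example.com", "Finance", 53000},
}

// NewPseudonymKey returns a random 256-bit secret. It is the "additional
// information" the GDPR definition talks about and must live apart from the
// dataset, under its own access controls.
func NewPseudonymKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// Pseudonymise maps an identifier to an HMAC-SHA256 token. The identifier is
// normalised first so "Alice@Example.com" and "alice@example.com" collide on
// purpose. A plain unkeyed hash would be guessable from a list of candidate
// emails; the secret key is what stops that.
func Pseudonymise(key []byte, identifier string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(strings.ToLower(strings.TrimSpace(identifier))))
	return hex.EncodeToString(mac.Sum(nil))
}

// Separate produces the pseudonymised dataset and a reverse-lookup table.
// The table is the second piece of "additional information": keep it (and the
// key) in a different system from the dataset so that a leak of the dataset
// alone cannot be linked back to individuals.
func Separate(key []byte, records []Record) ([]PseudonymisedRecord, map[string]string) {
	out := make([]PseudonymisedRecord, 0, len(records))
	lookup := map[string]string{}
	for _, r := range records {
		token := Pseudonymise(key, r.Email)
		out = append(out, PseudonymisedRecord{Subject: token, Department: r.Department, Salary: r.Salary})
		lookup[token] = strings.ToLower(strings.TrimSpace(r.Email))
	}
	return out, lookup
}

func main() {
	key, _ := NewPseudonymKey()
	dataset, lookup := Separate(key, SampleRecords)
	for _, row := range dataset {
		fmt.Printf("%s...  %-8s %d\n", row.Subject[:12], row.Department, row.Salary)
	}
	fmt.Println("re-identified using the separately held table:", lookup[dataset[0].Subject])
}
```

Because the token is stable, analysts can still count rows per person or join two pseudonymised tables; that linkability is what distinguishes pseudonymisation from anonymisation, and it is also why the key and lookup table deserve the same access controls as the raw personal data.
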
Conclusion

With cyber threats growing at an unprecedented rate and criminals using increasingly sophisticated methods, it’s never been so important to protect personal data with a range of effective security measures. With support from your tech team or IT provider, the above list can be used as a cyber security checklist, allowing you to apply comprehensive protection measures to your data and ensure compliance with the ‘integrity and confidentiality’ principle of UK GDPR.