GDPR Regulations and Protecting Your Data from Insider Threats

In my last blog I talked about the importance of understanding what data you hold and where it is stored, so that you can ensure that you are protecting it suitably in readiness for GDPR.

Today I wanted to elaborate on considerations around protecting your data. In preparing your recruitment business for GDPR it is important to realise that as well as securing your personal data from external cyber threats, a subject I covered in this previous blog, you also need to be securing it from insider threats.

So what do I mean by insider security threats?

Well this can be something like a rogue employee, a disgruntled ex-member of staff, or a leaver who perhaps takes data such as a client list or candidate list with him when he leaves your organisation. Equally, and more commonly, it can be a genuine member of staff who accidentally causes a security breach or data loss.

We’re all so busy these days, trying to keep all the plates spinning and land the next deal, that when it comes to using our IT systems and accessing our data our natural tendency is to take the quickest and easiest option. Whether that’s making all our passwords the same for ease of memorability, copying a few files to dropbox to quickly share them with someone else, giving a colleague our password to make life easier, copying some files to a USB stick to work on at home later, stopping software updates or antivirus running so we can get on with our work, or clicking on a rogue attachment in our haste, our good intentions can very easily and quickly lead to a data breach. And with GDPR on the way, the reputational damage and considerable fines that follow a data breach can be potentially devastating for any business, especially one like recruitment, where so much personal data is held as a matter of course.

Human error is actually one of the commonest causes of a data breach, so it is good practice to put in place policies and controls that will minimise the risks of such an occurrence. Password policies would be one such control. I’m sure for ease of memorability, we would all naturally tend towards an obvious password, but these are very easily guessable and as such do not provide the level of care and protection of your confidential data that GDPR demands. Equally, there is a fine balance to be struck, as overly complex password policies, which demand long and complex passwords which frequently change, can result in staff feeling the need to write their passwords down – and having passwords recorded on sticky notes certainly doesn’t demonstrate due care of confidential data under GDPR!

Having appropriate processes and procedures around starters and leavers is also key in ensuring that only authorised personnel have access to your confidential data. Equally, it is best practice to only give staff the minimum access to systems and data that is needed to do their job, in order to minimise risk from a data breach or deletion, whether accidental or deliberate.

Staff education is also vital in ensuring that your systems are not compromised by security threats like malware or ransomware, which are often transmitted via rogue emails.

Mobile working has also opened up a plethora of new challenges, and preventing data loss or data leakage from mobile devices is a key area that needs careful management under GDPR. With company emails now frequently being synchronised to personal mobile phones, and data often being held on laptops to enable remote working, it is all too easy for confidential data to accidentally get lost if a device is mislaid or stolen.

Equally staff can sometimes be unaware of the implications of having certain pieces of software on their laptop, home PC, tablet or smart phone and may be unwittingly backing up or synchronising confidential and/or personal company data to an unsuitable or insecure location somewhere in the cloud. With many public cloud services hosted worldwide, it is important to realise that such practices can easily be inadvertently creating a breach of the GDPR, which imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organisations, in order to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Nowadays, it is also likely that external organisations or third parties may have legitimate access to some of your IT systems or data. In this case this needs to be secured in just the same way as it is for your own staff, so you are clear who has access to what data, why this is needed and how it is controlled. There also need to be procedures in place to review, amend and remove access for third parties, as business relationships evolve and change.

Luckily there are solutions to effectively manage the risk around data breaches. Technology is part of the solution, but equally important are your processes, procedures and controls to ensure you minimise your company’s risk from insider threats as well as protecting against the more highly publicised external security threats and cyber attacks.

Epoq IT offer one of the few security services that cover both sides of the equation. MySecurity is an affordable subscription-based service for small and medium sized recruitment consultancies that provides effective protection from insider and external threats through a blend of technologies, processes, procedures and staff training. To find out more about MySecurity, please download the MySecurity data sheet.

If this article has raised any questions you would like to discuss or you would like more information about Epoq IT’s range of GDPR readiness solutions, please do not hesitate to contact me on  (01494) 444065 or email gary.swanwick@epoq-it.co.uk