What use is a GDPR consultant when you can’t be sure of your identity?
2018 is going to be a funny year if what I’ve seen and read so far in 2017 is anything to go by. We have the biggest shake up in data protection in a generation and it is causing quite a stir. To add to that, spammers seem to have hit the jackpot with various types of spam that confound even world class anti–spam products and they seem to be getting some traction.
One thing we do well at Nitec is reporting. I have a bit of a mantra that I drum into the guys and gals in the office. What gets measured, gets done. Most of you will have heard that before and it’s a great mantra for security. The only way to get security implemented to a high standard is to monitor it to death and keep talking about it to clients.
Let’s not get things round the wrong way though. GDPR is a good thing. Having control of your data is a good thing. I have no beef with GDPR. What I have a beef with is customers spending money on learning about GDPR and talking about GDPR while simultaneously having no interest in security.
There are two things that you can do today and while they cost very little, they have a significant impact on your GDPR compliance and fortunately for you, average IT Joe, they are as simple as pie to test. So, let’s talk two measures you can use to get some stuff done.
1) Have you enabled 2 Factor Authentication?
Basic 2 factor is free (at least on Office 365) and is the single biggest uplift you can get this year to your security. Identity is the one thing you need to be sure of. If you can’t be sure the people logging on are the people they say they are, you are just wasting time even talking about GDPR. Before you can say “Aw crap, I’ve stuck my password into a fake web site”, you’ll be reporting a breach to the Data Commissioner. You are either doing this or you’re not. If you’re not, then, as our Liz might say, 2018 is going to be an “Annus Horribilis”.
2) Have you organised your data?
The second part of identity is roles. The first part, from point 1 above, is “Is the person logging on who they say they are?”. This section is about what a person can see once they have logged on. When I go to see people I far too often find a humungous ball of data that everyone has access to. This is a risk for crypto viruses, as they run wild through everything the infected user can write to. It also means far more people can access data than need to.
Luckily this is easily tested too, or at least this will give you a feel. If your company is like my company, you have a number of departments. If you can’t email them, that is a pretty good sign that your data is all over the place. In other words, can I email marketing, accounts or firstname.lastname@example.org? Why? Because if you don’t have departments in your IT system you can’t be using them to secure stuff. If you’re not doing that, you’re probably not securing stuff correctly. Plainly and simply, it’s too hard otherwise.
Don’t believe me? If you came back as a fail on this test, go and ask where marketing store their data. I’ll bet that too many people have access. I might be wrong, but since I started in IT 17 years ago I reckon I can count on my ovaries the number of people who have no groups and simultaneously have good permissions.
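Both tests above (who has 2 factor switched on, and whether data is secured through departmental groups or handed out to everyone and to individuals) come down to measuring something and putting it in a report. The script below is an added example written for this post; it is not Nitec’s tooling and not anything from Microsoft. It runs over a small set of constructed sample data (hypothetical users, groups and file shares, not exported from any real tenant) and produces the two numbers you would actually want on a page: which accounts still lack MFA, and for each share how many people can really get at it and why.

```python
"""Two quick identity-and-roles checks as a report.

Check 1: which accounts have multi-factor authentication (2FA) enabled.
Check 2: is share access granted through departmental groups, or is it
         open to everyone / granted to individual users directly?

All data below is CONSTRUCTED sample data (hypothetical tenant and shares),
not an export from any real system. Plug in your own export in its place.
"""
from dataclasses import dataclass, field

# Built-in principals that mean "the whole company" on a Windows file server.
BROAD_PRINCIPALS = {"Everyone", "Domain Users", "Authenticated Users"}


@dataclass
class User:
    name: str
    mfa_enabled: bool
    groups: list = field(default_factory=list)


@dataclass
class Share:
    path: str
    aces: dict  # principal -> permission level, e.g. "Read", "Modify", "Full"


# ---- constructed sample data (hypothetical) ----
USERS = [
    User("alice", True, ["Marketing"]),
    User("bob", False, ["Accounts"]),
    User("carol", False, []),            # no department group at all
    User("dave", True, ["Accounts", "IT"]),
]
GROUPS = {"Marketing": ["alice"], "Accounts": ["bob", "dave"], "IT": ["dave"]}
SHARES = [
    Share(r"\\fs01\Data", {"Everyone": "Modify"}),                 # the big ball
    Share(r"\\fs01\Marketing", {"Marketing": "Modify", "IT": "Full"}),
    Share(r"\\fs01\Accounts", {"bob": "Modify", "carol": "Modify", "IT": "Full"}),
]


def mfa_report(users):
    """Accounts without MFA plus percentage coverage (check 1)."""
    missing = sorted(u.name for u in users if not u.mfa_enabled)
    enabled = len(users) - len(missing)
    pct = round(100.0 * enabled / len(users), 1) if users else 0.0
    return {"missing_mfa": missing, "coverage_pct": pct}


def users_without_groups(users):
    """People with no department group cannot be secured by role."""
    return sorted(u.name for u in users if not u.groups)


def effective_users(share, users, groups):
    """Everyone who can reach the share once groups and broad principals expand."""
    names = set()
    for principal in share.aces:
        if principal in BROAD_PRINCIPALS:
            names |= {u.name for u in users}
        elif principal in groups:
            names |= set(groups[principal])
        else:
            names.add(principal)  # a user granted access directly
    return names


def share_findings(share, users):
    """Why a share fails the roles test: broad grants or per-user grants."""
    user_names = {u.name for u in users}
    findings = []
    for principal, perm in share.aces.items():
        if principal in BROAD_PRINCIPALS:
            findings.append(f"{principal} has {perm}: open to the whole company")
        elif principal in user_names:
            findings.append(f"{principal} granted {perm} directly, not via a group")
    return findings


def access_report(shares, users, groups):
    """Per-share summary: number of people with access and the findings (check 2)."""
    return {
        s.path: {
            "users_with_access": len(effective_users(s, users, groups)),
            "findings": share_findings(s, users),
        }
        for s in shares
    }


if __name__ == "__main__":
    print("MFA:", mfa_report(USERS))
    print("No department group:", users_without_groups(USERS))
    for path, row in access_report(SHARES, USERS, GROUPS).items():
        print(path, row["users_with_access"], "users;", "; ".join(row["findings"]) or "OK")
```

On the sample data the MFA check comes back at 50% coverage, the “Data” share is reachable by every account because Everyone has Modify, and the Accounts share fails not because of a broad grant but because two people were added by name instead of through the Accounts group. That last pattern is the one you find when departments do not exist in the directory: there is nothing to grant to but individuals.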
If you’re the boss, you need to take some action. Our worst-case scenario is that you end up having to report under GDPR. Step 1 is to sort out identity and roles. Get that done first and, if you need to, get us in to help. If you don’t do this first, GDPR is going to eat you for breakfast.