Universal Data Protection explains how to reduce your risk of data loss from an ‘insider threat’, which can include theft of IP, theft of a client database, or exposure of employee or client personal data.
Insider threat is important to contain because more data breaches are the result of a trusted employee or third-party supplier leaking information than of external hackers gaining access to your data. Cyber security technologies such as anti-virus, penetration testing and endpoint detection help stop external hackers gaining access, but they cannot stop authorised personnel stealing or damaging data through malicious intent or human error. Therefore, if you rely on cyber security technologies alone, you will fall short in protecting your data.
Many SMEs believe GDPR does not apply to them. Leading up to May 2018, I was asked by multiple small business owners, ‘Does GDPR apply to us?’ Almost 12 months later, I am still being asked this question. As a result, many SMEs are falling short of GDPR compliance, resulting in a massive risk to the business, as 60% of SMEs will fold within 6 months of being attacked.
In the past, CEOs and boards have shown a lack of commitment to protecting employee and client data from being exposed through a cyberattack or insider threat; they have viewed it as an inevitable fate rather than a risk that needs to be controlled. Because companies are failing to protect personal information, we continue to see our personal information exposed to the criminal world, placing our identity at risk. This has happened with Facebook, Fitbit, Quora, Starwood and British Airways, as well as SMEs such as Houzz, FEMA etc. SMEs are often primary targets for criminals because their weaker controls make their systems easy to access, and that access is then used as a route into larger businesses.
With data breaches continuing to occur, a new EU law has come into force: the General Data Protection Regulation, also known as GDPR. From now on, companies who expose the personal data of employees or individuals will face fines of up to 4% of global revenue or 20 million euros.
But does GDPR apply to your business?
If you collect, use, hold or do anything else with personal information about your employees, your clients or both that can identify that person (for example an email address, physical address, phone number or financial information), then your company will have to comply with GDPR regardless of its size, as you are deemed to be a ‘Data Controller’.
If you are still unsure whether GDPR applies to your business, please take this short assessment provided by the Information Commissioner’s Office, also known as the ICO. The ICO is the UK’s independent regulatory body that investigates data breaches and issues fines.
Once you have taken this short test, if the answer is yes, move to the next step, which is to check whether you need to register your business with the ICO. Please take this assessment to confirm.
Finally, if you are required to register your business, you can do so by visiting this link.
You have now completed the first step towards protecting your data under UK law. The next article in this series will delve deeper into protecting data by looking at the difference between cyber security and data management. If you have additional questions on GDPR and compliance, you can contact us at firstname.lastname@example.org.
This article was written by Tanya Harris, Co-Founder of Universal Data Protection, CEO of Harrman Cyber, and an insider threat business partner of Amazon Web Services. They specialise in reducing the risk of insider threats and in data management. She can be contacted at email@example.com.