With so many companies unable to comply with GDPR now or in the future, we say the regulation is effectively dead. Yes, you’ll hear about hefty fines meted out to big organisations and multinationals who slip up. Still, regulators know many businesses cannot fully comply.
If you think of GDPR as “getting data protection right”, you might be closer to what the regulation is really about. Authorities want you to treat data with care and respect. As long as you do that, the type of harsh punitive action which makes headlines is unlikely ever to come your way.
At GDPR365, we’ve identified nine pillars of data protection which, if you address them all, will go a long way to preventing data breaches in your company. This article looks at the third pillar; vulnerability monitoring. We’ll discuss five network vulnerabilities and how to avoid them.
1. Missing Patches
One of the most common causes of cyberattacks is unpatched software or poor patch management. Unpatched software leaves security holes which are quickly exploited by criminals, even in the small amount of time it usually takes for a patch to become available. Running such software is risky, but businesses do it all the time.
It was a missing patch which caused the Equifax data breach of 2017, allowing cybercriminals to access the personal details of some 147 million US consumers.
A 2019 ServiceNow & Ponemon Institute survey found that 60% of data breaches occurred in situations where a security patch was available but not applied. Many companies have no patch management in place and only think about changing this after suffering a breach.
Companies often have countless patches to install at any one time, making them hard to deal with without disruption. In an excellent patch-management programme, patches are prioritised according to their criticality. Automated systems and methods cut response times between patch availability and installation, thus reducing risk.
Passwords are a major network vulnerability for several reasons. Included among them are bad practices such as password sharing between staff members, infrequent password changes, weak passwords, default passwords or even a complete lack of password protection.
In 2019, over 21 million unique passwords and 774 million email addresses were posted online for sale after a data breach. Emails and passwords hacked together pose a particular threat, potentially allowing access to online user accounts.
Cybercriminals may access passwords in various ways, such as by phishing or hacking. When hacking, they’ll use attack technology to crack weak passwords within seconds. Simple measures, such as increasing the number and complexity of characters, have a significant impact on password security.
Other measures against password vulnerability include password management tools and intruder lockout after a certain number of attempted entries.
3. USB Thumb Drives
The tiny size of USB thumb drives makes them the ideal storage system for inside security threats. Malicious employees are a real threat to network security, but so are those who unknowingly breach security by transferring data to their own devices before taking it home.
In 2017, a USB stick containing security data for Heathrow Airport was found under leaves in a West London street. Included on the drive was all types of sensitive data, ranging from security patrol details to CCTV locations and access details for restricted areas.
Aside from the threat of unauthorised data transfers, cybercriminals target USB drives and their typical autorun OS permission to infect computers and networks. A PC will run a piece of malware just as willingly as it does a legitimate programme.
Solutions to these problems include changing autorun policies, encrypting data so it can’t easily be read if hacked or moved, and staff training.
4. Mobile Devices and Public WiFi
A significant threat to data security comes about when employees connect their mobile devices to the company network. They might be doing this remotely from anywhere in the world. This is particularly hazardous when they use public WiFi to go online, making their device more susceptible to password hacks, man-in-the-middle (MITM) attacks and packet sniffing.
In 2014, hackers targeted influential business executives using luxury hotels in Asia. They delivered malware over public WiFi to the victims’ devices before stealing their data.
As with the USB-drive vulnerability, the solution lies in making staff aware of data-management rules and in encrypting data. Data encryption renders a breach harmless in most cases, as decryption cannot take place outside of the company premises. Using VPNs to connect to the web frustrates hackers by encrypting data.
5. Firewall Rulebases
An active firewall is not necessarily one which protects your business from attack. Firewalls often contain redundant or misconfigured rules that allow unauthorised access to the company network. It’s easy to place too much trust in what a firewall is doing.
In 2019, a misconfigured firewall was blamed for a major breach at US bank Capital One. The records of 100 million people were exposed as a result.
The solution to the above is obviously to reconfigure the firewall. Still, you should also document all the changes made to it and establish the formal practice of doing so in the future. You must continuously update firewall rules to accommodate new users and devices.
Firewall administrators are frequently flooded with change requests, which in itself is hazardous as it may mean the implications are not studied in full. It also means there’s less time to decommission existing rules which create a vulnerability. Automated firewall administration products help resolve this problem.
Get Data Protection Right
By paying attention to the nine pillars of data protection and using GDPR as your guide, you have nothing to fear from EU regulations. You’ll find many of the tools you need for efficient data management in GDPR365 software. It will help you with data mapping, risk assessments, subject access requests, privacy notices and more. Why not book a demonstration?