Once the GDPR deadline passed, many people thought the work had been done. In fact, it’s Ground Zero for data security.
In the run-up to May 25, when the General Data Protection Regulation became enforceable, the focus was on getting rid of data or making sure what was being held was relevant. Now the emphasis is on keeping that information secure as breaching this new privacy law can cost an organisation up to 20 million euros, or four per cent of its annual revenue.
We have been advising businesses for many years about keeping data secure and, for a while, it was like selling insurance, trying to encourage people to spend money to prevent a negative outcome.
The vast majority of our clients now understand that data has a value and should be protected. If you’re a watchmaker and someone gives you a Rolex to repair you would take good care of it. People are now starting to treat clients’ personal data with the same kind of respect. However, some businesses saw 25 May as a one-off event, rather than thinking “what happens next?” at a time when data security is a growing problem.
Edinburgh is a major target for international cyber criminals. In the last year, we have investigated four serious attempted attacks in the city, from places like Nigeria and Singapore. They have focused on fairly low-key firms in the property sector, targeting between £30,000 and £150,000 in potential financial gain.
The criminals have used social engineering to glean information from websites and social media; two of these attacks came while a finance director was on holiday, a fact spotted on his Facebook posts.
In a way, this has helped Edinburgh businesses become more focused on cyber security and I like to think firms will not wait for a big fine to be imposed to tighten their practices and save themselves money and reputational damage.
Any form of personal information, from names and addresses to dates of birth, national insurance numbers and bank details, should be kept secure.
This data should be encrypted when being transmitted from one system to another. Most modern devices have encryption built in but not turned on, so it is just a matter of activating it. Passwords are still the number one form of protection on computer systems, yet many people continue to use insecure passwords like Password1 or 1,2,3,4.
We advise using passphrases: three random words that mean something to you but are not connected to each other, combined with numbers or punctuation marks.
For greater security, use a two-factor authentication system, adding an ever-changing six-digit code. This is not only safe but also shows best practice.
We also advise security awareness training for staff. The biggest weakness to security is still the human factor. Social engineering is a huge problem – you can have the best technical security, but if people give out information over the phone to a stranger it’s a major issue.
Duncan Reid is co-founder of IT support firm Icelantic