Rapid technology advances have brought new challenges for the protection of personal data, so every organization needs a comprehensive approach to privacy management and must also document how it collects, processes and stores personal data. But too many companies still fall down on the security fundamentals, and new regulations such as the General Data Protection Regulation (GDPR), Payment Card Industry (PCI) Data Security Standard, Health Insurance Portability and Accountability Act (HIPAA) and ISO 27001 are making the cost of failure far greater than it’s ever been.
Regulations and directives are unavoidable, and with non-compliance, fines and audits will undoubtedly follow. However, while these regulations feel like a burden, organizations that employ basic security measures can turn them into an opportunity.
Many of the risks are in the data itself and the processes used to manage it. So, these are essential parts of a corporate initiative toward data security. Here are 10 ways to improve security compliance with data privacy regulations:
Maintain an accurate inventory of software assets: A complete view of installed software can drive consolidation of the software portfolio to reduce security risks by reducing the attack surface for software vulnerabilities. Identify and remove freeware and unauthorized software which could pose a security risk. To this end, undertake a full audit to collect comprehensive hardware and software inventory data as well as identify which applications are using personal data and the people that are using those applications. This will enable the organization to ensure that data that doesn’t comply with the data protection standards in use is reviewed.
Know what open source software (OSS) is used in the organization’s internally developed apps: Typically, organizations know less than 10 percent of the software that’s actually used. Software engineers use open source components to expedite their work—but they often don’t understand the software vulnerability risks they may contain. Take control of and manage use of OSS and third-party components. Use automation to create a formal OSS inventory and policy that balances business benefits and risk management.
Be vigilant about tracking and responding to alerts on software assets: Keep abreast of known software vulnerabilities and their criticality. To this end, ensure there’s a list of software installed that needs to be monitored for vulnerabilities, then understand the OSS components that have been used in the internally developed apps so that alerts to vulnerabilities can be acted on.
Run vulnerability assessment against all systems frequently: Identify vulnerable, unpatched software on desktops, laptops and servers. Cut through the noise to focus the research and alerts on the software assets identified in the organization’s inventory. Thereafter, detect and assess the security state of applications to react faster.
Prioritize and remediate the most critical vulnerabilities first: Implement vulnerability management policies and workflows. Drive and report on remediation processes from end to end to ensure service level agreements are met. By applying the right patches, organizations close the main external intrusion method for cyberattacks. Reducing the attack surface for cybercriminals reduces the risk and costly consequences of personal data breaches.
Remove local administrator rights from employee devices: Removing local administrator rights will further limit the organization’s exposure to risk. Use of administrative rights is a primary means for hackers to spread malware inside the enterprise. If employees have local administrator rights on their devices, they can be tricked into opening malicious email attachments or downloading apps from malicious websites. If the victim user’s account has administrative rights, the attacker can take over the device completely, install software and look for sensitive personal data.
Enforce corporate policies using an enterprise app store: Foremost, prevent users from downloading apps from unknown sources. Deploy authorized software and enforce corporate policies using an enterprise app store. An enterprise app store can ensure that governance is in place to install only authorized applications. An app store also can check software license availability and obtain proper approvals. In addition to installing new applications, an app store can be used to remove unlicensed and blacklisted applications from employee devices.
Only deploy new software that is free from known vulnerabilities: As the number, frequency and complexity of applications in an enterprise portfolio grow, so do the risks of releasing new apps into the environment. Desktop engineering, software procurement and IT security each have a role to play in reviewing these risks and determining whether apps are approved for release or require further mitigation. As part of the change control process, evaluate risks when deploying new and updated apps into an enterprise environment and ensure they contain no known vulnerabilities.
Uninstall software that is end of life (EOL), before the vendor stops support: When software reaches its end of life (EOL), vendors stop patching security holes. Detect software that is EOL and upgrade to a supported version or remove it entirely from the device. Because EOL programs are no longer maintained and supported by the vendor, they receive no security updates and, hence, are insecure.
Share data between systems and collaborate: Ensure IT security and IT operations have consistent data, yet custom views, to effectively collaborate on the latest research, assessed vulnerabilities and remediation activities. Automatically create service desk tickets to track and confirm remediation.
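The inventory, alerting, prioritization and EOL steps above can be combined into one remediation queue; the following is an added example, not part of the original article. All hosts, products, advisory IDs, scores and EOL dates are constructed, and it assumes dotted numeric version strings and that EOL software is ranked at the top severity.

```python
from datetime import date

# Constructed sample data: hosts, products, advisory IDs and dates are illustrative.
INVENTORY = [
    {"host": "hr-laptop-01", "product": "examplepdf", "version": "9.1.0", "personal_data": True},
    {"host": "build-srv-02", "product": "examplepdf", "version": "9.4.2", "personal_data": False},
    {"host": "crm-db-01", "product": "exampledb", "version": "5.6.30", "personal_data": True},
    {"host": "kiosk-07", "product": "exampleplayer", "version": "2.0.0", "personal_data": False},
]
# fixed_in is the first patched version; score is a 0-10 severity rating.
ADVISORIES = [
    {"id": "ADV-0001", "product": "examplepdf", "fixed_in": "9.4.0", "score": 9.8},
    {"id": "ADV-0002", "product": "exampledb", "fixed_in": "5.6.40", "score": 6.5},
    {"id": "ADV-0003", "product": "notinstalled", "fixed_in": "1.0.1", "score": 10.0},
]
EOL_DATES = {"exampleplayer": date(2020, 12, 31), "exampledb": date(2030, 1, 1)}


def parse_version(text):
    """Turn '9.4.2' into (9, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in text.split("."))


def remediation_queue(inventory, advisories, eol_dates, today):
    """Return findings for installed software only, most critical first."""
    queue = []
    for asset in inventory:
        base = {"host": asset["host"], "product": asset["product"],
                "personal_data": asset["personal_data"]}
        installed = parse_version(asset["version"])
        for adv in advisories:
            if adv["product"] == asset["product"] and installed < parse_version(adv["fixed_in"]):
                queue.append({**base, "issue": adv["id"], "score": adv["score"],
                              "action": "patch to " + adv["fixed_in"]})
        eol = eol_dates.get(asset["product"])
        if eol is not None and eol <= today:
            # Assumption: unsupported software is ranked at the top score,
            # because no vendor patch will ever arrive for it.
            queue.append({**base, "issue": "EOL", "score": 10.0,
                          "action": "upgrade or remove"})
    # Highest severity first; ties go to systems that handle personal data.
    return sorted(queue, key=lambda f: (-f["score"], not f["personal_data"]))


if __name__ == "__main__":
    for f in remediation_queue(INVENTORY, ADVISORIES, EOL_DATES, date(2024, 1, 1)):
        print(f["score"], f["host"], f["product"], f["issue"], f["action"])
```

The advisory for software that is not in the inventory never reaches the queue, which is the noise reduction the vulnerability assessment step describes.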
All the above are fundamental best practices that organizations must follow in the current environment to ensure data security and compliance with data privacy regulations. According to Forrester Research, the top external intrusion method hackers use to gain access to data is through vulnerabilities in software. Similarly, Gartner says that “through 2020, 99 percent of vulnerabilities exploited will continue to be ones known by security and IT professionals for at least one year.” Proactive management of vulnerabilities is therefore vital to data security and compliance.