27 January 2020
The implementation of GDPR and the rapid enforcement of its rules, including fines and threats of fines running into the millions, has placed the spotlight on businesses’ ability to secure their customers’ and employees’ data.
Any breach now comes very much under the spotlight of the media, politicians and public alike. Just in the first few weeks of 2020 we have seen a number of examples of breaches reported in the press involving large companies, with potentially thousands of people affected.
Regus, the serviced office provider, saw job performance data on more than 900 employees leaked online via the management website Trello. The leak came through a partner that had been commissioned to audit the performance of the sales staff. The data was easily found via a Google search after an employee at the partner accidentally set the Trello board to “public”.
The other major breach was at Mitsubishi Electric, where cyber criminals took potentially sensitive data. Again, this breach began in the supply chain, at affiliate companies in China, and then spread to the internal network.
Securing supply chains has to be a priority for businesses in 2020. Indeed, in order to adhere to GDPR, businesses must ensure that their entire supply chain is secure. The regulation is being enforced with a sense of urgency that has not been seen with other regulations, and this has been the case across Europe.
A recent survey found that between January 2019 and January 2020 there were on average 278 breach notifications per day across Europe, with data protection regulators imposing around €114 million in fines.
With much emphasis being placed on third-party defences in GDPR, businesses must get on top of supply chain security.
“The recent examples of the Regus and Mitsubishi data breaches show just how vulnerable supply chains can be,” said AJ Thompson, CCO at Northdoor. “The public and media are now very much aware of the value and the importance of securing their data. Businesses that seem unable to do this will suffer not just financial but also reputational damage.
“Whether there is an accidental leak, as in the case of Regus, or something more sinister, as with Mitsubishi Electric, the situation is essentially the same. Both were caused by a partner having insecure defences or security practices.
“No matter the investment and sophistication of your own cyber defences, allowing a partner whose defences are vulnerable negates any effort you have made. Cyber criminals are always inventing new, innovative ways of securing access to sensitive and valuable data; businesses simply cannot afford to stand still and need to ensure that their partners are equally alert.
“The answer is to industrialise your GDPR process. Using automated systems, rather than leaving them for manual checking, as well as a thorough check of existing partner contracts, is crucial to ensure your outward defences are as secure as your internal ones.
“The key is proactivity though. Sitting on your hands, even if you believe you are adhering to regulations, means you are always at risk from cyber criminals who are constantly looking for new ways to get their hands on valuable or sensitive data. This proactivity has to include your partners, as without them being on board it’s impossible to secure your systems,” concluded Thompson.