Technological advances bring newfound challenges to the protection of personal data. Security fundamentals are still a pitfall for many companies and an all-inclusive approach to privacy management is needed. New regulations like the Notifiable Data Breach Regulation (NDB), General Data Protection Regulation (GDPR), Payment Card Industry (PCI) Data Security Standard and ISO 27001 make the cost of failure larger. While regulations and directives are unavoidable and non-compliance results in fines and audits, employing basic security measures can result in new opportunities.
Risks can lie in the data itself as well as in the processes used to manage it, making both a non-negotiable part of any corporate Data Security initiative. Here are 10 ways to improve security compliance whilst adhering to data privacy regulations:
- Maintain a consolidated inventory of software assets
A complete view of installed software can drive consolidation of the software portfolio to reduce security risks by reducing the attack surface for software vulnerabilities. Identify, review and remove freeware and unauthorised software which could pose a security risk. This will ensure that data that doesn’t comply with the Data Protection standards in use is reviewed.
- Take control of and manage use of Open Source Software (OSS) used in the organisation’s internally developed apps
Typically, organisations know less than 10 per cent of the software that’s used. Software engineers use open source components to expedite their work often without understanding the associated software vulnerability risks. Use automation to create a formal OSS inventory and policy that balances business benefits and risk management.
- Remain alert to software vulnerabilities by tracking and responding to warning signs on software assets
Keep aware of known software vulnerabilities and their criticality. Maintain a list of the installed software that needs to be monitored for vulnerabilities, and understand which OSS components have been used in the internally developed apps, so that alerts on new vulnerabilities can be acted on immediately.
- Regularly conduct vulnerability assessments across all systems
Identify vulnerable, unpatched software on desktops, laptops and servers. Focus the research and alerts on the software assets identified in the organisation’s inventory, and give yourself the ability to detect and assess the security state of applications so you can react faster.
- Implement vulnerability management policies and workflows
Drive and report on remediation processes end to end to ensure Service Level Agreements are met. By applying the right patches, organisations close the main external intrusion method used in cyberattacks.
- Ensure local administrator rights are removed from employee devices
Local administrator rights are a primary means for hackers to spread malware. If an employee has local administrator rights on their device, they can be tricked into opening or downloading malicious content. With administrative rights, the attacker can take over the device, install software and look for sensitive personal data.
- Prevent users from downloading apps from unknown sources
Deploy authorised software and enforce corporate policies using an enterprise app store. An enterprise app store can ensure that governance is in place to install only authorised applications, check software license availability and obtain proper approvals. An app store can also be used to remove unlicensed and black-listed applications.
- Only implement new software that is clear of known vulnerabilities
Desktop engineering, software procurement and IT security each have a role to play in reviewing the risks of new apps and determining whether they are approved for release or require further mitigation. As part of the change control process, evaluate risks when implementing new and updated apps and ensure they contain no known vulnerabilities.
- Uninstall software that is End of Life (EOL)
When software reaches its End of Life (EOL), vendors stop patching security holes. Detect software that is EOL and upgrade to a supported version or remove it entirely from the device. Because EOL programmes are no longer maintained and supported by the vendor, they receive no security updates and are therefore insecure.
- Collaborate by sharing data between systems
Ensure IT Security and IT Operations work from consistent data, with custom views for each team, so they can effectively collaborate on the latest research, assess vulnerabilities and remediate them. Automatically create service desk tickets to track and confirm remediation.
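As an added illustration (not code from the original article), the following script applies practices 1, 3, 8 and 10 above to a small constructed inventory: it flags unauthorised software, versions below a known fixed version, and packages past their vendor end-of-life date, then groups the findings per host into service desk ticket lines. All package names, versions, advisory ids and dates are made up for the example.

```python
"""Added example: a minimal software-asset review over a constructed inventory.
Every package, version, advisory id and EOL date here is invented."""
from datetime import date

# Constructed inventory as an endpoint agent might report it: (host, package, version).
INVENTORY = [
    ("desk-01", "office-suite", "2.4.1"),
    ("desk-01", "freeware-pdf-tool", "1.0"),   # freeware not on the authorised list
    ("srv-02", "web-framework", "3.1.0"),       # OSS component used by an internal app
    ("srv-02", "legacy-db", "8.0"),             # past the vendor's end of life
]
AUTHORISED = {"office-suite", "web-framework", "legacy-db"}
# Constructed advisories: package -> (first fixed version, placeholder advisory id)
ADVISORIES = {"web-framework": ("3.1.2", "ADV-PLACEHOLDER-1")}
# Constructed EOL dates: package -> last day of vendor support
EOL = {"legacy-db": date(2023, 1, 31)}
TODAY = date(2024, 6, 1)  # fixed so the example is reproducible


def version_tuple(version):
    """Compare dotted versions numerically, so 3.1.10 sorts after 3.1.2."""
    return tuple(int(part) for part in version.split("."))


def review(inventory, today=TODAY):
    """Return one (host, package, kind, action) finding per issue found."""
    findings = []
    for host, pkg, ver in inventory:
        if pkg not in AUTHORISED:
            findings.append((host, pkg, "unauthorised", "remove or approve"))
        if pkg in ADVISORIES and version_tuple(ver) < version_tuple(ADVISORIES[pkg][0]):
            fixed, adv_id = ADVISORIES[pkg]
            findings.append((host, pkg, "vulnerable", f"patch to {fixed} ({adv_id})"))
        if pkg in EOL and today > EOL[pkg]:
            findings.append((host, pkg, "eol", "upgrade to a supported version or uninstall"))
    return findings


def to_tickets(findings):
    """Group findings per host into the service desk ticket lines practice 10 describes."""
    tickets = {}
    for host, pkg, kind, action in findings:
        tickets.setdefault(host, []).append(f"{kind}: {pkg} -> {action}")
    return tickets


if __name__ == "__main__":
    for host, lines in to_tickets(review(INVENTORY)).items():
        print(host)
        for line in lines:
            print("  " + line)
```

In practice the three constructed tables would be fed from the asset inventory, the vulnerability feed and the vendor lifecycle data the article describes.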
According to Forrester Research, the most common external intrusion method hackers use is through software vulnerabilities. Proactive management of vulnerabilities is vital. Gartner experts echo this sentiment, saying that “through 2020, 99 per cent of vulnerabilities exploited will continue to be ones known by security and IT professionals.”
So, now you have the answers – these are the best practices that organisations should follow to ensure data security and compliance is undertaken with data privacy regulations at the forefront of their Data Security initiatives.