April 7, 2017

The data leaks reporting requirement: does it keep you awake at night?

January 1, 2016 saw the introduction of the Data Leaks Reporting Act. Since then, an organisation that handles privacy-sensitive information improperly risks not only reputation damage and loss of customers, but also an official warning or a hefty fine. How do you minimise these risks?

To know how to improve your security, it helps to look back at where things went wrong. Telecom providers, for example, were already required to report data leaks to the ACM (formerly Opta) before the act came into force. Last year that regulator imposed a fine of € 364,000 on KPN for the inadequate security that made the infamous 2012 hack possible. A rude wake-up call, but we can probably assume that awareness of and attention to data security has increased significantly at KPN since then.

Measures in three areas

This is what lies at the heart of it all: to avoid a warning or fine, you must be able to demonstrate that you have given due consideration to the privacy of the personal data you process. A leak can never be prevented with 100% certainty, but if one does occur, it is important to be able to show that appropriate measures had been taken. Those measures fall into three areas: legal, organisational and technical.

1. Legal

On the legal side, make sure you have data processing agreements in place with every party that stores or processes personal data on your behalf (such as hosting providers). Many companies pay little attention to this, but a processing agreement is mandatory whenever the processing of personal data is outsourced.

2. Organisational

From an organisational point of view, you need to be able to prove that you are aware of the importance of data security and that it is an embedded part of your business processes. ISO 27001 certification is well suited to this, but even without certification you can use elements of ISO 27001 to improve the security of personal data. Consider, for example, creating a ‘data asset catalogue’ that lists the different types of data present in the organisation, classifies each type by sensitivity, and sets requirements for how each type must be handled. A good resource for this is the handbook of the IBD, the information security service of the VNG. Such an asset catalogue can then serve as the basis for risk analyses of specific applications or situations. Beyond that, think of procedures for staff leaving the organisation, keeping track of certain employees, recording who has access to what, secure destruction of data carriers, and so on.

3. Technical

Finally, technical measures must be taken. You can classify your data neatly and set requirements for storage and transport, but if no technical measures enforce those requirements, all of it is for nothing. Such measures start with isolating the systems that hold sensitive data from other systems and with proper technical checks on authorisation. An effective way to reduce the likelihood of both data leaks and fines is to have a vulnerability assessment performed on the systems that contain sensitive data. During such an assessment, an expert examines the system in detail for vulnerabilities that a malicious party could use to reach your data, and then recommends how to resolve them. If those recommendations are followed up, you can readily demonstrate to the supervisory authority, should a data breach occur, that serious attention has been paid to preventing leaks. That significantly reduces the likelihood of a warning or fine.

By proactively taking the right measures, the risk of damage to your organisation becomes significantly smaller. So make your organisation aware of the risks and get started today!

Source: https://www.computable.nl/artikel/opinie/security/5678237/1276896/meldplicht-datalekken-lig-jij-er-wakker-van.html