The UK may be leaving the EU, but that does not mean UK businesses are off the hook when it comes to information security and data protection obligations.
The UK government has made it clear that there will be harsh penalties for any company that does not take measures to protect itself from data theft and cyber-attacks. Data protection laws covering client and consumer data are also being drafted in the UK, with the EU General Data Protection Regulation (GDPR) as the template.
The New UK Data Security Measures
Under the UK's proposed data security laws, companies, particularly those running services for critical infrastructure, will need robust data security safeguards and policies. Non-compliant businesses could risk fines as high as £17 million or 4% of global turnover. Companies that implement sound security policies, and can prove those policies were in place when a cyber-attack hit, are a different matter: the government has said they will not be fined under those circumstances.
It is no coincidence that these new requirements come a few months after WannaCry, a ransomware worm that many security experts theorise was more an act of sabotage than ordinary criminal malware. The attack crippled the UK's National Health Service (NHS): systems were taken down to the point that patients at affected NHS hospitals, some in critical care, had to be rerouted to other facilities. It became a life-and-death situation.
These are exactly the types of attacks the UK government is trying to avoid in the future. Going forward, companies will need rapid recovery systems in place to avoid outcomes such as power outages, the rerouting of patients that the NHS faced, and disruption to services such as autonomous driving.
The biggest components of the new measures include threat detection, cyber-security awareness training for employees, and failover for critical systems in the event of a cyber-attack. Note that these rules concern service providers and the availability of their services rather than the protection of personal data.
New Data Protection Laws Are Drawn From GDPR
Not to be confused with the data security measures above, which focus on products and services, the UK is also revamping its data protection laws, and these will be drafted from the articles of the GDPR. What does this mean? IT teams will need policies in place for the protection of personal data regardless of Brexit. Employee data already has to be protected by law; the new standards mean IT will need to take extra care when handling consumer data as well.
The practical challenges these laws create are monitoring personal data, knowing where it is stored, being able to remove it on request, and protecting it from external and internal threats. A data breach could leave your business facing fines in the millions of pounds.
How Can Companies Prepare?
The line between information security and compliance is blurring. Being compliant will not be enough on its own to stop cyber-attacks. These new rules have yet to be enacted, and in their current form they are vague. The point stands regardless: you need to mitigate the present and future risks to your business.
Encryption and failover are effective protections against data theft and outages, but they do nothing against spear phishing or other social engineering, which target people rather than systems. Security awareness training for employees helps here, though training alone only goes so far; regularly testing users with simulated phishing emails is another way to keep awareness high.
Encryption also does nothing against exploitation of unpatched software. WannaCry spread using EternalBlue, an exploit for a vulnerability in Microsoft's SMBv1 implementation (the backdoor it planted on compromised hosts was DoublePulsar), and NotPetya entered networks via a compromised software update mechanism. Such vulnerabilities give attackers a way into your network through a known (or not yet known) flaw. Keeping your software patched is the obvious defence, and regular penetration testing goes a step further by finding the gaps that patching has missed.
Use Hardened Platforms to Maximize Protection
Another way to protect critical data is to stop using unencrypted email and plain or anonymous FTP servers for sensitive transfers. Anonymous FTP servers can act as a launch pad for attacks, and plain FTP offers little beyond a username and password, both of which, along with the data itself, cross the wire in clear text. Anyone positioned on the path can read them, and an active man-in-the-middle can alter them. Replacing insecure systems such as plain FTP with a secure file transfer solution, such as MOVEit Transfer, puts both the credentials and the data under encryption in transit.
MOVEit is also a hardened platform, meaning it provides multi-factor authentication, access control, and tamper-evident logs. These are just a few of the benefits MOVEit provides for companies that need to move data quickly and securely while maintaining compliance.
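To make the clear-text point concrete, here is an added example (not Ipswitch or MOVEit code) that scans a captured FTP control channel and reports every USER/PASS pair a passive observer could read. The capture format and all four sessions are constructed for this example: one plain FTP login, one explicit FTPS session where the server accepts AUTH TLS, one anonymous FTP login, and one SFTP connection. No active man-in-the-middle is needed to harvest the plain FTP credential; simply being on the path is enough, which is the same position a MITM starts from.

```python
"""Added example (not Ipswitch/MOVEit code): scan an FTP control-channel
capture for credentials sent in the clear.

The capture below is constructed for this example, in the shape a passive
observer gets from "Follow TCP Stream" in a sniffer:
    <src_ip>:<src_port> -> <dst_ip>:<dst_port>  <payload>
Only the server-side port 21 matters; SFTP (port 22) and FTPS after a
successful AUTH TLS carry ciphertext, so there is nothing for the scan to find.
"""
import re
from typing import NamedTuple


class ExposedLogin(NamedTuple):
    client: str      # ip:port of the FTP client
    server: str      # ip:port of the FTP server (always port 21 here)
    user: str
    password: str
    anonymous: bool  # anonymous FTP: no real credential, but an open launch pad


# Constructed sample capture: four sessions as seen on the wire.
SAMPLE_CAPTURE = """\
# A: plain FTP, a real credential crosses the wire in clear text
10.0.0.5:49152 -> 203.0.113.10:21  USER alice
203.0.113.10:21 -> 10.0.0.5:49152  331 Please specify the password.
10.0.0.5:49152 -> 203.0.113.10:21  PASS Winter2017!
203.0.113.10:21 -> 10.0.0.5:49152  230 Login successful.
# B: explicit FTPS; after the server accepts AUTH TLS the channel is encrypted
10.0.0.6:49200 -> 203.0.113.10:21  AUTH TLS
203.0.113.10:21 -> 10.0.0.6:49200  234 Proceed with negotiation.
10.0.0.6:49200 -> 203.0.113.10:21  <TLS handshake and ciphertext>
# C: anonymous FTP, the "password" is a courtesy e-mail address
10.0.0.7:49300 -> 203.0.113.20:21  USER anonymous
203.0.113.20:21 -> 10.0.0.7:49300  331 Please specify the password.
10.0.0.7:49300 -> 203.0.113.20:21  PASS guest@example.org
# D: SFTP runs over SSH on port 22 and never exposes a control channel
10.0.0.8:49400 -> 203.0.113.30:22  SSH-2.0-OpenSSH_7.4
"""

LINE_RE = re.compile(r"^(\S+):(\d+) -> (\S+):(\d+)\s+(.*)$")
FTP_PORT = "21"


def find_exposed_logins(capture: str) -> list[ExposedLogin]:
    """Return every USER/PASS pair readable in clear text on port 21."""
    # per-session state keyed by (client, server), with the FTP server side
    # normalised to the second slot whichever direction the packet went
    sessions: dict[tuple[str, str], dict] = {}
    exposed: list[ExposedLogin] = []
    for raw in capture.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # comment or unparseable line
        src, sport, dst, dport, payload = m.groups()
        if dport == FTP_PORT:
            key, from_client = (f"{src}:{sport}", f"{dst}:{dport}"), True
        elif sport == FTP_PORT:
            key, from_client = (f"{dst}:{dport}", f"{src}:{sport}"), False
        else:
            continue  # not FTP control traffic (e.g. SFTP on port 22)
        state = sessions.setdefault(key, {"tls": False, "user": None})
        if state["tls"]:
            continue  # control channel already under TLS: only ciphertext
        if from_client:
            verb, _, arg = payload.partition(" ")
            verb = verb.upper()
            if verb == "USER":
                state["user"] = arg.strip()
            elif verb == "PASS" and state["user"] is not None:
                user = state["user"]
                exposed.append(ExposedLogin(
                    client=key[0], server=key[1], user=user,
                    password=arg.strip(),
                    anonymous=user.lower() in ("anonymous", "ftp"),
                ))
                state["user"] = None
        elif payload.startswith("234"):
            # 234 is the server accepting AUTH TLS; everything after is encrypted
            state["tls"] = True
    return exposed


if __name__ == "__main__":
    for hit in find_exposed_logins(SAMPLE_CAPTURE):
        kind = "anonymous FTP" if hit.anonymous else "CLEAR-TEXT CREDENTIAL"
        print(f"{kind}: {hit.client} -> {hit.server} "
              f"user={hit.user!r} pass={hit.password!r}")
```

Run against the constructed capture, the scan reports the plain FTP credential from session A and the anonymous login from session C, and nothing from the FTPS session (the scanner stops reading once the 234 reply is seen) or the SFTP session (never on port 21). The same logic, pointed at a real capture from your own network, is a quick way to find which internal systems still authenticate in clear text before deciding what to migrate first.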
There is still time to prepare for the new government measures, but note that GDPR is also just around the corner. By covering your bases now, your business is better placed to avoid a data breach, heavy fines, and even civil suits. Under GDPR, organisations will need to carry out a Data Protection Impact Assessment (DPIA) for processing that is likely to result in a high risk to individuals, which in practice means assessing the technologies used for that processing. The good news is that we have a flat-pack DPIA available for MOVEit, written by compliance legal experts Cordery. Contact us to find out more.
Last but not least, make sure to visit Ipswitch at IPExpo Europe on October 4th and 5th to learn more about how our tools can help you stay compliant with these new regulations.
Contact us to find out more at firstname.lastname@example.org