Do you say rubber band or elastic band? Actually, both terms are prone to inaccuracy. Strictly speaking a rubber band tells you what it is made of, not what its properties are. It may or may not be stretchy. The timing belt in most cars is a tough, toothed rubber band. You certainly don’t want that to stretch.
An elastic band is a band that can stretch. Confusingly, it might or might not be made of the substance called elastic which is a tape or fabric of thin cloth woven through with strips of pliant rubber.
All of which is to say, the way we use language is often an impediment to accuracy and a fast route to misunderstanding. Especially when we think that the way we use a word is the only way anyone else will interpret it.
I often encounter people who use the terms data privacy, data protection and cybersecurity interchangeably. And these three disciplines are far, far from the same thing. It’s the same with people who think compliance with the General Data Protection Regulation (GDPR) demonstrates they have a complete cybersecurity framework in place. GDPR isn’t cybersecurity. In some instances, they have a common interest and an overlap of purpose, but they are very different doctrines.
Let’s briefly set these out so we’re clear what they are.
Data Privacy means being in control of what data you choose to reveal and share and being in control of what anyone you’ve shared it is allowed to do with it—including who they may or may not share it with.
Data Protection is the collection of policies, procedures and technologies that you implement and deploy to ensure there is no breach of personally identifiable information (personal data) from your organisation.
Cybersecurity is the combined suite of technology, governance and training that your organisation mounts to combat the risk of succumbing to a cyberattack.
There’s definitely some common ground here. But that’s not enough to make them the same thing. Archaeologists use pollen analysis—that doesn’t make them botanists.
The Scope of GDPR
Specifically, GDPR is about the processing, storing and transmitting of personal data. Processing means doing anything with the data. Sending a single email to a single recipient counts as processing data. Storing is as simple as it sounds. If you have personally identifiable information recorded either digitally or on paper, you’re storing personal data. Transmission means sending personal data to someone else.
The GDPR requires you to apply governance to your operations so that you can control and safeguard the data and to uphold the data subjects’ rights regarding their personal data. That means implementing a suite of policies and procedures to uphold the demands of the regulations. If you think of it as a miniature quality management system specifically for personal data, you won’t be far off the mark.
Overall, you must satisfy the six core principles of the GDPR. In a nutshell, these are:
- The data must be processed lawfully, fairly and transparently.
- The data must be collected for specified, explicit and legitimate purposes.
- The data collected must be adequate, relevant and limited to what is necessary for processing.
- The data must be accurate and kept up to date.
- The data should only be kept in a form that allows the identification of data subjects for as long as necessary.
- The data must be processed in a manner that ensures its security.
Plainly, to satisfy the requirements of the sixth core principle you have to apply some of your cybersecurity measures to the processing, storing and transmission of personal data. But cybersecurity deals with a whole lot more than personal data.
For example, nothing we’ve discussed so far prepares your staff for identifying social engineering phone calls, phishing emails or spear phishing attacks.
Nor will the GDPR tell you to configure a guest Wi-Fi so that visitors don’t connect to your main network just to get to their smartphone onto the internet. Compliance to the GDPR won’t ensure the firmware in your routers, managed switches and firewall are patched up to date to close off vulnerabilities.
So, what is Cybersecurity?
There’re three strands to cybersecurity. The effectiveness of your cybersecurity depends on your technological defences, your IT governance and the behaviour of your staff. All three must be in place for your cybersecurity to be considered robust.
This is the hardware and software that you procure and deploy to protect your network. This will include a firewall, endpoint protection software, and the encryption of mobile devices and email. It also includes the design of your network itself. A segregated network limits the spread of malware and hampers the lateral movement of threat actors if they manage to compromise your network.
The operating systems on all of your servers, virtual machines, desktops, and laptops must be a current, supported version, and must have all security patches applied. Likewise, software applications must be within the manufacturers’ support life-cycle and must receive patches and upgrades. The firmware in network devices such as routers and firewalls must be patched up to date and still supported by the manufactures.
Group policies should be used to enforce your password policy. Two-factor or multi-factor authentication should be implemented where possible. USB access should be restricted and controlled or disabled altogether. Regular, encrypted, backups to different media must take place. At least one backup should be made off-site.
There’s no limit to the amount of technology you can throw at cybersecurity. If your network is sufficiently large you may consider an intrusion detection system. At the top end, you can implement zero-trust networks and deception technologies.
What is right for you is the appropriate mix of hardware and software that provides sufficient protection according to your network, your assessed risks and your budget.
But beyond GDPR you will need an Acceptable Use Policy so staff know what they can and cannot do with your IT resources. A Password Policy will explain what makes a good and bad password. You’ll need a Schedule of Maintenance that details when penetration testing and vulnerability testing should take place, and when hardware and software patches must be obtained and applied.
A cybersecurity Incident Plan will act as your play book when cyberattacks happen. It must be rehearsed with all stakeholders involved in the run-through. If the worst case happens, you’ll require a proven Disaster Recovery plan. You don’t write your lifeboat plan when the ship is going down. You do it ahead of time and rehearse it. Making it up on the spot isn’t going to cut it.
Of course, it’s not just the big ticket items that need policies and procedures: many of your daily IT operations need control and governance too. For example, we mentioned the review and approval process for opening firewall ports. That review needs to take place each time a port is requested to be opened. That won’t happen without a formal process.
Your technology-based defences are only effective if they are fitted, configured and maintained correctly. IT governance is only useful if competent policies and procedures are developed, written, implemented and willingly adopted. Both of which rely entirely on your staff doing the right thing at the right time.
Good IT Security Hinges on the Staff
Your staff are every bit as vital to your security as any piece of technology. They’re the ones who must follow the processes. That means the processes have to be introduced properly, and formally adopted.
You need your staff to be on 100% board with your cybersecurity vision. The majority of malware arrives by phishing email. And your staff are the ones receiving these emails. Phishing emails are carefully worded to coerce the recipient into opening a malicious attachment or clicking on a link. The attachment will contain malicious software that downloads the actual malware payload. Links in the email take the victim to a copy-cat website that either captures their log in credentials or infects their computer with malware.
Modern phishing emails are slick, convincing and compelling. Gone are the days when the widow of Nigerian spy needed to get millions of pounds out of the country. The era of the ridiculous premise has passed. Phishing emails no longer have mangled English and spelling mistakes.
Spear phishing emails look like they’ve come from someone senior in your own organisation. They go to someone in the finance department. The premise is the senior executive is in a mild panic: they forgot to do something, and it needs to be down now. Please make a payment to this customer of this value, to these bank details. And of course, the bank details are those of the cybercriminals.
You can’t expect your staff to recognise fraudulent emails without training. Their ability to spot these threats is protecting your business from ransomware attacks. Social engineering attacks like this can also arrive via text (smishing) or over the phone (vishing). Infected USB memory drives are dropped where staff will find them and take them back to their desks. Cybercriminals see your staff as a resource that can be exploited, just like a network vulnerability.
If you see the point in applying security patches to your equipment, you should see the sense in training your staff so that they are not an exploitable organic vulnerability. And empower them to speak out. They must be coached to query anything they think is suspicious. Don’t criticise them for double-checking whether something is genuine. They should be encouraged to have a healthy degree of caution. Rampant paranoia doesn’t serve anyone well, but informed attentiveness will work wonders.
You Need Them Both
Compliance with GDPR is mandated by law. By including the GDPR in chapter two of the Data Protection Act 2018, it became enshrined in Irish Law. So, leaving the EU does not remove the burden of GDPR in any way. It’s here to stay.
Effective cybersecurity is mandated by common sense, and the need to ensure business continuity. Cybercrime is here to stay, too.
GDPR and cybersecurity are two different things. They address different needs. And you need them both.