[BreachExchange] Local data protection compliance: Mission impossible for SMEs?

Audrey McNeil audrey at riskbasedsecurity.com
Tue May 10 21:25:41 EDT 2016


http://www.itproportal.com/2016/05/08/local-data-protection-compliance-mission-impossible-for-smes/

All indications show that for the majority of small and medium-sized
companies (SMEs), issues that have to do with data protection, information
leaks, and compliance with data security laws are almost a ‘mission
impossible’.

Data protection: Your mission if you choose to accept it

According to a study by Gartner, in 2015, 35 per cent of organisations will
have a critical need to use a data protection solution, but only 1 per cent
will be able to implement it. In addition, it is known that companies are
currently suffering data breaches, whether caused by their own employees,
suppliers or customers. Up to 25 per cent of companies have acknowledged
that they have had an information leak in the last year.

All this shows the low level of compliance with data protection laws in
small and medium-sized businesses. While in some cases this can be
attributed to a lack of knowledge about the law, in many others it is
simply a matter of priorities. Employers with fewer resources or with
smaller budgets choose to spend their time on day-to-day problems and ignore
what they consider to be ‘extras’, thus exposing themselves to potentially
significant penalties.

Imagine a small medical clinic. It is not unreasonable to think that
medical records and other patient data are stored in Excel files on work
computers that are used on a daily basis and are not under lock and key,
nor do they have appropriate security measures.

This is already a breach of the data protection laws and, because we are
dealing with files which require a high level of security, it entails very
high penalties in the event of an audit by the Data Protection Agency. In
addition, there is no control over whether those files are copied, printed,
sent by email, etc. Regardless of the penalties for breaches of the data
protection law, the company is also taking a significant risk considering
the damage that could be done to its image should an information leak
eventually occur.

There are solutions out there

SMEs should know that there are technology solutions in the market today
available at affordable prices that can help them comply with data security
laws.

Returning to our example, the employer would only need to protect the Excel
file with one of these solutions, giving permissions to edit the file only
to the healthcare workers, and permissions to only read the file to the
administrative staff. The files subject to the data protection law would in
this way be encrypted and protected as required.

In this simple way, without deploying expensive tools, altering employee
work processes, or having to maintain a manual register of who has accessed
personal data, SMEs would exceed the requirements for compliance with the
data protection law, which, up to now, has usually been too difficult for a
small business to achieve because it traditionally required infrastructure,
tools and dedicated IT staff. All of this also protects the image of the
company by preventing a possible information leak.