Comply with Data Security – Contain Ransomware
Inadequate data security policies make it easier for ransomware attackers to use corporate data as leverage. As Sophos recently reported, some attackers are turning to extortion tactics: instead of simply encrypting files, they threaten to release the data if no ransom is paid. This puts the affected company in a position where it faces fines, not to mention the damage to the reputation of its brand. For this and many other reasons, regulatory compliance and information security are closely interwoven. In the opinion of Pure Storage, compliance with data protection regulations is thus becoming an even more important pillar of any security strategy.
The following short list from Pure Storage presents best practices, i.e. proven measures that help companies comply with the regulations and fend off ransomware criminals.
Creating a Compliance Framework
A security or incident response framework explains how to detect, respond to, and recover from incidents. Similarly, a compliance framework provides a structure for all compliance regulations that relate to an organization, such as how to evaluate internal compliance and privacy controls. Such a framework also helps to identify data, such as personal or sensitive data, which require stricter security protocols.
Defining policies about what data is collected and why
This step is part of creating the framework. There are many reasons to document what data is collected and why. Supervisory authorities may require that such guidelines be established; if the data comes from consumers, even more stringent requirements may apply to how the collection guidelines are described (see point 4).
Creating Privacy Policies
Inform customers about what data is collected, what it will be used for, and how and for how long it will be stored. Also inform customers how they can gain access to their personal data or be “forgotten”, i.e. how their data will be removed from the systems.
Strengthening the commitment to disclosure
Pass on, publish and maintain publicly accessible data protection guidelines.
Stay up to date on the latest legal regulations that affect compliance
A “privacy by design” operating model can help you keep up with and adapt to the ever-changing regulations. This means building data protection into the development and operation of IT systems, infrastructure and business practices from the start, rather than trying to bolt it on retroactively.
Establish data retention and deletion policies
This step is crucial. Retention schedules determine how long data is stored on a system before it is deleted, and the schedules may vary by industry. A compliant, mature and secure company develops solid guidelines for data retention and deletion and reviews them continuously.
Choosing a data encryption protocol
Determine which type of data encryption should be used and where – on-site, in the cloud, etc. Depending on where the data is stored, the decisions can be different.
Talk to the CISO about network controls
Since compliance is closely related to security, organizations should involve their CISO in conversations about configuring network devices, access control with minimal rights, event logging, and multi-factor authentication.
Anonymization of sensitive data
Where necessary, personal identifiers should be removed from data by masking, tokenization, hashing or other anonymization techniques.
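As an added illustration of the three techniques named above (not code from the Pure Storage article), the following Python applies masking, keyed tokenization and plain hashing to a constructed customer record; the record, field policy and key handling are assumptions for the demonstration:

```python
# Added example (not from the Pure Storage article): masking, tokenization and
# hashing applied to a constructed customer record with a per-field policy.
import hashlib
import hmac
import secrets

# Constructed sample record; all values are fictitious.
SAMPLE_RECORD = {
    "customer_id": "C-1001",
    "email": "jane.doe@example.com",
    "card_number": "4111111111111111",
    "order_total": "42.50",
}

def mask(value: str, keep_last: int = 4, fill: str = "*") -> str:
    """Masking: keep only the last `keep_last` characters (e.g. a card's last four)."""
    if len(value) <= keep_last:
        return fill * len(value)
    return fill * (len(value) - keep_last) + value[-keep_last:]

def tokenize(value: str, key: bytes) -> str:
    """Tokenization via keyed HMAC-SHA256: the same input always yields the same
    token, so records stay joinable, but without `key` the token cannot be
    recomputed from a guessed input, unlike a plain hash of a low-entropy field."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()

def hash_field(value: str) -> str:
    """Plain SHA-256. Adequate only for high-entropy values; emails, phone and
    card numbers are guessable, so prefer tokenize() for those."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()

def anonymize_record(record: dict, key: bytes) -> dict:
    """Apply the policy: identifiers tokenized, card masked, non-personal fields kept."""
    return {
        "customer_id": tokenize(record["customer_id"], key),
        "email": tokenize(record["email"], key),
        "card_number": mask(record["card_number"]),
        "order_total": record["order_total"],
    }

if __name__ == "__main__":
    # The tokenization key must be generated and stored like any other secret
    # (a KMS or vault); it is generated fresh here only for the demonstration.
    key = secrets.token_bytes(32)
    print(anonymize_record(SAMPLE_RECORD, key))
```

Keep the tokenization key under the same controls as an encryption key: whoever holds it can link tokens back to the original values.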
Document how all parties affected by a security breach will be notified
Under the GDPR, such notifications are mandatory, and companies definitely want the notification process to run smoothly. It is important to determine who is responsible for the notification, how the problem will be remediated and what will be done to prevent further incidents.
The use of data brings immense possibilities, but also responsibility. Companies that believe in the adage “data is the new oil” must also take compliance into account; otherwise the data may not remain in the company's hands for long.