Lately we have been engaging in a very concerted educational effort in two very important areas: ransomware and GDPR.
The General Data Protection Regulation (GDPR), of course, covers protection and privacy of personal data of EU citizens.
Ransomware, of course, is a nightmare. (Remember early in this season of “Homeland” when Carrie mistakenly downloads ransomware, and the hacker demanded $5000 to get her data back?)
But the GDPR raises the stakes of ransomware even higher than before, and organizations following the new laws must be aware of the added impact it poses in the event of an attack.
What happens if you get breached
First, you’ll have to be completely transparent and let people know if their personally identifying information (PII) has been compromised. You will need to notify the appropriate Data Protection Authority (DPA) within 72 hours of being aware of the breach and notify anyone affected “without undue delay.”
It’s important to note that ransomware does not simply lock up your data so you cannot get it back without paying. It is theft of your data, and the door is wide open for the attacker to access the data.
(Remember on “Homeland” when the attacker realized that Carrie had super top-secret CIA agent data on her computer, and upped the ransom to $10,000 or he would expose it all?)
How to know if PII has been breached
In order to determine if PII has been breached, you need to know where that data is physically located – on your own hardware, within an individual data center, or even the cloud.
This means you need control over both the physical data location and data sovereignty – restricting legal access to data to the jurisdiction in which you operate. Many companies worry about storing data outside their jurisdiction, and rightly so.
ioFABRIC software allows administrators to create zones for data based on any specific need: geographic location, security level, access privileges, etc.
You can make sure PII is kept only on encrypted storage. If only some of the data is PII of EU citizens, create a GDPR-compliant zone for that data with added security. ioFABRIC can control data placement down to an individual hard drive.
Keep unauthorized users out
Ensuring that no one can access data who isn’t authorized to do so also requires precise control.
ioFABRIC offers role-based authentication and delegation that can be tied into Active Directory. From the dashboard, you can view which data has been accessed by which user, whether it was moved, and if so, where and when.
Stay compliant and be prepared
The best scenario is to defend yourself against an attack by securing and maintaining access to data. A cybercriminal is no match for an effective, GDPR-compliant data protection strategy.
(Remember on “Homeland” when the hacker raised the ransom to $20,000 and then Carrie tracked him down and kicked his butt? We don’t recommend that.)