The consequences of a customer or company data breach can be catastrophic to a business of any size. The resulting damage to reputation, customers and the bottom line is just the tip of the iceberg. Businesses could also pay enormous penalties imposed under strict compliance regulations. As firewalls are no longer enough to protect your data, businesses must implement multiple layers of protection down to every network endpoint—from PCs to printers—to build their defenses and address compliance requirements.
In today’s tech-enabled world, device proliferation is leading to complex multi-device and multi-platform infrastructures as businesses continue to focus on becoming mobile organisations and meeting the demands of their workforce. Every one of these devices is an access and exit point for company data and can come at a security cost. One of the biggest challenges facing companies today is how to control and secure data without disrupting business operations. Increasingly, data is being held and processed beyond the firewall boundaries, making the task of securing data more difficult for network defenders.
The rise of cyber attacks has led to the introduction of data security regulations that matter to businesses around the world. Regulations such as the EU General Data Protection Regulation (GDPR) are not just relevant to organisations based in the EU, but apply to any organisation collecting data from EU residents.
The EU GDPR warns businesses of significant fines if they’re found to be non-compliant in the aftermath of an attack. These fines are on top of the financial destruction caused by the data breach itself. Other regulations such as The Directive on security of network and information systems (NIS Directive) have imposed new network and information security requirements on operators of essential services and digital service providers (DSPs). Organisations are now required to report certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs). The pressure is on.
Key requirements of the EU GDPR
Businesses must comply if they collect data in the EU
If an organisation collects and uses personal data in the EU, it needs to comply. This covers data from people buying goods and services as well as data gathered by monitoring customer behaviour, for example when your business tracks online activity to improve customer targeting. Even if your business is outside the EU, every device that can access customer data must be secured.
Businesses must be meticulous with maintaining documentation
The requirements related to maintaining documentation, conducting impact assessments and reporting breaches are time-consuming. Every time a new device is added to the network, it should be secured according to your policies and monitored by a SIEM (Security Information and Event Management) tool to track issues, enable remediation and support compliance reporting.
Businesses must report a breach within 72 hours
Businesses must notify the Data Protection Authority without undue delay and – where feasible – within 72 hours. If they don't, a reasoned justification must be provided. This requirement is designed to protect the right of individuals to know what is happening with their personal data and to understand whether the organisations that hold their data have the correct procedures, tools and products in place to monitor, identify risks and stop attacks.
Businesses have to pay heavy penalties if they do not comply
The EU GDPR features a tiered approach to penalties, and the severity of the breach dictates the size of the fine. The maximum penalty could be up to €20 million or 4% of a company's annual turnover.
3 tips to ensure your PCs and printers are compliant
When it comes to PC and printer protection, there are practical steps to take to ensure your endpoints comply with these regulations.
1. Prepare for compliance audits
To prepare for any compliance audit, IT teams should ensure they can effectively monitor their entire IT infrastructure including endpoint devices such as PCs and printers. They should also schedule regular assessments to keep every endpoint device, including their entire printer fleet, in compliance with the policy.
2. Carry out a complete audit
IT teams must identify every device that can access their company and customer data and assess the level of security it has built in. It’s also recommended they use a fleet security management tool that can immediately identify new devices and automatically apply corporate security policy settings.
3. Embrace security by design
IT teams must put the right policies in place so that compliance requirements are not an afterthought but an intrinsic part of how new devices and services are introduced into the network. Ensure you are able to monitor every device, including your printers, and feed anomalies or incident information into your network-wide vulnerability assessment and monitoring tools, such as a SIEM tool.
Want more information on how to implement layers of security that include every endpoint on your network? Start here.