More than a year after GDPR comes into force…
The General Data Protection Regulation (GDPR) of the European Union (EU), dubbed the toughest privacy and security law in the world so far, has been in force for more than a year. While the regulation aims to provide better safeguards for the storage and handling of personal data, many companies, including well-known non-European ones, are still failing to comply with it.
- Phishing Attack: Phishing is one of the most common attack tactics, with a high success rate in stealing users' credentials. User awareness training should therefore be conducted regularly to keep staff vigilant against suspicious websites and emails.
- Exploit of System Vulnerability: Well-planned patch management, including a defined patching cycle (e.g. testing in a UAT environment before rolling out to production), and a proper retirement plan for end-of-support systems are essential to prevent attackers from compromising the company network through legacy or unpatched systems. If a legacy system cannot be phased out for practical reasons, an extra protection layer (e.g. a firewall) is needed to control and monitor access to it.
- Attacks from Untrusted Network: When staff access the company network from outside the organisation over untrusted networks (e.g. the Internet or public Wi-Fi), the risk of data leakage rises significantly (e.g. loss of device, session hijacking, etc.). Strong authentication such as two-factor authentication, use of a VPN connection and a data protection policy must be applied.
- Insider Attack: Insider threat is one of the most significant threats in business espionage, and most advanced security technologies fall by the wayside when facing it. Insider threats should be addressed using defence in depth: internal firewalls, network segmentation, role-based access control for both network and physical access, and user awareness are essential defences.