HKCert
Security Blog

More than a year after GDPR comes into force…

Release Date: 30 / 09 / 2019
Last Update: 03 / 10 / 2019

The General Data Protection Regulation (GDPR) of the European Union (EU), dubbed the toughest privacy protection and security law in the world thus far, has been in force for more than a year. While the regulation aims to provide better safeguards for the storage and handling of personal data, many companies, including well-known non-European ones, are still failing to comply with it.

For example, US-based hotel chain giant Marriott International was handed a hefty fine of US$125 million after the theft of 383 million guest records by hackers, while Google was fined US$56.8 million for its data consent policies and not giving its users enough control over how their information is used.
 
Despite such high-profile cases, some companies in Hong Kong still consider GDPR irrelevant to their business operations, even though compliance is mandatory for any organisation anywhere in the world that targets or collects data relating to people in the EU. They may have overlooked the fact that the EU is the city’s second-largest trading partner after Mainland China and that over 2,200 EU companies have set up business in Hong Kong.
 
To help local businesses comply with GDPR, the Hong Kong Computer Emergency Response Team Coordination Centre has identified four major types of cyber attack responsible for data breach incidents, whose impact can be mitigated if proper security measures are applied. They are:

  • Phishing Attack: Phishing is one of the most common attack tactics and has a high success rate in stealing users’ credentials. User awareness training should therefore be conducted regularly to keep staff vigilant against suspicious websites and emails.

  • Exploit of System Vulnerability: Well-planned patch management, including a patching cycle (e.g. testing in a UAT environment before rolling out to production), and a proper retirement plan for end-of-support systems are essential to prevent attackers from compromising the company network through legacy or unpatched systems. If a legacy system cannot be phased out for practical reasons, an extra protection layer (i.e. a firewall) is needed to control and monitor access to it.

  • Attacks from Untrusted Network: When staff access the company network from outside the organisation over untrusted networks (e.g. the Internet or public Wi-Fi), the risk of data leakage rises significantly (e.g. loss of a device, session hijacking). Strong authentication such as two-factor authentication, the use of VPN connections and a data protection policy must be applied.

  • Insider Attack: The insider threat is one of the most significant threats in business espionage, and even advanced security technologies are of little use against it. Insider threats should be addressed with defence in depth: internal firewalls, network segmentation, role-based access control for both network and physical access, and user awareness are essential defences.
 
All in all, businesses in Hong Kong must realise that, operating in an externally oriented economy and an international city, they are not immune from GDPR compliance. From import and export trade, banking and finance, tourism and hospitality to property management and education, every sector must take all necessary measures to minimise the threat of data breaches or risk becoming the next “victim” of a huge GDPR fine.