5 steps for GDPR compliance for US-based financial firms

Even though the GDPR (General Data Protection Regulation) is a European Union (EU) law, it still has implications for US-based financial firms: its reach extends to US organizations. It has been seen as the largest impact on data privacy law in the US since the passing of HIPAA.

What is GDPR?

GDPR, at its core, is all about the protection of personal data. With data breaches continuing to be a danger to all companies in 2019, there is extreme pressure for organizations to enact cybersecurity strategies to combat them.

Under GDPR, organizations must ensure that personal data is collected legally and under specific conditions. Those who collect it are also obliged to protect it from exploitation or misuse, respecting the rights of data owners. The inability to meet this can result in penalties.

How does GDPR impact US-based financial firms?

GDPR applies to any company operating in the EU as well as those outside of it that offer services or goods to EU citizens. Thus, for many US-based financial firms, GDPR becomes relevant. If your customer base or operations extend to those in the EU, you will be responsible for compliance. To ensure compliance, you may need to undertake a risk assessment to understand where the gaps may be.

Steps for compliance

Identify and categorize the data your company collects and processes

You start the process of compliance by analyzing what your current methods are. You’ll need to engage in a comprehensive assessment of what data you collect and why. Start with these questions:

  • Do you ask for personal data from EU citizens?
  • How do you obtain such information?
  • What do you do with the data?
  • Who has access to the data?
  • Where is the data stored?
  • Does your company have a backup and disaster recovery plan related to the data?

Once you’ve assessed where you stand and if you collect data from EU citizens, you’ll know if you need to enact compliance measures.

Ensure you have a legal basis for processing data

GDPR seeks to limit the collection, storage, and use of personal data by companies. To be compliant, you must have a legal basis for doing so. The legal basis may include:

  • You’ve been given explicit consent to use data for a specific purpose (for banks, you would need access to data to service accounts or enable transactions)
  • Data processing is pursuant to a contract
  • Processing is necessary for the public interest or to comply with EU legal obligations

Create company policies and procedures related to GDPR

Policy creation is critical for GDPR compliance. Your policy must include a way for EU citizens to exercise their individual privacy rights. You’ll have to provide disclosures to these subjects to address right of access, right to rectify, right to erasure, right to restrict processing, right to object to processing, right to data portability, and right to not be subject to automated decision making.

Adopt GDPR-compliant privacy notices

You’ll need to craft GDPR-compliant privacy notices and make those accessible at all data collection points. It will need to address a variety of information points, including purposes of processing, identification of the company, and data retention periods.

Ensure data protection and security

With this step, you’ll need to ensure that your cybersecurity measures offer a “reasonable” layer of protection for data. You should consider elements like encryption, confidentiality, ability to restore and access data, the potential risks, and how to ensure that any third-party processors follow the same guidelines.

These are the essential beginning steps for any financial firm to consider when focusing on GDPR compliance. It’s a very complex process, and one that can be streamlined with the help of IT security experts, like those at Imagis. If you are struggling with GDPR compliance, contact us today for a consultation.

Insure Your Cybersecurity For 2018

Cybersecurity, no matter the size of your business or how many employees you have, is a vital part of today’s business. Everyone in your organization needs to be up to date on how to spot a cyber threat and what to do about it.

There are some fundamental things that you should be doing to help protect your business from cyber threats. As hackers find new and innovative ways to come at your data, you need to be a few steps ahead of them. Let’s discuss a few areas in which you can “seal the breach” from hackers:

  • Educate your staff on social engineering attacks

Social engineering attacks trick people into giving up sensitive information, usually by posing as someone within the company or a vendor. Educate your staff on what to look for and how to protect themselves and the company from these malicious attacks. Phishing is one such social engineering attack that disguises a virus within an email. Once the attachment is opened, the virus goes to work attacking data and sending information back to the hacker. Make sure your employees are questioning anything that seems odd or out of place.

  • Use up-to-date anti-virus software and firewalls

You should be checking for updates periodically and installing them automatically. Cyber criminals will happily exploit any unsecured system for a one-time breach or even an ongoing theft.

  • Establish company policies for handling and storing sensitive data

Not every person in your organization needs to have access to sensitive data. Restrict who has access and make sure they are changing their passwords every ninety days at least. Also, don’t keep more data on a client than you need, and don’t hold it any longer than you have to. The less data you have on hand, the less you lose during a breach.

  • Establish guidelines for company-wide computer use

Your employees should not be using company computers or devices for family or personal use. This prevents them from inadvertently sending out sensitive data. This goes the other way too: employees should not be allowed to download business data onto their own personal devices. This includes items such as thumb drives, tablets and phones.

  • Institute a mobile device policy

Set up a protocol so that employees may access data from a secure location on their phone, but without having to download the data. Enable access codes, encryption and remote wipe software on all company devices, then keep a log of all issued and approved devices and who they went to.

  • Stay up-to-date on software patches

Make sure you are installing every hardware, software and operating system update. This keeps hackers from being able to take advantage of vulnerabilities. Be sure that these updates take place across the board. Have every computer in your organization update, and make sure it gets done, to avoid any breaches.

  • Use passwords

Use the built-in password functions of the laptops and other devices. Don’t allow employees to store passwords on their work computers or devices. And make sure they are using a combination of letters, numbers and symbols in their passwords to make strong passwords. You also want them to change it at least every three months.

  • Encrypt sensitive files

You want to keep out unsavory types and those meddling hackers, so encrypting your files is a must. This way, even if they get ahold of your data, they can’t view it or alter it. Encrypting data that is being sent over the internet or to the cloud for storage is also a good idea. So even if the data or files get intercepted mid-stream, they are still unable to be read or changed.

  • Dispose of old files and devices properly

Simply deleting a file on your hard drive does not mean that it is gone forever. Deleting only tells the hard drive that the space is freed up and can be used. The data can still be retrieved. The only way to ensure that hackers or anyone else cannot get at the deleted files is to destroy the physical drive. When you upgrade equipment, such as computers, remember to destroy the old drives. But computers aren’t the only devices with drives that you should worry about. The copier has a hard drive as well. Think about what else in the office might have data on it and secure it.

  • Back up your files

Keep copies of your data separate from your original files. Whether online in the cloud or offline at a separate site from the original, always back up your data. It is best to have it backed up both in the cloud and offline in another location. This way, if you are hacked or data gets lost, you will have a much better idea of what is missing and be able to get it back.

Cyber security is a big deal, and a big job. But it is never foolproof. You have to stay vigilant and uncompromising in your security measures. Don’t let hackers take what you’ve worked so hard to build. With ransomware and other cyber-attacks happening more frequently than ever before in 2017, you want to start 2018 off on the right foot.

Give Imagis a call at 888-526-4283 and let one of our consultants show you how to build a better security framework.

Why You Need to Create a Business Continuity Plan

Data loss is always a concern for businesses, and now with cloud storage there is more concern than ever that data stored there could be stolen or lost. “It can’t/won’t happen to me” attitudes among small businesses could end in disaster, costing these business owners a pretty penny.

Lost profits, lost productivity and damage to your business’s reputation are just a few things that could come from loss of data…and those are the best-case scenarios. Small businesses can’t afford to lose data. Almost 60% of small businesses go under within six months of a major data loss.

The good news is that a majority of small businesses already back up their data, whether locally, in the cloud or both. To prevent a catastrophic loss of data, it is important that you follow some simple guidelines to preserve your data. Back up the data, for starters, preferably on a daily basis, but at least a couple of times a week. You also want to have a Business Continuity Plan in place.

A Business Continuity Plan is a process put in place to respond to any catastrophic loss of data with a documented and clear set of plans to recover that data. The plan includes step-by-step instructions on how to recover from the loss and get your network or system up and running as swiftly as possible, to avoid a major loss in productivity or revenue and get back to work.

Your data recovery analysis should include hiring a Managed Service Provider for your IT recovery needs. They are specially qualified to handle data recovery and to get your business back up and running after an IT disaster better than you are. They will help with the analysis and show you the best way to safeguard your data so that, in the event of a catastrophe, they can help get that data back.

What can cause your data to be lost? There are a few main causes for the loss of important data, including:

  • Hackers – A lot of the time, data loss is due to poor cybersecurity. Without the right preventative measures in place, hackers can infect a system with ransomware and compromise all of your files. Ransomware is likely today’s biggest threat to your data. You hear about it everywhere, including how to defend against it before they get in and take over your files. You don’t want that ransom note.
  • Human Error – Backing up files, moving files and deleting old files is something that we do every day as part of our business routine. So it is inevitable that we accidentally delete the wrong files or back up an outdated version of a file. Human error is inevitable, so have a plan in place for when this happens to you.
  • Software Failure – We’ve all been there. You have a dozen programs running at once as you try to accomplish a dozen tasks at once. You’re working in one of those dozen programs when the computer starts acting sluggish, then crashes. Now all that data is gone because you didn’t save or back it up before the crash. Similarly, if you are using outdated software you’re asking for problems. Don’t fall victim to this. Keep software up to date and don’t overtask the hardware.
  • Hardware Failure – Hard drives fail all the time. 140,000 hard drives fail every day. Some just get worn out, but others fail due to extenuating circumstances such as:
      • Water Damage
      • Fire Damage
      • Overheating
      • Power Surges
      • Getting Dropped
  • Cyber Viruses and Malware – Viruses and malware are a real threat in today’s ever-connected world. The internet has immense value and you’re probably connected to it at all times, but this also leaves you open to computer viruses as well as hackers that want to steal or hijack your data, or corrupt your entire network.
  • Power Failure – The loss of power to your system might seem as if it is low risk, but that’s not always the case. A power failure to the computer can result in loss of data or, even worse, hard drive failure.
  • Natural Disasters (hurricane, tornado, etc.) – A tornado doesn’t care how long it took you to back up your data or that you didn’t back up at all. A server room could flood or a main work area could suddenly cave in or be swept away. If you live somewhere prone to natural disasters, you should already be backing up data.

The best way to protect your data from hackers and other problems is to have a reliable recovery solution in place by an IT professional. The biggest threat to your data and your business is not being prepared. Get together with your Managed Service Provider (MSP) and come up with a Business Continuity Plan that works for your business.

10 Ways To Stay Safe Online

Staying safe when online may seem overwhelming. Everything that connects to the Internet can get hacked. However, here are things you can do to mitigate your risk.

  1. Always update your operating system (OS) and other software. When companies discover vulnerabilities in their software, they send out security patches to solve the problem.
  2. Download up-to-date security programs, including antivirus and anti-malware software, anti-spyware, and a firewall.
  3. Don’t use public WiFi. Protect your WiFi with an encrypted password, and refresh it every few years. Today’s routers make it easy to frequently change your password.
  4. Password protect all of your devices, including your desktop, laptop, phone, smartwatch, tablet, and IoT (Internet of Things) devices. Create difficult passwords and change them frequently. Don’t use the same password for more than one account. (Or use a password manager like LastPass.)
  5. Use two-factor authentication, which requires you to not only enter a password but also confirm entry with another item, like a code texted to a phone.
  6. Practice smart emailing. Phishing campaigns still exist. Hover over links to see the actual email address of the sender. Don’t open attachments unless you’re 100% sure of where they came from.
  7. Practice smart browsing. Encrypted sites are the safest ones to visit. You know they are safe when you see HTTPS in the URL and the lock icon in your browser. If you suspect a hacker, do a quick search on the Internet for the subject line.
  8. Log out of accounts when you’re done with them. Simply closing the browser window isn’t enough.
  9. Don’t link accounts. This allows services to get a lot of your personal information – for example, when a site asks you to sign in with your Facebook account.
  10. Keep sensitive data off public cloud services. Very few cloud storage solutions offer encryption for data at rest.

Want more tips on keeping safe online? Or, better yet – do you need a partner that can help you build a more secure business? Contact Imagis today by emailing us at info@ImagisInnovations.com or calling 866.462.4474.