Data in transit: a potential gap in a business’ GDPR compliance
Most businesses have solutions in place to protect data at rest but what about data in transit?
With the General Data Protection Regulation (GDPR) now in effect, businesses must also consider the protection of data in transit and the implications of a breach under GDPR.
For businesses that hold sensitive categories of data, having security measures in place to ensure that data remains private and secure is of the utmost importance.
But even with GDPR in effect, a staggering 75% of SMBs in the UK admit that they have not upgraded their cyber security policies, and 25% say they have no plans to upgrade, or even review, their current security policies, according to our research report.
The fact is that there are a number of GDPR data security risks facing businesses, particularly SMBs, so having robust solutions in place (such as a VPN for GDPR) is essential.
In this blog, we’ll look at how businesses can protect their data in transit and ensure that they are compliant with GDPR standards by plugging this potential gap.
Use security controls and data encryption tools
First and foremost, businesses need to implement robust security controls to help protect data in transit. Firewalls and network access controls, for example, will help to keep networks secure and prevent intrusions from unauthorised devices or IP addresses. Businesses should whitelist employee devices so that only those devices can access the business’ network, and allow only selected incoming traffic through the router.
But this is just the start: to truly protect data in transit it is essential to put in place file-level encryption. Before data is transferred between systems, or between employees, it must be encrypted to provide an essential additional layer of security.
There are a number of free file encryption tools available online for businesses. These tools encrypt the data, which can only be unlocked and read by recipients with the decryption keys. This means that even if a cyber criminal manages to obtain data in transit, without the key, they won’t be able to decipher the information.
In addition to file-level encryption, businesses should use a virtual private network (VPN) to create secure connections, thus ensuring data in transit is both encrypted and remains private. Cyber criminals cannot see what information is being transmitted from the device to the target server and even if they do manage to access it, without the decryption key it is unintelligible and hence unusable.
If working remotely, verify networks before and during the connection process
Spoofing WiFi networks is a popular tactic amongst cyber criminals. They set up a network that appears to be legitimate and wait for unsuspecting users to connect. For example, cyber criminals might set up a fake network at a train station named Victoria Station Free WiFi.
To many, this wouldn’t seem amiss – and most wouldn’t take the time to check or verify the connection either. They would connect, browse the internet, access their email and be none the wiser. Cyber criminals can then steal their details and use them as they please.
Regardless of the circumstances, employees should take the time to validate WiFi connections when working remotely. Here are a few things that should be looked out for and implemented:
Terms and conditions: Genuine public WiFi networks will immediately direct users to a terms and conditions page and ask the user to sign up.
Error messages: If applications stop working or browser error messages are regularly being displayed, the network could be fraudulent.
Hypertext Transfer Protocol Secure (HTTPS): Upon connecting, verify the security of the connection by checking the URL for HTTPS. If there’s no HTTPS, the current session is not secure and cyber criminals can access transmitted data.
Ask a staff member: Staff members should be able to confirm if a WiFi network is legitimate or not.
Follow best practices for transferring data over insecure networks
Ideally, business employees should avoid transferring data over insecure networks – such as public WiFi at train stations, airports and cafes – but if it cannot be avoided there are some practices to follow.
- Use a VPN to protect data in transit
Using a VPN is the best way to protect data on insecure networks. Simply put, a VPN creates a virtual encrypted tunnel between the device it’s installed on and the VPN server. Traffic is routed through this tunnel, so all data is encrypted and hidden from those snooping on the local network.
Under GDPR, a VPN will prove incredibly useful in protecting sensitive data in transit.
- Browse in incognito mode and ensure sessions are encrypted with HTTPS
If a VPN isn’t available, employees should browse in incognito mode and only use websites that have HTTPS when transferring or receiving sensitive data.
Browsing in incognito mode prevents employees’ browsing history from being stored on the device and discards any tracking cookies picked up during the session. Using incognito mode along with a VPN can add another layer of security and help employees to keep their online activities private.
Hypertext Transfer Protocol Secure (HTTPS) is the secure version of HTTP, and it means that all communications between the browser and the website are encrypted. It was once used mainly to protect highly confidential online transactions, but most websites today use HTTPS. To determine if a website has HTTPS enabled, look for a padlock in the address bar.
- Use 4G
It’s always better to use mobile data (4G) than public WiFi. Only the device user is on that connection, so nobody else on a shared network can observe the traffic, and data transferred via 4G is encrypted between the device and the mobile network.
If employees are working remotely and do not trust a public WiFi connection, it is always safer to use 4G.
What happens if businesses don’t implement encryption?
Without some form of online encryption or a VPN, employees working remotely will unwittingly expose critical business data to cyber criminals. In the context of GDPR compliance, the loss or theft of this data could lead to severe financial penalties. The maximum administrative fine under GDPR is €20 million, or 4% of annual global turnover, whichever is higher, so it’s incredibly important for businesses to equip employees with a VPN to securely browse the internet and access business services whilst on public WiFi networks.
A VPN provides a critical and much-needed layer of online security and helps to ensure that data in transit is protected and private and that businesses are compliant with GDPR. Following the points outlined in this blog will help businesses and their employees to avoid data breaches and prevent cyber criminals from getting access to critical business, client or personal data.
If you want to find out more about the current cyber security landscape and how businesses – particularly SMBs – are coping, download our free market research report below.