Post on 20-Aug-2020


GENERAL DATA PROTECTION REGULATION FOR SME

KURT CALLEWAERT

BRUSSELS 21/06/2018

WHO

Kurt Callewaert

• Kurt.Callewaert@howest.be 0473 340465

• Lecturer Applied Computer Sciences

• Research manager

• Computer & Cyber Crime Professional

• Blockchain Developer & Architect

• Postgraduate DPO

Enterprises' turnover from e-commerce, by country

http://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics

B2C = on average 35%

GDPR survey of 660 European CIOs

https://www.ontrackdatarecovery.nl/nieuws/datavernietiging-europese-privacyregels/

GDPR in one slide

• 25 May 2018
• Extra-territorial reach
• Core principles:
  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Retention
  • Integrity and confidentiality
• Consent
• Data subject rights:
  • Right to be forgotten
  • Right to data portability
  • Right to object to direct marketing
  • Subject access requests
  • Profiling and automated decision making
• Privacy notices
• Accountability
• Data protection officer
• Data security
• Processors
• Transfers outside the Union
• Sanctions

SMEs and security policy?

http://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises

Enterprises with a security policy

Enterprises with a security policy, by country

European survey on SME policy

http://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises

ISO survey of 27001 certifications

[Chart: ISO 27001 certifications by country: United Kingdom, Romania, Italy, Germany, Spain, Netherlands, Poland, Czech Republic, Hungary, Bulgaria, Turkey, Slovakia, France, Serbia, Ireland, Greece, Switzerland, Austria, Sweden, Portugal, Croatia, Russian Federation, Belgium, Slovenia, Norway, Finland, Lithuania, Denmark, Iceland, Latvia, Albania, Armenia, Bosnia and Herzegovina, Cyprus, The Former Yugoslav Republic of Macedonia, Ukraine]

WHY SHOULD THE SME ACT?

• Compliance with GDPR (sensitive personal data)

• Company reputation damage

• Continuity

• Competition

innovative creative entrepreneurial

WHO IS THE SME’S TRUSTED ADVISOR?

• Accountant
• Customer / contractor
• IT supplier
• Bank
• Assurance
• Professional association


OUR ADVICE TO THE SME: SET UP AN ISMS

INFORMATION SECURITY MANAGEMENT SYSTEM


CYBERSECURITY AUDIT PROGRAM NIST CSF


ACCESS CONTROL


PRACTICAL SOLUTIONS: SECURE CLOUD STORAGE

1. Usable security
2. Private cloud storage
3. Possibility to integrate with server-side encryption or client-side encryption
4. Multi-version backup


PRACTICAL SOLUTIONS: SECURE MAIL

1. Usable security
2. Most of the encrypted email solutions are not usable
3. PGP, S/MIME
4. Usability studies show this:
   1. 1999: Why Johnny can’t encrypt
   2. 2006: Why Johnny still can’t encrypt
   3. 2013: Confused Johnny
   4. 2015: Why Johnny still, still can’t encrypt
5. Other protocols / tools


PRACTICAL SOLUTIONS: DEVICE ENCRYPTION

1. Use the standard tools for your OS for laptops
2. Be careful: encryption should not be “security theatre”


PRACTICAL SOLUTIONS: DATABASE ENCRYPTION

1. Very DBMS and version dependent
2. Very dependent on your clients and specific architecture
3. An ERP system comes with a database that you cannot control yourself
4. Threat model? Who do you trust or not?
5. If any client can send SQL (or web services) to the server, what is the point of encrypting the database content?


PRACTICAL SOLUTIONS: NETWORK ENCRYPTION

1. Choose the correct protocols
2. Network segmentation (IoT)
3. VPN


PRACTICAL SOLUTIONS: MONITORING IDS/IPS

1. Monitoring is key for good security
2. Monitoring as a service to SMEs
3. Host intrusion detection, network intrusion detection
4. Monitoring all the security tools: firewall, antispam, web filtering, email filtering, host agents (HIDS),
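Added example, not part of the slides: a minimal host-side detection rule of the HIDS kind listed above, run in Python over constructed OpenSSH auth-log lines. The log lines, the host name, the IP addresses, and the rule itself (five failed logins from one source within 60 seconds) are all assumptions made here to show what a monitoring agent actually evaluates; a real HIDS applies many such rules and forwards alerts to the monitoring service.

```python
"""Toy host-based detection rule: flag login brute-forcing in sshd log lines.

Assumed example written for this page; sample data is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample lines in the usual OpenSSH syslog format. Host name and
# addresses are made up (documentation ranges); the year is supplied separately
# because syslog timestamps omit it.
SAMPLE_LOG = """\
Jun 21 09:00:01 fileserver sshd[2201]: Failed password for invalid user admin from 203.0.113.7 port 51234 ssh2
Jun 21 09:00:03 fileserver sshd[2203]: Failed password for root from 203.0.113.7 port 51235 ssh2
Jun 21 09:00:05 fileserver sshd[2205]: Failed password for invalid user test from 203.0.113.7 port 51236 ssh2
Jun 21 09:00:08 fileserver sshd[2207]: Failed password for root from 203.0.113.7 port 51237 ssh2
Jun 21 09:00:09 fileserver sshd[2209]: Accepted publickey for alice from 192.0.2.10 port 40000 ssh2
Jun 21 09:00:12 fileserver sshd[2211]: Failed password for invalid user oracle from 203.0.113.7 port 51238 ssh2
Jun 21 09:05:00 fileserver sshd[2301]: Failed password for bob from 192.0.2.10 port 40001 ssh2
Jun 21 09:20:00 fileserver sshd[2401]: Failed password for bob from 192.0.2.10 port 40002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) \S+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_line(line, year=2018):
    """Return (timestamp, result, user, ip) for an sshd auth event, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return ts, m["result"], m["user"], m["ip"]


def detect_bruteforce(log_text, threshold=5, window=timedelta(seconds=60), year=2018):
    """Sliding-window rule: alert the first time a source IP accumulates
    `threshold` failed logins inside `window`. Returns a list of
    (ip, alert_time, failure_count) tuples, one per offending source."""
    recent = defaultdict(deque)  # ip -> failure timestamps still inside the window
    alerted = set()
    alerts = []
    for line in log_text.splitlines():
        parsed = parse_line(line, year)
        if parsed is None:
            continue  # not an auth event we understand; a real agent would count these too
        ts, result, _user, ip = parsed
        if result != "Failed":
            continue
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold and ip not in alerted:
            alerted.add(ip)
            alerts.append((ip, ts, len(q)))
    return alerts


if __name__ == "__main__":
    for ip, when, count in detect_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when:%H:%M:%S} {count} failed logins from {ip} within 60s")
```

On the constructed sample, 203.0.113.7 trips the rule at 09:00:12 with five failures in eleven seconds, while 192.0.2.10 (two failures fifteen minutes apart) does not. The window keeps per-source state small, so the same logic scales to a continuous log feed rather than a file read at once.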


AWARENESS TRAINING

* Phishing
* Social Engineering
* Strong Passwords


ISMS4SME IMPROVEMENT
