GENERAL DATA PROTECTION REGULATION FOR SME
KURT CALLEWAERT
BRUSSELS 21/06/2018
WHO
Kurt Callewaert
• [email protected] 0473 340465
• Lecturer Applied Computer Sciences
• Research manager
• Computer & Cyber Crime Professional
• Blockchain Developer & Architect
• Postgraduate DPO
Enterprises' turnover from e-commerce by country
http://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics
B2C = on average 35%
GDPR survey of 660 European CIOs
https://www.ontrackdatarecovery.nl/nieuws/datavernietiging-europese-privacyregels/
GDPR in one slide
• 25 May 2018
• Extra-territorial reach
• Core principles:
  • Lawfulness, fairness, transparency
  • Purpose limitation
  • Data minimisation
  • Accuracy
  • Retention
  • Integrity and confidentiality
• Consent
• Data subject rights:
  • Right to be forgotten
  • Right to object to direct marketing
  • Profiling and automated decision making
  • Right to data portability
  • Subject access requests
• Privacy notices
• Accountability
• Data protection officer
• Data security
• Processors
• Transfers outside the Union
• Sanctions
SMEs and security policy?
http://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises
Enterprises with a security policy
Enterprises with a security policy by country
European survey on SME policy
http://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises
ISO survey of 27001 certifications
ISO 27001 certifications
[Chart: ISO 27001 certifications by country. Countries shown: United Kingdom, Romania, Italy, Germany, Spain, Netherlands, Poland, Czech Republic, Hungary, Bulgaria, Turkey, Slovakia, France, Serbia, Ireland, Greece, Switzerland, Austria, Sweden, Portugal, Croatia, Russian Federation, Belgium, Slovenia, Norway, Finland, Lithuania, Denmark, Iceland, Latvia, Albania, Armenia, Bosnia and Herzegovina, Cyprus, The Former Yugoslav Republic of Macedonia, Ukraine]
WHY SHOULD THE SME ACT?
• Compliance with GDPR (sensitive personal data)
• Company reputation damage
• Continuity
• Competition
innovative creative entrepreneurial
WHO IS THE SME’S TRUSTED ADVISOR?
• Accountant
• Customer / contractor
• IT supplier
• Bank
• Assurance
• Professional association
OUR ADVICE TO THE SME: SET UP AN ISMS
INFORMATION SECURITY MANAGEMENT SYSTEM
CYBERSECURITY AUDIT PROGRAM NIST CSF
ACCESS CONTROL
PRACTICAL SOLUTIONS: SECURE CLOUD STORAGE
1. Usable security
2. Private cloud storage
3. Possibility to integrate with server-side encryption or client-side encryption
4. Multi-version backup
PRACTICAL SOLUTIONS: SECURE MAIL
1. Usable security
2. Most of the encrypted email solutions are not usable
3. PGP, S/MIME
4. Usability studies show this:
   1. 1999: Why Johnny can’t encrypt
   2. 2006: Why Johnny still can’t encrypt
   3. 2013: Confused Johnny
   4. 2015: Why Johnny still, still can’t encrypt
5. Other protocols / tools
PRACTICAL SOLUTIONS: DEVICE ENCRYPTION
1. Use the standard tools for your OS for laptops
2. Be careful: encryption should not be “security theatre”
PRACTICAL SOLUTIONS: DATABASE ENCRYPTION
1. Very DBMS and version dependent
2. Very dependent on your clients and specific architecture
3. An ERP system comes with a database that you cannot control yourself
4. Threat model? Who do you trust or not?
5. If any client can send SQL (or web services) to the server, what is the point of encrypting the database content?
PRACTICAL SOLUTIONS: NETWORK ENCRYPTION
1. Choose the correct protocols
2. Network segmentation (IoT)
3. VPN
PRACTICAL SOLUTIONS: MONITORING IDS/IPS
1. Monitoring is key for good security
2. Monitoring as a service to SMEs
3. Host intrusion detection, network intrusion detection
4. Monitoring all the security tools: firewall, antispam, web filtering, email filtering, host agents (HIDS)
AWARENESS TRAINING
* Phishing
* Social engineering
* Strong passwords
ISMS4SME IMPROVEMENT