general data protection regulation for sme kurt … · 2018. 6. 27. · • blockchain developer...

GENERAL DATA PROTECTION REGULATION FOR SME

KURT CALLEWAERT

BRUSSELS 21/06/2018

WHO

Kurt Callewaert

• [email protected] 0473 340465

• Lecturer Applied Computer Sciences

• Research manager

• Computer & Cyber Crime Professional

• Blockchain Developer & Architect

• Postgraduate DPO

Enterprises turnover from e-commerceby country

http://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics

B2C = on average 35%

http://ec.europa.eu/eurostat/statistics-explained/index.php/E-commerce_statistics

GDPR survey of 660 European CIO’s

https://www.ontrackdatarecovery.nl/nieuws/datavernietiging-europese-privacyregels/

https://www.ontrackdatarecovery.nl/nieuws/datavernietiging-europese-privacyregels/

• 25 May 2018• Extra-territorial reach• Core principles:

• Lawfulness, fairness, transparancy Accuracy• Purpose limitation Retention• Data minimisation Integrity and confidentiality

• Consent• Data subject rights

• Right to be forgotten Right to data portability• Right to object to direct marketing Subject access requests• Profiling and automated decision making

• Privacy notices• Accountability• Data protection officer• Data security• Processors• Transfers outside the Union• Sanctions

GDPR in one slide

SME’s and security policy?

http://ec.europa.eu/eurostat/statistics-explained/index.php/ICT_security_in_enterprises

Enterprises with a security policy


Enterprises with a security policyby country

European survey on SME policy



ISO survey of 27001 certifications11

ISO 27001 certifications

United Kingdom RomaniaItaly GermanySpain NetherlandsPoland Czech RepublicHungary BulgariaTurkey SlovakiaFrance SerbiaIreland GreeceSwitzerland AustriaSweden PortugalCroatia Russian FederationBelgium SloveniaNorway FinlandLithuania DenmarkIceland LatviaAlbania ArmeniaBosnia and Herzegovina CyprusThe Former Yugoslav Republic of Macedonia Ukraine

WHY SHOULD THE SME ACT?

• Compliancy with GDPR (sensitive personal data)

• Company reputation damage

• Continuity

• Competition

innovative creative entrepreneurial

• Accountant

• Customer / contractor

• IT supplier

• Bank

• Assurance

• Professional association


WHO IS THE SME’S TRUSTED ADVISOR?


OUR ADVICE TO THE SME: SET UP AN ISMS

INFORMATION SECURITY MANAGEMENT SYSTEM


CYBERSECURITY AUDIT PROGRAM NIST CSF

innovatief creatief ondernemend

ACCESS CONTROL


PRACTICAL SOLUTIONS: SECURE CLOUD STORAGE

1. Usable security2. Private cloud storage3. Possibility to integrate with server-side encryption or client-

side encryption4. Multi-version backup


PRACTICAL SOLUTIONS: SECURE MAIL

1. Usable security2. Most of the encrypted email solutions are not usable3. PGP, S/MIME4. Usability studies show this

1. 1999: Why Johny can’t encrypt

2. 2006: Why Johny still can’t encrypt

3. 2013: Confused Johny

4. 2015: Why Johny still, still can’t encrypt5. Other protocols / tools


PRACTICAL SOLUTIONS: DEVICE ENCRYPTION

1. Use the standard tools for your OS for laptops2. Be careful: encryption should not be “security theatre”


PRACTICAL SOLUTIONS: DATABASE ENCRYPTION

1. Very DBMS and version dependent2. Very dependent on your clients and specific architecture3. An ERP system comes with a database that you cannot control

yourself4. Threat model ? Who do you trust or not ?5. If any client can send SQL (or web services) to the server, what

is the point of encrypting the database content ?


PRACTICAL SOLUTIONS: NETWORK ENCRYPTION

1. Choose the correct protocols2. Network segmentation (IoT)3. VPN


PRACTICAL SOLUTIONS: MONITORING IDS/IPS

1. Monitoring is key for good security2. Monitoring as a service to SME’s3. Host intrusion detection, network intrusion detection4. Monitoring all the security tools: firewall, antispam, web

filtering, email filtering, host agents (HIDS),


AWARENESS TRAINING

* Phishing* Social Engineering* Strong Passwords


ISMS4SME IMPROVEMENT

general data protection regulation for sme kurt … · 2018. 6. 27. · • blockchain developer...

Documents