Navigate next-gen compliance with Sophos

Posted on Monday, September 25, 2017
By David Brookes-Smith
IT Security and Networking Specialist


This blog has been written in partnership with Sophos as part of Softcat's GDPR vendor spotlight series.

Over the past year or so since the General Data Protection Regulation (GDPR) has crept into headlines there's been a noticeable shift in the rhetoric of vendors whose products are in some way related to data security, compliance or anything else that can be linked, however tenuously, to GDPR. As understanding of GDPR has increased within organisations, the message from vendors has shifted from 'we have the silver bullet' to 'we won't make you compliant but we can help along the way'. I think this change is a welcome one and in the wider context of digitisation, automation, and generally doing more with less, leveraging the right technology to make processes easier is the best route towards GDPR compliance.

When it comes to engaging with GDPR, the onus is on businesses at the very highest level (after all, the fines are not just for IT departments!), but inevitably high-level engagement will lead to workflows and tasks being created for IT teams. It's here that incredible value can be gleaned from solutions that focus on data, endpoint, network, cyber, physical or any other security you care to think of! In this blog, I'll talk about some of the tasks and considerations which I believe will become more important, and how Sophos can help with some of those challenges.

Let's start at the very beginning

Before we think about data owners, accessors and managers, let's start at the beginning: what if an organisation simply gets breached? Under the regulation, breaches must be reported within 72 hours to the Supervisory Authority (that's the ICO for the UK). What does this look like in practice? First, you need to be able to identify where the breach has occurred. If we take ransomware as an example, this looks quite simple on the surface. Using Sophos Intercept X we know that any process which starts to encrypt files within a short time frame is probably malicious, so the process is killed. So far so good. But how did the file get there? Where else did it go on the network? How did it enter the network? Sophos understands these problems and has created unified management over both its endpoint clients and gateways. This approach allows admins to automate pieces of the breach detection and response process, and to visualise file trajectory through the network extremely easily. In a situation where a breach has happened, this is hugely useful for organisations that use this platform.

Give your employees the ability to make mistakes

When discussing security, we need to talk about the people within an organisation. Another trend has been towards end-user training and empowerment around cyber, phishing and other threats which may directly touch end users. This is really important. However, people make mistakes, so an organisation that applies responsible controls and protection around data also needs checks and balances that catch those mistakes. This will ensure the confidentiality, integrity and availability of data is maintained if anyone inadvertently interacts with something malicious. Sophos Intercept X does exactly this. There is no reliance on having seen the malware previously. By understanding purely the characteristics of ransomware, Intercept X can isolate and kill encrypting processes before data is (usually) irretrievably lost. This extra safety blanket can absolutely form part of a multi-layered approach to ensuring data is received, processed and stored in a responsible way.
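To make the behavioural idea in the two sections above concrete (a process that rewrites many files as ciphertext-like data in a short window is treated as malicious and stopped), here is an added illustration in Python. It is example code written for this post, not Sophos's implementation; the event shape, the entropy threshold, the window and the write limit are all assumptions, and the sample events are constructed.

```python
# Added example: a behavioural ransomware heuristic of the kind the post describes
# (many files rewritten as high-entropy data by one process in a short window).
# Not Sophos's implementation; event shape and thresholds are assumptions.
from collections import defaultdict, deque
from math import log2
import random

WINDOW_SECONDS = 5.0       # assumed look-back window per process
MAX_ENCRYPTED_WRITES = 8   # assumed number of ciphertext-like rewrites tolerated
ENTROPY_THRESHOLD = 7.5    # bits/byte: ciphertext nears 8.0, English text sits near 4-5

def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte; encrypted output is close to the 8.0 maximum."""
    if not data:
        return 0.0
    counts = defaultdict(int)
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * log2(c / n) for c in counts.values())

class EncryptionBurstDetector:
    """Per PID, remember when ciphertext-like rewrites occurred and flag the
    process once too many fall inside the sliding window."""
    def __init__(self):
        self.events = defaultdict(deque)  # pid -> timestamps of suspicious writes
        self.flagged = set()
    def observe(self, ts: float, pid: int, new_content: bytes) -> bool:
        """Consume one file-write event; True when pid crosses the threshold."""
        if shannon_entropy(new_content) < ENTROPY_THRESHOLD:
            return False               # ordinary content, not ciphertext-like
        q = self.events[pid]
        q.append(ts)
        while ts - q[0] > WINDOW_SECONDS:
            q.popleft()                # drop writes older than the window
        if len(q) >= MAX_ENCRYPTED_WRITES:
            self.flagged.add(pid)      # a product would kill or isolate here
            return True
        return False

def run_demo() -> dict:
    """Constructed events: PID 100 saves ordinary text; PID 200 rewrites files
    with pseudo-random bytes standing in for ciphertext."""
    rng = random.Random(1)
    det = EncryptionBurstDetector()
    for i in range(12):
        det.observe(i * 0.4, 100, b"Quarterly report text " * 50)
        det.observe(i * 0.4, 200, bytes(rng.getrandbits(8) for _ in range(2048)))
    return {"flagged": sorted(det.flagged), "files_lost_before_kill": MAX_ENCRYPTED_WRITES}
```

The `files_lost_before_kill` value is the point behind the post's "(usually)": a purely behavioural control only acts after the burst is visible, so the first few rewritten files still need backups, and a legitimate bulk-encryption or compression tool would trip the same heuristic unless it is allow-listed.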

It's on a 'need-to-see' basis

When thinking about data it's really important to act in terms of least privilege. This applies not just to implementing zero trust between DC resources and the campus LAN with a Sophos next-generation (XG) firewall, but also to understanding who has access to the data you hold. Of course this should be limited by business function after a process of consultation with identified data owners. However, in almost all cases IT personnel will need to manage the data which resides on the network. Should IT personnel be able to see what documents contain? In many cases: absolutely not. Personally identifiable data on a network should be treated with the assumption that it is 'need-to-see' only. An important measure in this space is encryption, and Sophos SafeGuard forms an important part of that for many of our customers.

So absolutely, GDPR is a business problem, and no single vendor provides a silver bullet. Yet, as with almost anything which a business does in this digital age, technology can make vital processes much easier, save time and ultimately money if employed in the correct way.

Find out more

Sophos are a part of this active and dynamic process, and have very successfully helped many corporate and public sector customers. If you'd like to find out more speak with your Softcat account manager or get in touch using the button below.
