Once you’ve finished with your opt-in form, you’re ready to collect your customers’ data. But wait: have you thought about where you are going to store all this data? What measures will you take to keep it secure?
As the GDPR states, data protection should be “by design and by default”. “It’s a principle in the GDPR that indicates that all institutions must be compliant from the very beginning, as a foundation of their processes and mechanisms”, explain our lawyers Sophie and Perrine from SSC Avocats. It means that institutions must be built with the GDPR as a core component of the company and not just something they “add” at the end.
We consulted Hadi El-Khoury, CEO and founder of Sekimia Cybersecurity & Risk Management, about how to successfully fulfill this requirement and keep customers’ data secure.
Secure processes and connections are not just for checkout pages, so let’s explore what we can do to:
- strengthen our information systems
- prevent and recognize data breaches
- deal with an incident if we experience one
What are the most common cyberattacks?
“The biggest threats today are phishing and ransomware”, Hadi said:
- Phishing is a cybercrime in which someone pretends to be a legitimate institution and lures individuals, via email, phone, or text message, into handing over personal data such as passwords and banking or credit card details. “The information is then used to access important accounts and can result in identity theft and financial loss”, as Phishing.org, a project for awareness, education, and information regarding this type of threat, puts it.
- Ransomware is a type of malicious software (malware) designed to deny access to a computer system or data until a ransom is paid, and it can be the result of a phishing attack, according to the Cybersecurity and Infrastructure Security Agency (CISA).
However, these two are not the only threats you need to worry about.
“We have a lot of examples of organizations that discover that 2, 3 years ago they were infested by hackers in their information system. Why? Because those hackers were only interested in stealing or modifying information, they were not interested in ransoming or in conducting denial of service”, says Hadi.
“You need indicators that can point out when you’re being compromised, otherwise, you could never notice it”, he adds.
How can we prevent cyberattacks?
There are many measures we could take to protect our systems and our data from being stolen, modified, or infected, and the right ones depend on a number of factors: the size of the company, its business model, the type of data it collects, and more.
It is fair to say that every company needs its own security model, and the ideal way to work it out is to consult a specialist beforehand.
Until you do that, Hadi suggested some basic and some more advanced preventive measures that can significantly reduce the likelihood of an incident.
Basic cybersecurity measures:
- Keep your software and systems up to date. Apply security patches as soon as they are released and on as many systems as possible, and keep your antivirus and malware-detection tools current as well.
- Back up your data and, just as importantly, keep the backup disconnected. A backup that stays online is of little use: if an attacker gets into your systems, they will most likely reach the backup too and encrypt or delete it. Test now and then that the backup actually restores.
- Run background checks during the hiring process. According to Screen and Reveal, employee fraud and theft cost US companies $400 billion a year.
- Use a password manager, such as LastPass or 1Password, and enable two-factor authentication wherever it is available.
More advanced cybersecurity measures:
- DNS monitoring tools. They watch for anyone registering a domain name that resembles yours (a dropped or swapped letter, a digit in place of a letter, a different extension) in order to impersonate you. Such a registration is often the preparation for a phishing campaign, so when your DNS monitor flags one you can act early: warn your customers, request a takedown, and alert the authorities.
- Outbound flow monitoring tools. They inspect where connections leaving your network go, for example the destination of a link that you or an employee clicked by mistake, and block the connection when the destination is identified as malicious. Because they look at traffic leaving the network, they are also one of the indicators Hadi mentioned above: a machine calling out to a destination you do not recognize can reveal a compromise that would otherwise stay silent.
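To make the two advanced measures concrete, here is an added example (not code from the original article or from Sekimia) that does, in miniature, what those tools do. The first half generates the single-edit lookalike variants of a domain, which is what a DNS monitor compares new registrations against; the second half screens constructed outbound proxy log lines against a small blocklist and against those lookalikes. The domain `example.com`, the key=value log format, and the blocklist entry are all assumptions made for the example.

```python
"""Constructed example: lookalike-domain generation (what a DNS monitor
watches new registrations for) and outbound-destination screening
(what an outbound flow monitor does with a proxy log)."""
import re

OWN_DOMAIN = "example.com"  # assumed placeholder for your own domain

# Substitutions attackers commonly use to make a name look like yours.
HOMOGLYPHS = {
    "o": ("0",), "l": ("1", "i"), "i": ("1", "l"), "e": ("3",),
    "a": ("4",), "s": ("5",), "m": ("rn",), "w": ("vv",),
}
COMMON_TLDS = ("com", "net", "org", "co", "io", "fr", "info")
AFFIXES = ("login", "secure", "support", "mail")

# Constructed blocklist of known-bad destinations (a real deployment would
# pull these from a threat-intelligence feed).
BLOCKLIST = {"invoice-update-portal.xyz"}


def lookalike_domains(domain):
    """Return single-edit typosquatting variants of `domain`: omission,
    repetition, adjacent transposition, homoglyph substitution,
    hyphenated affixes and TLD swaps."""
    label, _, tld = domain.lower().rpartition(".")
    labels = set()
    for i, ch in enumerate(label):
        labels.add(label[:i] + label[i + 1:])              # omission: exmple
        labels.add(label[:i] + ch + label[i:])             # repetition: exaample
        for sub in HOMOGLYPHS.get(ch, ()):
            labels.add(label[:i] + sub + label[i + 1:])    # homoglyph: examp1e
    for i in range(len(label) - 1):
        labels.add(label[:i] + label[i + 1] + label[i] + label[i + 2:])  # exmaple
    for affix in AFFIXES:
        labels.add(f"{label}-{affix}")
        labels.add(f"{affix}-{label}")
    labels.discard(label)
    labels.discard("")
    variants = {f"{v}.{tld}" for v in labels}
    variants |= {f"{label}.{t}" for t in COMMON_TLDS if t != tld}
    return variants


def registrable(host):
    """Crude eTLD+1 (last two labels). Good enough here; production code
    should use the Public Suffix List so 'co.uk'-style suffixes work."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def is_lookalike(host, own_domain=OWN_DOMAIN):
    """True when `host` sits under a lookalike of `own_domain`.
    This is the check a DNS monitor runs on every new registration."""
    return registrable(host) in lookalike_domains(own_domain)


def classify_destination(host, own_domain=OWN_DOMAIN, blocklist=BLOCKLIST,
                         lookalikes=None):
    """Label an outbound destination: own / blocklisted / lookalike / unknown."""
    host = host.lower().split(":")[0]            # drop :port
    base = registrable(host)
    if lookalikes is None:
        lookalikes = lookalike_domains(own_domain)
    if base == own_domain:
        return "own"
    if host in blocklist or base in blocklist:
        return "blocklisted"
    if base in lookalikes:
        return "lookalike"
    return "unknown"


# Constructed proxy log lines in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-04T09:12:01Z host=pc-17 user=alice dest=www.example.com:443 action=CONNECT
2024-03-04T09:12:09Z host=pc-17 user=alice dest=login.examp1e.com:443 action=CONNECT
2024-03-04T09:13:44Z host=pc-22 user=bob dest=cdn.jsdelivr.net:443 action=CONNECT
2024-03-04T09:14:02Z host=pc-22 user=bob dest=invoice-update-portal.xyz:443 action=CONNECT
2024-03-04T09:15:30Z host=pc-09 user=carol dest=example-login.com:443 action=CONNECT
"""

LOG_LINE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
    r"dest=(?P<dest>\S+) action=(?P<action>\S+)$"
)


def scan_outbound(log_text, own_domain=OWN_DOMAIN, blocklist=BLOCKLIST):
    """Return (line_no, host, user, destination, verdict) for every outbound
    connection that should be blocked and investigated."""
    lookalikes = lookalike_domains(own_domain)   # compute once, not per line
    alerts = []
    for n, line in enumerate(log_text.strip().splitlines(), start=1):
        m = LOG_LINE.match(line)
        if not m:
            continue                              # unparsable line: skip, don't crash
        dest = m["dest"].split(":")[0]
        verdict = classify_destination(dest, own_domain, blocklist, lookalikes)
        if verdict in ("blocklisted", "lookalike"):
            alerts.append((n, m["host"], m["user"], dest, verdict))
    return alerts


if __name__ == "__main__":
    print("new registration examp1e.com lookalike?", is_lookalike("examp1e.com"))
    for alert in scan_outbound(SAMPLE_LOG):
        print("ALERT line %d: %s (%s) -> %s [%s]" % alert)
```

Run on the constructed log, it flags lines 2 and 5 (lookalikes of the company's own domain, the kind of destination a phishing email points to) and line 4 (a blocklisted destination) while leaving the company's own site and a legitimate CDN alone. The generator only covers single-edit variants; an open-source tool such as dnstwist produces far more permutations and checks whether they actually resolve, which is what a real DNS monitor does.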
What to do if you experience a hack or a data breach?
Having a first-response plan, so that you know exactly what to do in case of a cyberattack, should be as natural as having a first-aid kit. “On a daily basis, I encounter customers that are suffering a breach and don’t know who to call. They spend countless hours searching for the appropriate expert or the appropriate forensic advisor”, explains Hadi.
We asked him what we could do to deal with a hack or a breach and he suggested three basic steps, which we reproduce below.
In case of a cyber attack:
- Disconnect your information system from the internet. This stops intruders from digging deeper into your network or taking more data out. Disconnect rather than power off: switching machines off destroys evidence in memory that the forensic investigation will need.
- Find out where the breach came from. This is far easier if you have mapped your information system beforehand, as completely as possible: which systems exist, what data they hold, and how they connect to one another.
- Know who to call. Keep a ready list of contacts at law enforcement and at private organizations that can help you respond to an incident, so you are not searching for them in the middle of one.
Fighting cybercrime together
The more we unite, the better we can fight. If you suffer from spamming, phishing, ransomware, or any other cyberattack, report it and take action: you will be contributing to a safer internet for all.
“The site Cybermalveillance is a public-powered platform that allows cyber victims to go and seek help and seek assistance from a variety of private companies. You could also call the cops to signal that and file a lawsuit”, he adds. At the bottom of this article, you will find a longer list of go-to sites for reporting cybercrime and for learning more about how to fight it.
“The starting point would be to raise awareness and to train your employees to abide by the ‘stop, think, connect’ mantra. So when in doubt, don’t click. Ask someone around. Double-check”, explains Hadi.
Our commitment at Octopush
As a company that handles not only our clients’ data but also our clients’ own customers’ data, we at Octopush need to be extremely careful and methodical about our own cybersecurity.
We feel a strong commitment to fighting cybercrime and raising cybersecurity awareness, for ourselves and for our customers. To be consistent with this mission, we’ve decided to create a Consent & Data Security section that we’ll be publishing very soon.