When it comes to data protection, and the requirement under UK GDPR to process and store personal data securely, you might not immediately think of Estate Agents, and for that matter financial advisors, solicitors etc. But Estate Agents hold large amounts of information on their clients, including their financial history, bank account details, copies of passports and other identifying documents, much of which they are required to hold for 7 years, under financial services legislation. So the scope for a data breach is huge.
Some examples include:
A London estate agent has been fined £80,000 by the ICO after leaving the personal data of more than 18,000 customers exposed for almost two years. The incident occurred when the estate agent passed the details from its own servers onto a partner company. An “Anonymous Authentication” function was not switched off, which meant there were no access restrictions to the data between March 2015 and February 2017.
The exposed details included bank statements, salary details, copies of passports, dates of birth and addresses of both tenants and landlords.
Writing on its website, the ICO said its investigations had uncovered a ‘catalogue of security errors’. The Agent had failed to take appropriate technical and organisational measures, in addition, only alerting the ICO to the breach when it was contacted by a hacker.
Lack of adequate data security is an important basis for imposing fines. Are you one of the SMEs who has swallowed the line that a firewall and some anti-virus, plus cloud storage, is all you need?
In addition to inadequate security, one of the frequent reasons for imposing a penalty is failure to report a violation despite the obligation under the law. Have you got that covered with an adequate policy and process in place and understood?
This can all be a real nightmare for many SMEs, particularly those with a large amount of personal data, much of which they can’t ditch. For example, financial data which under other legislation, they must keep for 7 years. I’m thinking about Estate Agents and financial advisors, even solicitors who I find are very good at telling others what they need to do to comply with the Act but aren’t so hot on how to do it.
One of the biggest issues I find with SMEs, is that they often think they know where all their data is but get quite a surprise when they discover multiple instances of the same data set. This has become a real issue since COVID, in that remote working is becoming normal and it’s a real temptation for an employee, working from home with possibly less than robust broadband, to copy data from cloud storage to their PC to ensure they can keep working on it. Then they upload it again when they’ve finished but forget to delete their copy. That’s just one instance but it is vital to understand where all this data is. What if for instance, you get what is known as a subject access request, where a client or other member of the public wants to know exactly what personal data you have on them, and why. I spoke to a financial advisor recently who told me that it took one of their partners off the road for 3 weeks, to discover where all the data was kept on just one person. But under the law, they had no choice but to bite the bullet.
We’ve been pondering these problems for some time, and they boil down to processing and storing the data securely and being able to quickly lay your hands on it. There are several systems on the market which will capture where your data is, and who has access to it, generally under the banner of Data Loss Prevention, or DLP. These systems are based on an event-driven approach and require extensive ongoing rules management built for LAN/WAN perimeters and are becoming much less effective working in an increasingly perimeter less environment.
Local and Wide area networks and the notion of a security perimeter are no longer valid with the transition to hybrid cloud, work-from-home, and zero-trust architecture. In such a setup, sensitive files are spread across on-premises repositories (File Server, NAS) and different cloud-based repositories. These cloud-based repositories are divided between the ones that you manage (managed cloud, such as organisational OneDrive), shadow IT (such as communication apps like slack or WhatsApp), and 3rd party portals. We needed an answer to this new data landscape with a cross-platform discovery functionality, coupled with the data flow monitoring capabilities.
We came across Actifile, which works very differently to a standard DLP, which in any case, often requires other tools to provide the security functionality needed. Actifile is based on analysing data risks and applying pre-emptive encryption that handles both external threats and insider carelessness, all in the world of no security perimeters. Moreover, Actifile’s set and forget method, requires little to no maintenance, and can be up and running securing data, in less than 3 working days providing a detailed breakdown of the data risk and leverages the data risk for data flow monitoring, auditing and remediation. This approach greatly simplifies the process.
Actifile is a cloud-based management platform coupled with a lean agent for workstations (both Windows and Mac), File Servers, NAS and Terminal Servers, and a sidecar docker instance for cloud-based file shares (. i.e., OneDrive).
Step 1: Data Risk Discovery and Quantification
Based on predefined privacy regulations and PII definitions, Actifile immediately starts scans for sensitive data using smart patterns. Actifile then quantifies data risk per PII type in local currencies.
Step 2: Data Risk Monitoring and Auditing
Tracks and audits data risk in real-time by continually monitoring incoming and outgoing sensitive data flows from and to the perimeter-less organization.
Step 3: Data Risk Remediation by Encryption
Our patented transparent encryption process automatically secures sensitive data across all endpoints, cloud apps, 3rd party portals, and shadow IT. The entire process, from initial deployment through data risk analysis to remediation by automatic encryption takes as little as 72 hours.
Finally, and importantly, it is very light on administration, quick to set up and we are offering a 30 day trial at no cost. If you don’t like it, we take it away.
Recent Comments