How can I better protect my company's data? 3 takeaways from "BlackAlps - Cybersecurity for SMEs".
"Cybersecurity for SMEs" is a series of events organized each year by Innovaud, Y-PARC and Alp ICT as part of the BlackAlps conference. The aim is to address a range of information security topics relevant to SMEs in our region and give them an insight into the challenges of cybersecurity.
The 2018 edition took place on May 29 at Y-Parc, and focused on a recurring but often neglected corporate issue, namely data protection in the face of internal threats: data leaks or destruction, negligence, malice on the part of an employee or ex-employee, or others. The consequences of such an incident are often far-reaching: loss of customer data, loss of competitive advantage, not to mention potential legal problems, notably linked to the protection of personal data.
The figures speak for themselves: 5,000 data sets are stolen or lost every minute worldwide, and 67% of companies have no plan in case of attack. Our moderator, Yohann Perron, set the scene at the start of the event, reminding us how urgent and important it is to equip ourselves against these threats. But how?
We would like to thank three companies active in this field, HDC Légal, ELCA and Pryv, for sharing with us their ideas for concrete solutions.
#1 Legal take-away: What are your obligations under current and future law?
With the General Data Protection Regulation (GDPR) coming into force only a few days ago, it was important to clarify the obligations of Swiss companies. What's more, recent scandals relating specifically to data security don't just concern Facebook, Cambridge Analytica or Equifax. 800,000 Swisscom customers suffered data theft last October, and weren't notified until February 2018. Should Swisscom have notified them sooner? What are the regulations in terms of security and responsiveness in the event of a problem? Neglecting this element can have very negative consequences, both in terms of sanctions and reputation.
David Raedler, doctor of law, lawyer at HDC Légal and vice-president of the Tribunal de Prud'hommes, presented us with the best practices to follow in order to limit the risks involved.
The GDPR is not directly applicable in Switzerland except in the following cases:
- You process the data of European citizens;
- You regularly offer goods or services to European customers;
- You profile people located in the European Union.
Current Swiss law:
According to the general principle of current Swiss law (Art. 7 of the DPA), the protection of personal data extends not only to the company processing the data, but also to subcontractors. David therefore advises you to include appropriate technical and organizational measures in a contract with your subcontractors.
Future Swiss law:
The DPA is currently being revised, with the threefold aim of bringing it into line with European law, improving data security and taking technological developments into account. One of the main changes will be the obligation to report data breaches (to the data controller, the data processor and the data subject), which does not exist under current Swiss law. The revision also encourages working with non-nominative data (pseudonymization) to improve security. The revised DPA (P-LPD) is due to come into force by 2020.
How do you meet these obligations?
- Identify your data processing operations and the media they rely on
- Assess the risks associated with each processing operation
- Implement the planned measures and verify them
- Carry out periodic security audits
4 tips to ensure the security of your data:
- Know your IT environment and secure your systems
- Limit the amount of data you process and pseudonymize it
- Establish a clear internal procedure for reacting immediately to data theft
- Transparency: inform your employees and set clear rules for what they must do
#2 Technical take-away: Data encryption, a compromise between security and usability
How do you secure data while still guaranteeing access to it?
One solution is to encrypt the data so that no nominative data is stored in the clear. This process, referred to as anonymization or pseudonymization, protects sensitive data without restricting its use. Jean-Luc Beuchat, Manager at Swiss IT company ELCA, presented three use cases to illustrate the possibilities.
However, encrypting data is not enough. Jean-Luc recommends that companies appoint a trusted security officer or system administrator, who will authenticate the information, renew the keys and ensure a proper handover when staff change. A real educational effort is also needed to make sure your teams understand how to use these tools.
3 tips for successful data encryption:
- Use standards (algorithms that have been publicly evaluated)
- Understand how to use and manage keys
- Call in the experts
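To make the pseudonymization and key-renewal advice above concrete, here is an added example (not code from ELCA or the talk). It keys the tokens with HMAC-SHA256, a standard construction, and models the trusted officer as a hypothetical `Custodian` that alone holds the key and the token-to-identity table; the sample records are constructed placeholders.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; names and e-mails are placeholders, not real people.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.test", "session": "physio-01"},
    {"name": "Bob Example", "email": "bob@example.test", "session": "physio-02"},
]
IDENTIFYING_FIELDS = ("name", "email")

def pseudonym(value: str, key: bytes) -> str:
    # HMAC-SHA256 (an evaluated standard) gives a deterministic token, so records
    # stay linkable for key holders; an unkeyed hash could be reversed by hashing
    # a list of likely names or e-mail addresses.
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()[:20]

def pseudonymize(record: dict, key: bytes) -> dict:
    # Replace identifying fields with tokens; business fields stay as they are.
    return {k: pseudonym(v, key) if k in IDENTIFYING_FIELDS else v for k, v in record.items()}

class Custodian:
    """Hypothetical role of the trusted security officer: holds the key and the
    only token -> identity table, and renews the key on a change of staff."""

    def __init__(self) -> None:
        self.key = secrets.token_bytes(32)
        self.vault: dict = {}  # token -> clear value; access-restricted in practice

    def issue(self, records: list) -> list:
        # Store only tokens in the working dataset; clear values go to the vault.
        out = []
        for r in records:
            for f in IDENTIFYING_FIELDS:
                self.vault[pseudonym(r[f], self.key)] = r[f]
            out.append(pseudonymize(r, self.key))
        return out

    def renew_key(self, dataset: list) -> list:
        # Re-key the vault and rewrite the dataset's tokens: copies issued under
        # the old key can no longer be joined to data issued under the new one.
        new_key = secrets.token_bytes(32)
        remap = {old: pseudonym(clear, new_key) for old, clear in self.vault.items()}
        self.vault = {remap[old]: clear for old, clear in self.vault.items()}
        self.key = new_key
        return [{k: remap.get(v, v) if k in IDENTIFYING_FIELDS else v
                 for k, v in r.items()} for r in dataset]

    def reidentify(self, token: str) -> str:
        return self.vault[token]  # only the custodian can restore the identity
```

Analysts work on the output of `issue()` and never see the vault; a departing officer's handover is simply `renew_key()` under the successor's control.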
#3 Compliance take-away: How can confidentiality guarantee the availability of compliant personal data for business use?
Personal data is giving rise to a new economy, as Pryv co-founder and CBDO Evelina Georgieva explained. The emergence of personalized services and products highlights the value that personal data brings to businesses and individuals alike. The benefits for companies using applications based on personal data are estimated at 330 billion euros a year by 2020.
As a result, accessing and securing personal data has become critical. Managing privacy and consent are must-haves, but they don't have to be restrictive. On the contrary, privacy can be a source of new opportunities for your company, such as developing personalized services and reinforcing your image with your customers. Guaranteeing digital trust will give you a real competitive edge.
Swiss company Pryv presented an innovative solution that enables companies to manage personal data with full respect for its confidentiality. It is designed to meet the growing demands of customers and regulators for more transparent and reliable management of personal data. Kinntek, a Swiss HealthTech pioneer, has already integrated this privacy software to market its digital physiotherapy solution with advanced privacy-preserving capabilities. The Swiss deep-tech solution protects personal data from the moment it is created and throughout its use, sharing and portability. This helps guide your company's decisions to ensure compliance throughout the lifecycle of projects, services and innovations.
4 tips to ensure your compliance:
- Understand the legal landscape
- Secure the data you hold
- Guarantee transparency to increase trust
- Know your customers' needs to develop better offers
USEFUL LINKS
Presentations by our speakers:
- "Security breach and data protection: what are your obligations under current and future law?" - David Raedler, HDC Legal
- "Data encryption: an example of compromise between security and usability" - Jean-Luc Beuchat, ELCA
- "How Privacy can secure compliant personal data availability for business usage?" - Evelina Georgieva, Pryv
Resource guides:
- Review of Cyber Hygiene practices - ENISA (European Union Agency for Network and Information Security)
- Implementation guide for SMEs - CIS Controls (Center for Internet Security)
- Guide des bonnes pratiques de l'informatique - 12 essential rules to secure your IT equipment - CPME (Confédération de PME) - ANSSI (Agence Nationale de la Sécurité des Systèmes d'Information)