Whilst businesses have been doing everything they can to change and alter their policies in time for the GDPR deadline, there is one main area that is easily overlooked, the area of mobiles. It is important to remember that GDPR is not a one-time implementation, but an evolution of consistently high security standards and mobile devices need to be a part of your ongoing GDPR plan, to ensure complete compliance. To help you achieve this, here, Mike Puglia, Chief Strategy Officer at Kaseya, discusses the top five tips in achieving compliance with your mobile network.
- Conduct a gap analysis and compliance assessment: A gap analysis is a useful way to show exactly where your organisation is already in compliance, revealing existing compliance programme trends within the company as well as highlighting which areas need work and steps that must be taken to ensure complete adherence. The compliance plan will define what is good and working and will also recommend specific improvements.
- Shine a light on shadow IT: Examples of shadow IT include Dropbox, Skype and Evernote, which are applications, systems and hardware that are used by individuals without company support or sanction. They pose significant compliance risks. If an individual is using a system that you don't know about, to store or transfer data that comes under GDPR, this puts the company at risk of a breach. Internal policy should be clearly communicated throughout the organisation, as well as keeping a record of doing so, employees should all be aware that they should not be using these systems without company approval.
- Practise proper patch management: A patch management solution should automatically update servers, remote computers and workstations with software and patches, which can also include operating system fixes. This is a crucial yet challenging task for those that rely on manual IT means, so automation of patch management is a simple, efficient way of ensuring this is carried out correctly.
- Secure mobile devices: Mobile devices are often overlooked in the world of GDPR compliance but in actual fact, they should be as compliant as their desktop counterparts. Applications can have offline functions which means that any data transferred via that app, will also be stored locally on the device which can fall outside of your network's security, breaching your GDPR guidelines and leaving this data at risk. This means that all apps, both supported and shadowed, should be reviewed regularly to minimise risk.
- Decommission devices:
Any type of device that is lost, or stolen, should be decommissioned immediately to prevent anyone else from procuring confidential company data through it. The same policy should apply to equipment belonging to ex-employees, particularly when an employee has been terminated.