Two sets of data breach regulations are looming large for Australian CIOs and IT managers, and the race is on to achieve compliance.
Australia’s mandatory data breach notification laws, the Notifiable Data Breaches (NDB) scheme, came into effect last month, while the European Union’s General Data Protection Regulation (GDPR) applies from 25 May. Both bring strict new rules about how personal data must be managed and what must be done should a breach occur.
For months now, IT teams have been focused on putting in place the infrastructure and policies needed to adhere to these new laws. Data stores have been audited, networks secured, and alert mechanisms put in place to warn of problems as they arise. Many organisations should also have reviewed device passcode settings against their security policy: a minimum length, a mix of letters and digits, a change every set number of days, and a blocklist of common phrases.
To comply with the new Australian laws, organisations must also have methods in place for notifying affected individuals. If a security event compromises personal data and is likely to result in serious harm to the people concerned (an ‘eligible data breach’ under the NDB scheme), the affected individuals and the Office of the Australian Information Commissioner must be notified as soon as practicable.
A gap in the armour
While corporate IT teams have been working hard on ensuring servers and desktop PCs can comply with the regulations, there could still be a pool of devices that has been operating ‘under the radar’.
Usually sitting in departments such as marketing and sales, Apple Mac computers have as much potential to cause compliance headaches as Windows machines, but are often not paid as much attention when it comes to security.
Some devices also enter a corporate IT infrastructure through a Bring Your Own Device (BYOD) program. Executives may opt to use a MacBook or an iPad as part of their daily routine and connect it to centralised applications and databases. Often, the IT department considers such devices outside its remit and so pays little attention to their security status.
As a result, sensitive data such as customer emails and records can end up stored on an unsecured device, or on one that the IT team does not closely manage. The device may be entirely unencrypted, so if it were lost or stolen nothing would stop the data from being read.
Such a scenario could cause big problems for the organisation under the new regulations. A breach of personal customer details through the loss of an unsecured device could have significant reputational and financial implications for the organisation.
Taking a proactive approach
To ensure all Apple devices on which personal customer data could be stored will not cause problems under the new laws, IT teams need to make preparations that cover four important components. These are:
- Enforce encryption: Apple iOS devices encrypt their storage by default and tie the encryption keys to the device passcode, so a device with a passcode set is protected. This is not the case for Macs, where FileVault must be switched on. Do not leave enabling encryption to users, as there is then no way to confirm it was completed or that the stored data is protected; a management tool can enforce FileVault and escrow the recovery key centrally. With all data encrypted, the loss or misplacement of a device is unlikely to amount to a notifiable data breach, because the data cannot be read without the key, which leaves one less thing for the IT department to worry about.
- Patch regularly: This is a basic step in any security strategy, but it becomes particularly important in light of the new regulations. It is unwise to expect users to update their Apple devices promptly, so this should be a responsibility of the IT department. With suitable management tools the process can be automated, and devices that are missing patches can be blocked from the corporate network until they are brought up to date.
- Remote wipes: Another layer of security is the ability of the IT department to remotely wipe Apple devices that go missing, removing the data before it can be misused and rendering the device useless to a thief. A wipe command only takes effect once the device next connects to the network, which is why encryption remains the essential backstop. An alternative is remote locking, a good approach when the user believes there is a strong chance of recovering the device, while still keeping the stored data secure in the meantime.
- Improve reporting: To demonstrate compliance with the new regulations, organisations need the capacity to report on the status of all endpoints and data stores. Tools that automate this process ensure reports are complete and current whenever they are needed.
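As an added example that is not part of the original article, the following shell script shows what the encryption, patching and reporting checks above look like when run against a single Mac. It parses the output of `fdesetup status`, `softwareupdate -l` and `profiles status -type enrollment`, emits one machine-readable line per endpoint for the reporting store, and exits non-zero when any control fails so that a network-access gate can act on the result. The command output formats, the hostnames and the `SAMPLE_*` fixtures are assumptions constructed for this example, not data from the article.

```shell
#!/bin/sh
# Added example (not from the article): per-Mac compliance check covering the
# encryption, patching and reporting items. Assumes the output formats of
# `fdesetup status`, `softwareupdate -l` and `profiles status -type enrollment`
# as seen on macOS 10.13-era systems; SAMPLE_* strings are constructed fixtures.

# Constructed sample outputs (not captured from a real machine).
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'
SAMPLE_SWU_PENDING='Software Update Tool

Finding available software
Software Update found the following new or updated software:
   * macOS 10.13.4 Update-10.13.4
        macOS 10.13.4 Update (10.13.4), 2040000K [recommended] [restart]
   * Safari11.1HighSierraAuto-11.1
        Safari (11.1), 70000K [recommended]'
SAMPLE_SWU_NONE='Software Update Tool

Finding available software
No new software available.'
SAMPLE_PROF_ENROLLED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_PROF_UNMANAGED='Enrolled via DEP: No
MDM enrollment: No'

# filevault_state OUTPUT -> on | off | unknown
filevault_state() {
    case "$1" in
        *'FileVault is On.'*)  echo on ;;
        *'FileVault is Off.'*) echo off ;;
        *)                     echo unknown ;;
    esac
}

# pending_updates OUTPUT -> number of updates listed (each entry starts with "* ")
pending_updates() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*\* ' || true
}

# restart_required OUTPUT -> yes | no  (old "[restart]" and newer "Action: restart" formats)
restart_required() {
    if printf '%s\n' "$1" | grep -qiE '\[restart\]|Action: restart'; then
        echo yes
    else
        echo no
    fi
}

# mdm_enrolled OUTPUT -> yes | no
mdm_enrolled() {
    case "$1" in
        *'MDM enrollment: Yes'*) echo yes ;;
        *)                       echo no ;;
    esac
}

# compliance_record HOST FV_OUT SWU_OUT PROF_OUT
# Prints one CSV line for the reporting store and returns 0 only when every
# control passes, so a caller can gate network access on the exit status.
compliance_record() {
    fv=$(filevault_state "$2")
    pending=$(pending_updates "$3")
    restart=$(restart_required "$3")
    mdm=$(mdm_enrolled "$4")
    status=compliant
    [ "$fv" = on ]       || status=noncompliant
    [ "$pending" -eq 0 ] || status=noncompliant
    [ "$mdm" = yes ]     || status=noncompliant
    printf '%s,filevault=%s,pending_updates=%s,restart_required=%s,mdm=%s,%s\n' \
        "$1" "$fv" "$pending" "$restart" "$mdm" "$status"
    [ "$status" = compliant ]
}

# Stand-alone run: query the local Mac when the tools exist, otherwise report on
# the constructed samples. (softwareupdate -l needs network access to Apple.)
if command -v fdesetup >/dev/null 2>&1; then
    compliance_record "$(hostname)" "$(fdesetup status 2>&1)" \
        "$(softwareupdate -l 2>&1)" "$(profiles status -type enrollment 2>&1)" || :
else
    compliance_record laptop-01 "$SAMPLE_FV_ON"  "$SAMPLE_SWU_NONE"    "$SAMPLE_PROF_ENROLLED"  || :
    compliance_record laptop-02 "$SAMPLE_FV_OFF" "$SAMPLE_SWU_PENDING" "$SAMPLE_PROF_UNMANAGED" || :
fi
```

The script deliberately treats a missing MDM enrolment as a failure, because the remote wipe and lock described above are commands issued by the MDM server and cannot be scripted on the device itself: an unenrolled Mac has no wipe path, whatever its other settings. Collecting one line per endpoint into a central store is what turns these per-device checks into the fleet-wide report the regulations call for.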
By following these steps, the IT department can bring all Apple devices within the organisation to the same security standard as the rest of the infrastructure, and forgotten devices stop being a source of big headaches further down the track.