What Is It?  What Do We Need To Know?  What Should We Do?

If you don’t know what the GDPR is, and if you’re not ready for it, you’re going to get caught short because this is a legal deadline and it’s coming up fast. The General Data Protection Regulation goes into effect May 25, 2018.  It’s a privacy law that the European Union is enforcing to protect the personal data businesses collect. Even if your business is outside of the EU, you must comply.

What is the GDPR?

The GDPR affects all internet business worldwide. It’s a very complex law, so we can’t explain everything here. We’ve provided some resources below that you should check out.  Keep in mind that there are many gray areas where this law is concerned. So, you should do some research to determine how the law affects your organization’s unique situation.

The GDPR is an internet privacy law. All businesses, small or large, and even entrepreneurs who do business on the Internet with consumers located in the European Union need to be aware of how the law affects them.

It doesn’t matter if your company is inside the EU, or anywhere else in the world– If you do business with anyone in the following countries, you must comply with this new law by May 25th:

1. Austria
2. Belgium
3. Bulgaria
4. Croatia
5. Cyprus
6. Czech Republic
7. Denmark
8. Estonia
9. Finland
10. France
11. Germany
12. Greece
13. Hungary
14. Ireland
15. Italy
16. Latvia
17. Lithuania
18. Luxembourg
19. Malta
20. Netherlands
21. Poland
22. Portugal
23. Romania
24. Slovakia
25. Slovenia
26. Spain
27. Sweden
28. United Kingdom

The GDPR is a consumer data protection law. It ensures that individuals can:

• Access their personal data.
• Export their personal data.
• Correct errors to their personal data.
• Object to the processing of their personal data.
• Erase their personal data.

The GDPR applies to the acquisition, processing, and storage of personal data – from initial gathering to final deletion of this data and every point in between. It applies specifically to personal data and anything that pertains to identifiable data such as:

• Names
• Email Addresses
• Physical Addresses
• Phone Numbers
• Birthdate
• Age
• Sex
• Race
• ID Numbers
• Nationality
• Citizenship
• Marital Status
• Family Data
• Health Data
• Physical Characteristics
• Profile Pictures
• Occupation
• Employment History
• Income
• IP Addresses
• Cookies
• (and more)

This could be information you collect automatically from Google, an opt-in, or other collection method online – anything that would identify an individual.

How Will The GDPR Affect My Business?

If your business has a website or an email list, you may be affected.

The GDPR affects any business relationship or transaction whether commercial or free where one or more of the entities are in the European Union. It’s not based on citizenship, rather location.  Any business within the EU must comply with the GDPR across its entire audience. If your business is in any of the 28 European Union Member States, you must comply with the law if you conduct a transaction with anyone located anywhere. If your business is located in the U.S. and you collect data about any business or person in the EU, you must comply with the GDPR.

How Should We Prepare For The GDPR?

There are three requirements you must meet before May 25th.

Controls and Notifications

• Protect personal data using appropriate security.
• Notify authorities of personal data breaches.
• Obtain appropriate consents for processing data.
• Keep records detailing data processing.

Transparent Policies

• Provide clear notice of data collection.
• Outline processing purposes and use cases.
• Define data retention and deletion policies.

IT and Training

• Train privacy personnel and employees.
• Audit and update data policies.
• Employ a Data Protection Officer (if required).
• Create and manage compliant vendor contracts.

Some Examples

Before the GDPR:

Let’s say you offer a whitepaper or free video to people online. Before the GDPR, your prospect provided their information, you gave them the freebie, and the consent was assumed because they accepted your gift.  Pretty easy, right?

After the GDPR:

You can no longer assume that their consent is given if they accept your gift. Now you must specifically obtain their consent. It must be given freely, specifically, and be unambiguous. Nor can you require them to give their consent to receive the gift.

Note: This new standard applies to all of your existing lists. Beginning May 25th, you can no longer send marketing emails to anyone who hasn’t given their precise consent for you to keep their personal information.  Plus, you cannot go back and ask them for their consent. You’ll need a stand-alone system to do this.

What Can We Do To Comply With These Strict Rules?

This is important. You must do this BEFORE May 25, 2018.

Compliance/Preservation

Step 1. Segment your email mailing lists into two parts.

• Non-EU subscribers
• EU-based subscribers and any unknowns

You want to continue to build goodwill with your Non-EU contacts so reach out to them as you would have before.  The EU-based and unknowns you’ll need to re-engage with. Here’s what we mean:

Step 2. Reengage EU-based and Unknowns.

• Before emailing them, add additional value and content to your website.
• Then send them a link to your website and request their specific consent to keep their personal information.
• Set up a system to migrate those who give consent over to it.
• On May 24, 2018, you must delete anyone in this group who hasn’t consented.

Remember, storing and deleting their information is considered processing. That’s why you must do this BEFORE May 25th.

Breach Notification Requirements

The 2018 GDPR replaces the old Data Protection Directive of 1995. The most recent GDPR breach notification requirement was enacted in April 2016.  It set a higher compliance standard for data inventory, and a defined risk management process and mandatory notification to data protection authorities.

Breach notification is a huge endeavor and requires involvement from everyone inside an organization. In-house tech support and outsourced Technology Service Providers should have acquired a good understanding of the consequences a data breach causes and the data breach notification requirements for their organization.  They must be prepared in advance to respond to security incidents.

The Following Are Additional Steps You Should Take To Prepare Your Technology Before May 25th  

Your Technology Solutions Provider Can Help

• Perform a through inventory of your personally identifiable information, where it’s stored–in onsite storage or in the Cloud. And determine in what geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
• Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
• Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
• Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for any-sized organization. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.”  This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
• Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your TSP makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.

Resources To Check Out For More Information

The European Commission’s website regarding the GDPR:

https://ec.europa.eu/info/law/law-topic/data-protection

Wikipedia

General Data Protection Regulation

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Information from the service vendors you use:

• Mail Chimp
• Salesforce
• Google
• Microsoft

These and other services have GDPR-centric webpages with helpful information that impacts your relationship with them, how they handle processing, and how they can help you comply with the new regulations

PowerPoint is an amazing, multi-faceted software program from Microsoft that allows users to create professional-looking slideshows. These presentations have evolved from being a novelty to an essential part of everyday business around the world. The slideshow format makes it easy to tell a story that can be shown on a projector or TV. This program is used for small groups, large audiences, or even families wanting to show off their vacation photos.

This type of presentation offers so much and can be completed by even a novice. When the audience has visual and auditory elements, it’s much easier to get your point across while holding everyone’s attention. Often a PowerPoint demonstration is recorded so it can be viewed just like a YouTube video.

What’s new for 2016?

For 2016, Microsoft has integrated many helpful changes into all of its Office 365 programs, including PowerPoint. The great thing about Microsoft is that they carry over their product features from one Office 365 program to another. This means that if you’re already familiar with Word, you’ll have no trouble working in PowerPoint. The program uses the same menus and commands for common tasks like formatting text and adding pictures.

Available for any device

Office is now available on any device so you can work on your new PowerPoint demonstration from your smartphone, tablet computer, PC or Mac. If you want to collaborate on a project, then save it to OneDrive so that others can access the file and make their own changes or add new content. PowerPoint demos are always saved as a .ppt file, which is easy to open using any version of Office. You can give collaborators viewing or editing privileges.

Available in any language

Another helpful thing about PowerPoint is that it is used worldwide and available in many languages. This makes it easy to create a new slideshow in French, Italian, German, and many other languages. You may want to create a spectacular slideshow for your team in Italy or you may have teams in several countries. It’s easy to produce a stunning PowerPoint display in just about any language that can be shared across various devices.

What are PowerPoint Presentations used for?

Users find various ingenious ways to give any project a distinct flavor of its own. There are so many uses for PowerPoint that it’s hard to name them all, but below are just a few:

• Product launch
• Marketing plans & strategies
• Business plans
• Trade shows
• Club meetings
• Classrooms
• Quarterly-earnings presentation
• Employee training
• Sales meeting
• Family tree
• Public appearance
• Photo slideshows

How to begin

As you can see, there are endless ways to use PowerPoint to get your point across, entertain or make a boring presentation much more interesting. Begin by choosing a style. Remember that you can go back and change this at any time. Nothing is set in stone with Microsoft products because they’re versatile and user-friendly.

Begin by opening PowerPoint and selecting New>Blank Presentation to create a slideshow from scratch. Next, select your template or design. Templates and Themes offer you a wide selection of attractive colors, designs, and layouts. Double-click on one and the first page of the theme will open. You can add text and pictures to each slide. Also, add or remove text boxes simply by clicking on them and then choosing Delete. If you need inspiration, then select “Take a Tour” and the program will give you a brief explanation of how it works.

Once you’ve completed work on each frame, you can add exciting features like animation and transitions. If these two functions seem confusing, find a how-to video to get simple instructions or ideas. With all the various choices and features in PowerPoint 2016, it’s easier than ever to create a professional slideshow that will wow your audience.

Working with Templates

The program itself offers a number of exciting templates for any type of presentation, but you can also go online and choose from thousands of templates and themes. Once you’ve chosen a design, it’s time to add some text. Most people start at the beginning, so a title is often found on the first slide. Simply click on the top text box on the first slide, then start typing. If you want to change the font size, type, or color, highlight it first. Next, go up to the Home tab and sort through the many font styles there. This procedure is exactly the same as that for changing formatting options in Word.

After you get your first slide perfect, you can add notes at the very bottom. Notes will not show up on the presentation. Instead, they’re used to help the presenter create their audio dialog. If you aren’t ready to create your notes, simply skip this step and go back to it later. When you’re ready to add a new slide, it’s easy to do. Right-click in the left column that shows the thumbnails of your slides. You can also go to the Home tab and choose New Slide.

Using the home tab allows you to make a few choices when adding the next slide. You can select the slide format that works best for you, from content only to a mixture of content and pictures. If you aren’t sure or don’t have the right elements to create this slide, simply choose the blank slide and move on. It can act as a placeholder until you’re ready.

Adding media and other elements

Many of the slide layouts include small icons that make it simple to add a chart, table, picture, video, or smart graphics. Clicking on one of these icons will open the appropriate element, such as a table or chart properties. Remember that if you don’t like what you created, simply click on it and press delete or backspace to remove the item. PowerPoint allows you to get as creative as you like or collaborate on your slideshow with someone else. You may have someone in your office who does all the charts and graphs for a given project.

Notice that when an area with media in it is highlighted, the “Drawing Tools” are available. These tools work exactly as those found in Word. Choices such as changing the text fill, outline and effects are shown on this tool bar. You can rotate a box of text or pics. You can also group or align objects in the text box.

Making Changes

As mentioned above, it’s easy to make changes to a slideshow. If you want to change the text, then click in the box containing that text so that it’s highlighted. On each frame, you can have more than one text box. This is helpful because you might want a completely different look for your heading as your sub-heading. Once the text is highlighted, you can make whatever changes you like and they take affect instantly. You can change the color, size, style, and add elements like bolding or italics.

Sharing Projects

If you want to share your project, send co-workers a link to the PowerPoint file. You can give each collaborator either viewing or editing permissions. Comments on the presentation are visible to everyone. Your team can make whatever changes they like and return the project to you with a newly saved title. Each iteration requires its own unique file name. So that there’s no confusion on which is the current rendition, it can be helpful to save the project by name and date.

Presenting your PowerPoint to an audience

In Presenter View, the announcer has access to their notes, as well as the current and next frame. To begin your slideshow, simply set it up with the monitor or TV you’re going to use, then go to Slideshow>From beginning. This action will start the presentation. Watch how each frame is shown and then dismissed.

If you have set up Transitions, then each new frame will use motion effects to move through the slides. Frames will appear and disappear according to the transition type you have set up. For advanced users, Microsoft has developed a method of applying and customizing slide transitions so that your PowerPoint is clean and professional-looking, but unique from all the others.

PowerPoint is an excellent tool in today’s business world that brings every story to life.

Compliance Manager

Introduced by Microsoft, Compliance Manager is a data tracking system designed to ensure companies adhere to General Data Protection Regulations (GDPR). Organizations can sign up for paid Compliance Manager or subscribe to a free Compliance Manager via Microsoft tools such as Microsoft Azure, Dynamic 365 or Microsoft Cloud Services. Microsoft recently released the long-awaited office 365 GDPR Compliance Manager with a few upgrades. Professionals are eagerly trying it out and giving their opinions about this exciting new product. The compliance management tool is expected to attain general availability on different platforms in the course of 2018. Here’s a sneak peek at the basic attributes of this highly anticipated GDPR data protection compliance tool.

Relevance of the new Office 365 GDPR Compliance Manager

Microsoft finally unveiled their much-awaited General Data Protection Regulation program that experts have been so excited about. Shortly after, they announced its features in a blog post and details of the new features to help users get started. Most users do look forward to new office products, but this one has been designed to make compliance to the new GDPR regulations much easier. That makes it a valuable tool that every business needs. Most business owners confess that they don’t know enough about the new GDPR rules and they are not ready for the May 25 deadline.

One key attribute of the new Office 365 is that it will include the compliance manager which was first previewed in November 2017. To date, the compliance manager is available on Azure, Dynamics 365, and Office 365 Business. Plans are also underway to have it available for Enterprise Customers via public clouds in the near future.

So what’s all the fuss about the new Office 365 GDPR Compliance Manager?

Customers have complained about difficult-to-understand compliance challenges and the GDPR is admittedly a complex document. Microsoft has attempted to take some of the complexity and mystery out of these regulations so that business owners can comply without having to hire outside help.

The most common challenge has been the lack of in-house employees who understand how to prepare and fulfill these new regulations. Office 365 GDPR Compliance Manager is tailored to ensure end-to-end regulation compliance. It also effectively empowers your business to manage the three key components of compliance. As your business uses this product, it will continuously provide you with a risk assessment and score that can alert you if you aren’t in full compliance in some areas.

Advanced GDPR Compliance

Microsoft’s Compliance Manager was developed to track an organization’s IT systems in specific regard to the requirements of international standards for data protection. One major issue has been that many company owners have simply not taken steps to be ready for the May 25 deadline, when all web sites who do business with European companies must adhere to EU’s General Data Protection Regulation (GDPR).

To help with this problem, Microsoft has unveiled a special GDPR template which will effectively detect and categorize personal information in your data base relevant to GDPR. This is important because many companies are still somewhat careless with their customer’s personal data. According to GDPR, companies failing to provide adequate protection for customer data could face penalties of up to €20 million.

The Compliance Manager has two features that customers will use to scan and assess data risk:

1. Compliance Score- Users are now able to assess data risk on an interactive dashboard on the new Microsoft 365 GDPR.
2. Azure Information Protection Scanner- This feature identifies, classifies, labels and effectively protects both on-premises and hybrid user data. It periodically scans sensitive data on emails and attachments based on the organization’s policies.

New Admin Role of Compliance Manager

Along with these two outstanding updates to Microsoft Compliance Manager is a unified labelling tweak on the admin dashboard. Microsoft cited protection of documents as the main reason for unified labeling, which it denotes as information protection administration. In the past, security admins and global admins could access the systems as separate entities to the Azure data protection service. With the new Compliance Manager, the option of additional management access permission is missing on the Azure portal and PowerShell unifying security and global admin roles.

With this new set up, the compliance manager ensures consistency in the labeling of information for easy protection of data records. However, the unified admin labeling role is still on a preview phase. At the moment, it allows the admin to apply a data protection setting which differentiates security functions from general global admin functions on a single interface in line with GDPR. Microsoft’s compliance manager is now available for customers on a paid program and or a trial option for users of Microsoft cloud services.

The Future of Data Compliance

The number of customers and companies worried about cyber theft is growing. Consequently, there’s a rising need for tools that can help protect customer data. The GDPR attempts to do this. As long as data stays scattered across an organization’s systems, there’s a greater risk that it will be stolen or compromised in some way. Compliance with GDPR guidelines seeks to eliminate many of these risks. Though it will constitute a huge challenge for most website owners, the alternative is unacceptable. Hopefully, the new Office 365 GDPR Compliance Manager can take some of the confusion and apprehension out of the equation.

This Ransomware Survival Guide will help your employees master the skills to prevent downloading or linking to malicious ransomware threats.

It will help them recognize phishing emails, malicious links and what to do when they find them. It will help you protect your organization and:

• Prevent ransomware attacks.
• Ensure your employees can continue working after an attack.
• Store your data securely, so it’s safeguarded from ransomware threats.

You’ve surely seen the results of ransomware attacks in the news. These attacks are escalating, sophisticated and often successful. Ransomware attacks are increasing, and so are the ransoms to recover your data and get your network back up and running.

“Ransomware is the fastest growing malware threat, targeting users of all types—from the home user to the corporate network. On average, more than 4,000 ransomware attacks have occurred daily since January 1, 2016. This is a 300-percent increase over the approximately 1,000 attacks per day seen in 2015. There are very effective prevention and response actions that can significantly mitigate the risk posed to your organization.”⁵

If you think your small or mid-sized business won’t be attacked, you’re wrong. Hackers target organizations like yours because most aren’t armed to defend against ransomware attacks. It’s essential that you and your employees are educated and prepared to prevent becoming a victim of ransomware attack.

This Ransomware Survival Guide will arm you with the facts you need to defend against an attack.

Topics

• WHAT IS RANSOMWARE?
• TYPES OF RANSOMWARE
• HOW RANSOMWARE IS DELIVERED
• WHAT TO DO IF YOUR FILES ARE ENCRYPTED
• HOW TO PROTECT YOUR BUSINESS FROM A RANSOMWARE ATTACK
• THE RIGHT KIND OF BACKUP SOLUTION – HOW TO PROTECT YOUR DATA
• WHAT ELSE YOU CAN DO TO DEFEND AGAINST A RANSOMWARE ATTACK
• ADDITIONAL TECHNICAL DEFENSES YOUR MSP CAN DEPLOY

WHAT IS RANSOMWARE?

Ransomware comes in many different forms. It’s a type of malware that prohibits access to your computer devices unless you pay a ransom. Ransomware malware encrypts your data so you can’t use it. Once it does, it can travel throughout your network and encrypt other mapped and unmapped drives and bring your organization’s productivity to a halt.

You’ll know that ransomware has entered your computer because the hackers display a screen or webpage explaining how much you should pay to unlock your files (the ransom payment). These typically run in the $300-$500 range, but today some organizations are paying upwards of $1,000 per computer.

To avoid being caught by the FBI, the criminals demand that you pay the ransom with a form of cryptocurrency like Bitcoin. Once your payment is verified, the hackers may send you decryption software to unlock your files. (Sometimes they don’t.)

With over 2,900 new forms of malware being reported, it’s hard to keep up with them all.  The FBI urges business owners and individuals not to pay the ransom. However, if you do decide to pay, there is a chance that you still will not get your files back. ⁴

According to the FBI, businesses paid “more than $209 million in ransom payments” in the first three months of 2016 compared to $25 million in all of 2015.” ³ And they’ve established a pattern of attacking not only businesses (large and small) but:

• Hospitals
• Police stations
• Schools

TYPES OF RANSOMWARE

Encrypting Ransomware

This is the most common type of ransomware. It encrypts your files and demands payment, typically in the form of Bitcoin to send you a decryption key.

Leakware (also called Doxware)

This is an upgraded version of encryption ransomware where the criminal threatens to release your confidential data on the web. This has the potential to create financial and data loss, and expose your trade secrets, source codes, and other confidential information. It typically causes reputational damage.

Mobile Ransomware

Ransomware is no longer constrained to desktop computers. Mobile ransomware is malware that steals sensitive data or locks a mobile device permanently and then demands payment before unlocking it. The incidence of mobile ransomware is increasing rapidly.

Wiper

This is a new form of ransomware that encrypts your system and completely deletes all of your data. Its motive is to erase your data, but it will still display a message asking for a ransom payment.  NotPetya, first discovered in 2016, was wiper ransomware.

Locky

If your computers are infected by Locky, it will rename all of your important files and prevent you from opening them.  It does this by encrypting files with the extension locky. You must purchase the decryption key to retrieve your files. To do this, you have to go to the Dark Web and pay $400+ in Bitcoin.

Cryptolocker

CryptoLocker infects computers that run Microsoft Windows. Like other forms of ransomware, you must pay the hackers to decrypt and recover your files.  CryptoLocker spreads via fake phishing emails designed to mimic the look of those from legitimate businesses.

Cerber

This ransomware encrypts your files using Advanced Encryption Standard (AES) encryption. It demands a ransom of .059 Bitcoins (worth $500) and communicates via a text-to-speech voice message, a recording, a web page, or a plain text document. You can’t decrypt files unless you pay the ransom.

Ransom32

Ransom32 is a “ransomware-as-a-service” that lets criminals create their own type of ransomware.  It uses JavaScript and can target computers that run Windows, Mac OS X, and Linux.

FakeBsod

FakeBsod locks your web browser.  It tells you to go to a particular webpage (that contains the ransomware). The message says to “contact Microsoft technicians” about an “Error 333 Registry Failure of the operating system – Host: Blue screen Error 0x0000000CE”. When you call the phone number, you’ll be asked to pay a fee to fix the problem.

Non-Encrypting Ransomware

This type of ransomware doesn’t encrypt files. Instead, it blocks access to them and shows frustrating messages when you attempt to access them.

Here’s what the FBI tells us about ransomware: “The FBI and our federal, international, and private sector partners have taken proactive steps to neutralize some of the more significant ransomware scams through law enforcement actions against major botnets that facilitated the distribution and operation of ransomware.” ¹

The FBI wants you to contact them if you’ve been victimized by ransomware or other forms of cyber fraud. You can do this via the FBI’s Internet Crime Complaint Center.

HOW RANSOMWARE IS DELIVERED

Hackers primarily use the following attack vectors to infect computers: phishing emails, unpatched programs, compromised websites, poisoned online advertising and free software downloads. The infection begins when you or one of your employees opens an email attachment that contains ransomware. Once they do, the malicious virus automatically installs itself on the computer and encrypts all the files.  If the computer is linked to others on your network, additional computers can be infected as well.

Phishing Emails

People are the weakest link in security because we’re trusting by nature. Cybercriminals send emails disguised as legitimate messages, hoping to entice the user to open an infected attachment or click a link that takes them to an infected website. Known as phishing, this tactic is highly effective. According to the Verizon 2017 Data Breach Investigation Report, phishing attacks continue to rise and 43% of all breaches they studied utilized phishing.⁶

Opening a phishing email isn’t enough to get a user infected with ransomware. Users must open the infected attachment or click the link that takes them to a compromised website.

This is the most common scenario. You’ll receive a realistic-looking email with a link or attachment that contains the ransomware. Hackers will often send a number of these links or attachments to hide the one with the malware. Once it’s clicked, the malicious software loads itself and the ransomware infection spreads throughout your files, locking them until you pay the ransom.

Drive-by-Downloads

If you unknowingly visit a realistic-looking website containing ransomware, it can load itself onto your computer. If you use an old browser, out-of-date software, or third-party applications, you’ll be more vulnerable. A hacker can detect a vulnerability and exploit it.

When a software vendor discovers this, they’ll release a patch to repair the issue, but by this time the criminal has already done their dirty work. Examples include unpatched versions of Adobe Flash, a bug in Java, an old web browser, or an unpatched operating system. Cybercriminals can automatically install ransomware when compromised websites are visited.

Free Software  

Many people download free software.  Some forms are legitimate, but others contain ransomware.  They are especially prominent in broken versions of expensive games, free games, porn content, screensavers, or bogus software. By convincing the user that they should download the software, hackers can get past firewalls and email filters. You might not even know that they’ve done this until the ransomware activates weeks later.

WHAT TO DO IF YOUR FILES ARE ENCRYPTED

Tell your employees to let you know if they experience the following:   

• They can’t open their files, or they get error messages saying a file is corrupted or contains the wrong extension.
• A window pops up with a ransomware program that they can’t close. This window may contain a message about paying a ransom to unlock files.
• A message says that a countdown has started for a ransom to decrypt files and that it will increase over time.
• They see files in their directories with names like “How to decrypt files.txt or decrypt_instructions.html.”

If you believe one or more computers has been infected, try these:

• Unplug the infected computer from your network. You may also need to turn off all network access for all your computers until you know the virus is contained.
• Set your Basic Input Output System (BIOS) time back if the ransomware has started a countdown. This will hopefully give you more time to recover your critical files and try to eliminate the malware. You can access your BIOS time through the BIOS Setup Utility on your computer.
• Restore your files from your last backup. This is why it’s important to regularly backup your files to an enterprise-cloud solution. Make sure your most recent backup wasn’t infected.
• You can use a disaster recovery as a service (DRaaS)

HOW TO PROTECT YOUR BUSINESS FROM A RANSOMWARE ATTACK

One of the most important things you can do is to have your IT Managed Services Provider deploy remote monitoring of your IT environment and implement a business continuity plan (BCP) and Disaster Recovery Plan (DR) in advance of an attack. Cybersecurity is all about your IT defense controls. If you can detect and block a potential infection, this is always the best defense. If you are infected, you’ll be able to continue working if you have a proper BCP in effect.

Make sure your most recent backup wasn’t infected. If you use a disaster recovery as a service (DRaaS) solution, you can do this. You can quickly “spin up” the DR image on your computer in a self-contained virtual machine (VM), so you can inspect the DR image without exposing it to your entire network.

As mentioned previously, alert the FBI.  Don’t pay the ransom. This is a mistake because you still may not get your files back and the criminals may continue to extort money from you.  

THE RIGHT KIND OF BACKUP SOLUTION – HOW TO PROTECT YOUR DATA

As mentioned above, you’ll need this if your computer files get infected with ransomware or other forms of malware. Not all backup solutions are the same, especially when it comes to ransomware.

Your business requires an enterprise-grade version of a cloud backup solution. The limits of consumer backup solutions will reduce your ability to recover from a ransomware attack.  

Many consumer-grade backup solutions save a limited history of files. When your files get infected, you’ll only have a recent backup that is probably infected as well.  So, you won’t be able to restore your files.

The right enterprise-grade cloud backup solution will copy a complete version history of your data. Because you might not know that your files are infected until possibly weeks later, you can go back to a version before the infection occurred and restore your files if you use an enterprise-grade cloud solution.

Talk to your IT Managed Services Provider about this. They can help you use the cloud backup solution that’s best for your business.     

WHAT ELSE YOU CAN DO TO DEFEND AGAINST A RANSOMWARE ATTACK 

The good news is that there are best practices you can adopt to protect your business. Your IT Managed Services Provider can help you with these.

1. Implement an awareness and training program. Because end users are targets, employees should be aware of the threat of ransomware and how it is delivered.
2. Enable strong spam filters to prevent phishing emails (an attempt to obtain sensitive information electronically) from reaching employees and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
3. Scan all incoming and outgoing emails to detect threats and filter executable files (used to perform computer functions) from reaching employees.
4. Configure firewalls to block access to known malicious IP addresses.
5. Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
6. Set anti-virus and anti-malware programs to conduct regular scans automatically.
7. Manage the use of privileged accounts based on the principle of least privilege: no employees should be assigned administrative access unless absolutely needed and those with a need for administrator accounts should only use them when necessary.
8. Configure access controls—including file, directory, and network share permissions with least privilege in mind. If an employee only needs to read specific files, the employee should not have write access to those files, directories, or shares.
9. Disable macro scripts (toolbar buttons and keyboard shortcut) from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
10. Implement Software Restriction Policies (SRP)s or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs including the AppData/LocalAppData folder.
11. Consider disabling Remote Desktop Protocol (RDP) if it is not being used.
12. Use application whitelisting, which only allows systems to execute programs known and permitted by security policies.
13. Execute operating system environments or specific programs in a virtualized environment.
14. Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units. ²

Your IT MSP Can Provide Security Awareness Training for Your Employees.

Even if you use all the right technology solutions to safeguard your business data, your employees can still click on malicious links or visit websites containing ransomware.  Cybersecurity Awareness Training should be conducted regularly as ransomware changes and is a moving target. All new employees should undergo this training, and it should be repeated once a year.

The FBI, U.S. Computer Emergency Readiness Team, and the Federal Financial Institutions Examination Council have put out guidance and best practices on how to help protect your systems from this growing threat.

Some of the basic defenses against ransomware include:

• Educating all staff on the risks and how to use email and the web safely;
• Making sure to regularly back up critical systems and data;
• Maintaining up-to-date firewalls and anti-malware systems and protections;
• Limiting the ability of users or IT systems to write onto servers or other systems;
• Having a robust patch-management program;
• Using web- and email-protection systems and software; and
• Removing any device suspected of being infected from your systems.

ADDITIONAL TECHNICAL DEFENSES YOUR MSP CAN DEPLOY

Encrypt Your Data

If you have systems where users enter credentials, ensure this data is encrypted.

Multi-Factor Authentication

Require multi-factor authentication for all remote access to sites where your users must log in.

Block Websites

Ask your MSP to block “unrated” sites. This will reduce your exposure to ransomware.

Restrict IP Addresses

Ask your MSP to block outbound traffic that you have no business with, such as hacker-havens in Eastern Europe, Russia, etc.

Threat Detection & Alerts  

Have a system for early detection and confirmation. In today’s threat environment, signature-based detection is not enough. Organizations that employ detection tactics experience improved speed and accuracy of response to ransomware threats.

Restrict Dangerous Software

Employ software “whitelisting” policies to block execution from suspicious \ProgramData and \Users.

Make Sure System Restoration Solutions Are Available Offline. This includes your backup software and license keys. Your MSP should refresh your backup tools every quarter.

Test Data Restores Offsite Every 3 Months. Make sure you can restore your systems from scratch.

Ask Your MSP To Make Sure Monitoring And Alerting Solutions Are Working.  Log the right events on your perimeter devices, as well as on all your servers. This way your MSP will have the information you need to respond effectively.

Conduct Regular Penetration Tests.  This is performed by simulating malicious ransomware and other attacks from your organization’s internal and external users.

The increased incidence and rapid evolution of ransomware have raised concerns and stakes for both small and large businesses. Of everything we’ve discussed here, the two most important things to do to protect your business are to use a solid, enterprise-grade cloud backup solution and to provide professional Security Awareness Training for your employees.

In any case, your IT Managed Services Provider is your best friend. They’ll help you fight and prevent ransomware and cybercrime of all kinds. Don’t wait to contact them.

References:

1. https://www.fbi.gov/news/stories/ransomware-on-the-rise
2. https://www.sba.gov/blogs/14-tips-protect-your-business-ransomware-attacks
3. https://www.ncua.gov/newsroom/Pages/ncua-report/2016/october/ransomware-serious-growing-threat.aspx
4. https://www.fbi.gov/audio-repository/news-podcasts-thisweek-ransomware-on-the-rise.mp3/view
5. https://www.justice.gov/criminal-ccips/file/872771/download
6. https://www.verizondigitalmedia.com/blog/2017/07/2017-verizon-data-breach-investigations-report/

With the increase and diversification of consumer goods in the world today, there is a constant need for more manufacturing firms. Most manufacturing firms work around the clock and still can’t meet the needs of their customers. These companies play a big role in ensuring that the desires of consumers are met. Because of the urgent nature of manufacturing products, many manufacturers face numerous challenges.

These include:

Evolving consumer needs

Consumer’s tastes and needs are constantly evolving. Consumer needs are affected by factors such as the entertainment industry, the latest fashion trends, the weather, and even the environment in which the consumer lives. Manufacturing firms must constantly be scrambling to meet the ever-changing needs of consumers. This can be a daunting task. For most companies, it’s time-consuming and expensive to change the manufacturing process. Changes in consumer needs can either be systemic or abrupt. While systemic changes are predictable and somewhat easier to deal with, changes which occur abruptly pose the greatest challenge to manufacturing firms. Firms are forced to make unexpected modifications to their products and the process of production.

Technological changes

Like consumer needs, technology is constantly changing. Changes in technology are viewed positively in most circumstances. New technology can make doing certain jobs simpler while improving accuracy. Machines can now do the work of dozens of humans, reducing the number of people employed.

Technology, however, may have adverse effects on businesses in various ways. First of all, with technology comes the risk of cybercrime. Cyber-attacks are a constant threat that manufacturing firms have to be aware of. These attacks can have negative effects on the firm, including revealing their trade secrets or exposing their client list. This, in turn, can result in a loss of revenue and the company may be at a disadvantage in the marketplace.

Another problem associated with technology is the rate at which technology changes. Today, you may have the most modern equipment available, but all that could change with some new invention. Keeping up with changing technology in the world of manufacturing can be an expensive affair. Sometimes equipment can be modified and sometimes it must be replaced. This means that a manufacturing company must constantly be on the outlook for new and advanced technology and must have both the willingness and the money to purchase or upgrade their machinery. This can be costly.

Compliance with rules and regulations

Without a doubt, the manufacturing industry is one of the most regulated industries in any given country. Most governments exercise a lot of power in this area because of the effects that these firms’ products can have on consumers. Some rules and regulations affecting manufacturing firms include taxation, standardization rules, and consumer protection regulations. Manufacturing firms are also required to ensure that their premises are safe for workers. Accidents in large, busy manufacturing plants are common, but they do slow down the workflow. In some cases, the plant can be fined for not following the set human safety standards. Most of the time, compliance with these regulations is costly.

Competition

This has been a common problem for firms since time immemorial. Growth in the number of manufacturing firms is bound to increase competition. Competition in the world today, however, is not the same as in days past. With the fast adoption of the World Wide Web, it has become increasingly easier for competitors to market their products in a global marketplace. Manufacturing firms in China, for example, are extremely hard to beat on their prices and turnaround times. The Chinese do not have wage or safety laws. They can work their people around the clock and many do. Competitors in the United States will have a hard time matching the low prices of Chinese manufacturers. In the US, companies must observe OHSA safety laws and they must pay workers a minimum wage. This has led to most companies going overseas for their products and manufacturing needs.

Lack of adequately skilled personnel

One of the biggest problems faced by employers in the world today is the number of baby boomers attaining retirement age. Upon retiring, baby boomers leave a vacuum in the field, having taken their numerous years of experience with them. People taking over from the baby boomers, on the other hand, are not adequately prepared or skilled enough to fill in the gap left. Firms are thus spending a lot of money training the new workforce.

Inflation

Money is generally hard to come by for most people in the world today. Poor economic policies and poor implementation of sound economic rules has caused a rise in inflation rates over the years. When there is an improvement, it is usually by a rather small margin, which does not make much of an impact in the lives of most people. Manufacturing firms are hard hit by inflation. Firstly, the cost of raw materials that they depend on is likely to rise as a result of inflation. The cost of production, generally, also rises. This means a rise in the cost of the finished product. But because inflation affects everyone, consumers may not have enough money to purchase these higher priced items. Consumers can now surf the web and find cheaper products from all over the world.

Final thoughts

Manufacturing firms play a big role in every country’s economy. They ensure that there is always a supply to meet the growing demand. However, the problems they face each year make their work much more challenging. Juggling all the various components required for success can leave some manufacturers out in the cold.

The government, as well as other stakeholders and interested parties, have emphasized the importance of following the laws and regulations on cyber security. With the ever-growing increase in cyber security threats, these regulations have become imperative.

All organizations, both large and small, must ensure they take the necessary steps to prevent, reduce the risk, and mitigate the effects of cybercrime. The terms ‘risk analysis’ and ‘gap analysis’ are used often when considering appropriate steps to take to ensure cyber security. An analysis of the definition and impact of these terms is therefore important to understand their difference and applicability.

Definitions

It is currently a legal requirement, pursuant to the Health Insurance Portability and Accountability Act (HIPAA) and the accompanying Privacy, Security, and Breach Notification Rules that cover entities and their business associates to protect electronic health information. These institutions are required to put in place appropriate measures to ensure the security of this information.

Risk analysis, as the name suggests, consists of steps taken to analyze the risks that an organization or an industry faces. In terms of cyber security, risk analysis is composed of researching and discovering the risks associated with a particular organization or industry; for instance manufacturing firms. After discovering the specific risks, the person conducting the analysis looks at the level of exposure. In this regard, the person will examine the likelihood of each specific risk affecting the organization and grade them in ascending order, from the most serious threat to the least serious. The aim of risk analysis in this regard is to make users aware of the greatest risks they face. The ultimate goal of risk analysis is to empower organizations at risk to protect themselves from cyber theft with the goal of reducing risks to a reasonable and appropriate level.

Gap analysis, on the other hand, takes place mostly after risk analysis has been conducted.  The aim of gap analysis is to determine the level of preparedness and protection that an organization has in place. This piece of information is then analyzed so as to reveal whether adequate steps have been taken to completely protect these organizations from cyber-crimes. Gap analysis is thus geared towards discovering the shortfalls of the procedures in place. This gives the organization a picture of where they’re at in terms of best practices. They can then take steps to adopt better procedures.

Requirements for risk analysis

Risk analysis, while required by the rules, does not have to be conducted using any specific method. This means that those affected are at liberty to choose whatever techniques they deem appropriate. Whatever the method, risk analysis must consider all the potential dangers that electronically protected health information (ePHIL) might be exposed to.

Entities are required to identify all the locations and information systems where the data to be protected was created, received, maintained and even transmitted. This list takes into consideration the mobile devices, electronic media, and communications equipment. The risk analysis system is also required to identify and to document potential threats and vulnerabilities.

The next step to be taken by the risk analysis is to access the current security measures that have been put in place by the organization. In so doing, the firm is required to document how effective the firm’s current controls are. This is to be followed by an assessment of the current risks facing the firm or the organization. This will enable the entity to gauge which risk is greatest and to what extent the entity is protected against the risk. The firm conducting the risk analysis should then document these findings. This provision is not a requirement under the security rules. However, for future reference, it is important the information obtained from the risk analysis be documented. Finally, the entity should ensure that it conducts frequent periodic reviews and updates.

Conducting gap analysis

Gap analysis is not a requirement under the HIPAA rules. Entities, however, are advised to conduct periodic gap analysis as a follow-up to the risk analysis or at the same time with the risk analysis. Gap analysis, if well conducted, enables the entity to discover the extent to which the protective measures it has undertaken are effective. Having explained the difference between gap analysis and risk analysis, it is important to note that while gap analysis is critical for proper protection, conducting a gap analysis does not satisfy all requirements under the security rules. Organizations are required to conduct a risk analysis, but a gap analysis can provide helpful information.

Final thoughts

In this day and time, an organization can’t be too careful with their data, especially those who hold sensitive health information for patients. The news laws include serious penalties for those who are not careful enough. In addition, patient confidence can be diminished when an organization is careless with handling health records.

A critical skill that an aspiring lawyer must possess is commercial awareness. One particularly important aspect is to demonstrate a comprehensive understanding of the market in which these law firms work. At the end of the day, any firm is just a business like all the others and therefore, it should react similarly to the changes made in the industry.

A law firm should capitalize on new opportunities that pop up while also working on overcoming the obstacles so that it can stay ahead of other law firms. The year 2018 brings about a new set of challenges that law firms should work on if they wish to thrive in this globally competitive sector. Below, we cover three of the major issues that law firms will be facing this year:

Cybersecurity

Cybersecurity is becoming a big issue, and hackers have started to target an increasing number of institutions. For instance, there was a ransomware hack back in 2017 that threatened numerous organizations in more than 150 countries across the globe.

Hackers target law firms since they possess exceptionally confidential and valuable information that hackers can use for monetary purposes. Sensitive information that law firms possess include patents, bank information, trade secrets, and in some cases, government secrets as well. One key task for law firms is to make sure that the client’s data is protected at all times. However, with the increasing number of threats, as well as the complexity of the attacks, security has become a great challenge.

Failure to protect the data adequately can cause two major problems. Firstly, law firms can face claims of negligence and claimants can argue that law firms are negligent about taking care of data. They can also argue that law firms have breached the contract that stated they would carry out services with reasonable care and skillfulness.

Secondly, when looking from an economic and business perspective, it can undermine the reputation of the firm.

The solution to this challenge is to choose only top-of-the-line security. This year, firms should make security their top priority. An attorney must make sure that the firm itself, as well as third-party vendors, adhere to advanced industry standards to guarantee that a secure environment is maintained. They should follow practices such as conducting training with users regarding best security practices, never storing data on personal devices, and multi-factor authentication.

Incorporating technology

Technology also plays a big factor in determining how employees work in law firms. Due to technological advancements, efficiency has increased such that the time lawyers spend on a task is reduced.

While technology that enables lawyers to become more productive has been evolving for a number of years, the underlying problem is that firms usually have many people working for them that may not be well-trained. This failure has led to data breaches and ransomware attacks when employees take certain actions that allow cyber thieves inside. Training for all employees must be ongoing. People get busy and forget, then make careless mistakes. Monthly training sessions can raise awareness.

Though some security solutions promote unrealistic and lofty expectations, simple monthly training has proven to be very effective.  Human error is most often the reason why a law firm’s network is infected with a virus or worm.

The easy solution for this problem is mandatory monthly security training. People can be readily taught exactly what to look for in emails. A security professional can explain how phishing scams work. Better informed employees are far less likely to click on a suspicious link that downloads a deadly ransomware attack.

Helping users accept change

Implementing change is difficult because humans are just naturally resistant to change. Research suggests that 70% of initiatives taken for organizational change do not achieve their target. While there are numerous factors that can be blamed for this failure, employee resistance is the biggest one, contributing to 39%. While change is often not welcome, it is definitely possible. Employees must understand the reason for these changes. They must fully grasp the cost of one single breach.

Employees once resisted new technology as well, but today, people seem to enjoy learning about all the new robotic gadgets being invented. Users of new technology or changes to security should be fully involved from the beginning. The key is to keep it simple. The management is responsible for communicating their expectations and explaining to the staff why the change is critical.

Once employees understand why new security measures have been put in place, they should be fully on-board. After all, if a law firm experiences a huge breach that costs millions, it will affect everyone that works at the firm. Jobs could be lost, along with damage to the firm’s reputation.

Each year brings new challenges with it. Though new technology is often viewed with some trepidation, the end result is that law firms will be able to get more done with fewer resources. This can improve the bottom line and help a firm move ahead of the competition. Whether you’re dealing with new security challenges or a new content management system, face the challenge head-on.

What Is It?  What Do We Need To Know?  What Should We Do?

First step:  Watch our training session on GDPR – Click Here

If you don’t know what the GDPR is, and if you’re not ready for it, you’re going to get caught short because this is a legal deadline and it’s coming up fast. The General Data Protection Regulation goes into effect May 25, 2018.  It’s a privacy law that the European Union is enforcing to protect the personal data businesses collect. Even if your business is outside of the EU, you must comply.

What is the GDPR?

The GDPR affects all internet business worldwide. It’s a very complex law, so we can’t explain everything here. We’ve provided some resources below that you should check out.  Keep in mind that there are many gray areas where this law is concerned. So, you should do some research to determine how the law affects your organization’s unique situation.

The GDPR is an internet privacy law. All businesses, small or large, and even entrepreneurs who do business on the Internet with consumers located in the European Union need to be aware of how the law affects them.

It doesn’t matter if your company is inside the EU, or anywhere else in the world– If you do business with anyone in the following countries, you must comply with this new law by May 25th:

1. Austria
2. Belgium
3. Bulgaria
4. Croatia
5. Cyprus
6. Czech Republic
7. Denmark
8. Estonia
9. Finland
10. France
11. Germany
12. Greece
13. Hungary
14. Ireland
15. Italy
16. Latvia
17. Lithuania
18. Luxembourg
19. Malta
20. Netherlands
21. Poland
22. Portugal
23. Romania
24. Slovakia
25. Slovenia
26. Spain
27. Sweden
28. United Kingdom

The GDPR is a consumer data protection law. It ensures that individuals can:

• Access their personal data.
• Export their personal data.
• Correct errors in their personal data.
• Object to the processing of their personal data.
• Erase their personal data.

The GDPR applies to the acquisition, processing, and storage of personal data – from initial gathering to final deletion of this data and every point in between. It applies specifically to personal data and anything that pertains to identifiable data such as:

• Names
• Email Addresses
• Physical Addresses
• Phone Numbers
• Birthdate
• Age
• Sex
• Race
• ID Numbers
• Nationality
• Citizenship
• Marital Status
• Family Data
• Health Data
• Physical Characteristics
• Profile Pictures
• Occupation
• Employment History
• Income
• IP Addresses
• Cookies
• (and more)

This could be information you collect automatically from Google, an opt-in, or other collection methods online – anything that would identify an individual.

How Will The GDPR Affect My Business?

If your business has a website or an email list, you may be affected.

The GDPR affects any business relationship or transaction whether commercial or free where one or more of the entities are in the European Union. It’s not based on citizenship, rather location.  Any business within the EU must comply with the GDPR across its entire audience. If your business is in any of the 28 European Union Member States, you must comply with the law if you conduct a transaction with anyone located anywhere. If your business is located in the U.S. and you collect data about any business or person in the EU, you must comply with the GDPR.

How Should We Prepare For The GDPR?

There are three requirements you must meet before May 25th.

Controls and Notifications

• Protect personal data using appropriate security.
• Notify authorities of personal data breaches.
• Obtain appropriate consents for processing data.
• Keep records detailing data processing.

Transparent Policies

• Provide clear notice of data collection.
• Outline processing purposes and use cases.
• Define data retention and deletion policies.

IT and Training

• Train privacy personnel and employees.
• Audit and update data policies.
• Employ a Data Protection Officer (if required).
• Create and manage compliant vendor contracts.

Some Examples

Before the GDPR:

Let’s say you offer a whitepaper or free video to people online. Before the GDPR, your prospect provided their information, you gave them the freebie, and the consent was assumed because they accepted your gift.  Pretty easy, right?

After the GDPR:

You can no longer assume that their consent is given if they accept your gift. Now you must specifically obtain their consent. It must be given freely, specifically, and be unambiguous. Nor can you require them to give their consent to receive the gift.

Note: This new standard applies to all of your existing lists. Beginning May 25th, you can no longer send marketing emails to anyone who hasn’t given their precise consent for you to keep their personal information.  Plus, you cannot go back and ask them for their consent. You’ll need a stand-alone system to do this.

What Can We Do To Comply With These Strict Rules?

This is important. You must do this BEFORE May 25, 2018.

Compliance/Preservation

Step 1. Segment your email mailing lists into two parts.

• Non-EU subscribers
• EU-based subscribers and any unknowns

You want to continue to build goodwill with your Non-EU contacts so reach out to them as you would have before.  The EU-based and unknowns you’ll need to re-engage with. Here’s what we mean:

Step 2. Re-engage EU-based and Unknowns.

• Before emailing them, add additional value and content to your website.
• Then send them a link to your website and request their specific consent to keep their personal information.
• Set up a system to migrate those who give consent over to it.
• On May 24, 2018, you must delete anyone in this group who hasn’t consented. 

Remember, storing and deleting their information is considered processing. That’s why you must do this BEFORE May 25th.

Breach Notification Requirements

The 2018 GDPR replaces the old Data Protection Directive of 1995. The most recent GDPR breach notification requirement was enacted in April 2016.  It set a higher compliance standard for data inventory, and a defined risk management process and mandatory notification to data protection authorities.

Breach notification is a huge endeavor and requires involvement from everyone inside an organization. In-house tech support and outsourced Technology Service Providers should have acquired a good understanding of the consequences a data breach causes and the data breach notification requirements for their organization.  They must be prepared in advance to respond to security incidents.

The Following Are Additional Steps You Should Take To Prepare Your Technology Before May 25th  

Your Technology Solutions Provider Can Help

• Perform a thorough inventory of your personally identifiable information, where it’s stored–in onsite storage or in the Cloud. And determine what geographical locations it’s housed. Don’t forget about your databases. PII is often stored in databases.
• Perform a Gap Analysis. This is a process where you compare your organization’s IT performance to the expected requirements. It helps you understand if your technology and other resources are operating effectively. By doing this, your Technology Solution Provider (TSP) can then create an action plan to fill in the gaps. The right TSP will understand the GDPR regulations and how your IT must support your compliance efforts.
• Develop an Action Plan. Your TSP should document a detailed action plan for how to use technology to meet the GDPR if you experience a data breach. This should include individuals’ roles and responsibilities. Conduct tabletop exercises to practice how the plan will work with specific timelines and milestones.
• Ensure data privacy. If you don’t have a Technology Solution Provider, then you need one for this. Data protection is key for any-sized organization. Consumers have the right to have their data erased if they want. This is called “the right to be forgotten.”  This is a concept that was put into practice in the European Union in 2006, and it’s a part of the GDPR. You won’t be able to do this if their data is stolen.
• Be sure to document and monitor everything that you do that’s related to GDPR Compliance. This includes any changes or upgrades that your Tech Company makes to your IT environment. You may need to demonstrate that you’ve done your due diligence when it comes to protecting citizens’ private information and that you practice “defense-in-depth” strategies where you use multiple layers of security controls when it comes to your technology.

Resources To Check Out For More Information

The European Commission’s website regarding the GDPR:

https://ec.europa.eu/info/law/law-topic/data-protection

Wikipedia

General Data Protection Regulation

https://en.wikipedia.org/wiki/General_Data_Protection_Regulation

Information from the service vendors you use:

• Mail Chimp
• Salesforce
• Google
• Microsoft

These and other services have GDPR-centric web pages with helpful information that impacts your relationship with them, how they handle processing, and how they can help you comply with the new regulations.

Get going now. There’s a lot to do before May 25th!