News
We’re delighted to announce that Gartner has named Sophos a Visionary in the Network Firewall Magic Quadrant for 2019. We believe that this recognition confirms Sophos XG Firewall as one of the best next-generation firewalls on the market.
At Sophos we have been evolving and moving the network firewall space forward:
- Sophos has developed the ultimate cybersecurity ecosystem for management, visibility and protection with Sophos Central cloud management and Synchronized Security.
- We have positively changed the industry with Security Heartbeat and our integration of XG Firewall with Intercept X – providing the ultimate threat visibility, protection and response.
- And we have also been responsive to the emerging needs of businesses as they move their datacenters and application usage to the cloud, providing visibility to cloud application usage and cloud infrastructure protection.
We believe Gartner’s placement of us as a Visionary in the Network Firewall Magic Quadrant for 2019 is a testimony to our continued:
- cloud strategy and product innovation
- responsiveness in addressing top industry challenges
- Synchronized Security and protection capabilities
- strong vision and relentless roadmap execution
- excellent customer experience.
And, we’re just getting started. New innovative breakthroughs in network visibility, protection and performance are coming very soon in XG Firewall v18 which is expected to kick off with an Early Access Program later this month.
To find out what Gartner says about the Enterprise Firewall marketplace, download the complete Magic Quadrant report (registration required).
Artificial Intelligence, User Behaviour Analytics, Zero Trust: these are the buzzwords that currently dominate the security industry. The developments in cyber security technology made over the last few years are incredible, and they are essential to the progression towards a more secure world. A key assumption behind much of this development is that humans are simply a risk that needs to be mitigated by technology. To a certain extent, that is the right approach. However, despite everything we can do from a technology perspective, malicious actors will always exist and people will continue to make innocent mistakes. Technology cannot solve every problem. So how can we effectively mitigate this risk? I believe we should adopt a more positive approach, one in which the aim is to transform humans from a security risk into a security asset. In short: user-driven security.
What do we mean by user-driven security?
User-driven security is a methodology built on understanding how people interact with data, why they make mistakes, and how innocent mistakes and malicious activity can be identified and prevented. Using these insights, businesses can implement a simple strategy: educate users on how to operate more securely, make security policy part of their day-to-day workflow, and use the information provided by users to enhance the cyber security technology the business already has. This process can make businesses both more secure and more efficient.
Why are people seen as a risk?
When you look into the plethora of research available on the reasons behind, and causes of, data loss, it’s clear to see why people are seen as such a risk. For example, the Information Commissioner’s Office (ICO) publishes statistics on the main causes of data security incidents, and in the cases where it has taken action, human error and process failure tend to be the leading causes. More specifically, the reasons tend to be things such as loss or theft of paperwork, data sent to the wrong recipient, or loss or theft of an unencrypted device. It’s easy to see how and why these events occur so readily. Let’s take a look at three of the key reasons:
- People are busy and huge amounts of data are created every second
- Data is becoming the most valuable asset a business has, which incentivises malicious actors to try and steal it
- Businesses (and therefore, employees) don’t tend to understand the value of each piece of data they create
The effective use of technology does go a long way to overcoming some of these challenges. However, using technology alone still leaves gaps and in some instances has an adverse effect on productivity.
Next in this three-part series, Aaron will look at the three main steps you need to take for a user-driven approach.
Sophos Intercept X has beaten 11 other endpoint protection products in the latest tests by MRG Effitas.
The Q2 2019 MRG Effitas 360 Degree Assessment and Certification compared 12 endpoint protection products using “metrics that matter” to replicate real-world scenarios.
Sophos Intercept X was tested in its default, out-of-the-box configuration and was able to protect the test system from infection in every scenario:
- Blocked – 100% of zero day, in the wild attacks
- Blocked – 100% of malware tested (trojans, ransomware and other malicious applications)
- Blocked – 100% of exploits and file-less attacks
- Blocked – 100% of adware and PUAs
- No false positives
No other vendor achieved results this strong without configuration changes.
MRG releases a new version of this test every quarter. This is the first time Sophos has participated publicly. You can download the full report here.
Intercept X Third Party Test Results
Intercept X Advanced is the world’s best endpoint protection. In addition to plaudits from SE Labs, it has consistently performed at or near the top of multiple third-party tests.
SE Labs
- AAA Rated for Enterprise – 100% total accuracy rating
- Best Small Business Protection Award – AAA rated for SMB, 100% total accuracy rating
NSS Labs
- Ranked #1 for Security Effectiveness
- Ranked #1 for Total Cost of Ownership (TCO)
AV-Comparatives
- Ranked #1 for Malware Protection (99.9% detection, 0 false alarms)
MRG Effitas
- 100% block rate, 0 false positives – 360 Degree Assessment
- Ranked #1 for Exploit Protection
- Ranked #1 for Malware Protection
PC Magazine
- Editor’s Choice, Best Ransomware Protection for Business 2019
AV-Test
- AV-Test (Windows) – Top Product
- AV-Test (Mac) – Perfect Score
- AV-Test (Android) – Perfect Score
One reason Intercept X excels is that it offers multiple layers of security in a single solution, with a single agent, to deliver unparalleled protection against advanced attacks.
Under the hood, Intercept X integrates deep learning malware detection, anti-exploit technology, active-adversary protection, specific anti-ransomware technology and a host of foundational endpoint security techniques.
Sophos, a global leader in network and endpoint security, today announced it was named the 2019 Best Small Business Endpoint security solution by SE Labs in its inaugural “Annual Report.” The new report recognizes Intercept X Advanced as the industry’s best for endpoint threat protection based on strong product performance following months of in-depth testing.
SE Labs “tested more than 50 different products using over 5,000 targeted attacks. These attacks were run in a realistic way using publicly available hacking tools,” according to the report. “To ensure our testing is as realistic and useful as possible, we monitor real-world breaches from a technical point of view. This allows us to adapt and change our testing in a similar way to how real attackers operate.”
Intercept X Advanced consistently ranks best at detecting and stopping attacks. It achieved 100 percent Total Accuracy Ratings for enterprise and small business endpoint protection in SE Labs’ 2019 endpoint protection test reports. It’s also earned AAA ratings in every SE Labs test to date.
“Cybercriminals are constantly evolving their methods, launching new attacks in an attempt to go undetected,” said Dan Schiappa, chief product officer at Sophos. “Automated, active attacks targeting businesses of all sizes are on the rise, and organizations need advanced endpoint protection now more than ever. Sophos is committed to stopping never-before-seen, zero day cyberattacks, plus ransomware and other attacks that cybercriminals are persistently using. This award is validation that we’re helping organizations stay one step ahead.”
Intercept X Advanced is the industry’s most sophisticated endpoint prevention solution, offering multiple layers of security to deliver unparalleled protection against advanced attacks. Leveraging deep learning and anti-exploit technology, Intercept X Advanced stops the widest range of threats by employing a comprehensive defense-in-depth approach to endpoint protection.
News hit this week that 22 government organizations in the Lone Star State were recently hit by coordinated ransomware attacks. It’s a stark reminder that as attacks continue to evolve, it’s crucial that your defenses evolve even faster.
Ask about these three big, protective layers against advanced attacks
So how can you help ensure your organization isn’t the next ransomware victim?
For starters, does your solution have industry-leading anti-exploit technology to ensure attackers can’t use unpatched, vulnerable software programs to distribute and install ransomware?
Sophos Intercept X Advanced blocks more exploit techniques than any other endpoint protection product on the market. It’s not enough to just have exploit protection: the number of exploit techniques a product protects against is also extremely important. Luckily, if it can be exploited, Intercept X Advanced has the best chance of neutralizing it.
Should that not stop an attack – or should an exploit not be leveraged – how will your solution stop attacks it’s never seen before?
Our award-winning deep learning engine can identify unknown, unseen, and previously unidentifiable executables with greater accuracy than – you guessed it – any other vendor on the market.
And finally, should the unthinkable happen – should ransomware find its way onto one of your endpoints and start executing – how will your solution deal with it?
The second-to-none CryptoGuard anti-ransomware technology found in Intercept X Advanced not only offers the best ransomware protection on the planet to stop attacks in their tracks, but also uses proprietary shadow-copy technology to roll affected files back to their previously-safe states, and cleans up affected registry entries – all in the blink of an eye. It’s not enough to just stop a ransomware attack: it needs to be reversed and cleaned up as well, so you can get on with your day.
These are just three of the ways that Intercept X can thwart an attack, all backed up by a very long list of pre-execution, runtime, and post-execution features.
Seeing is believing
Here’s a closer look at what happens when a popular ransomware variant tangles with Intercept X technology:
Take it for a spin
Of course, the best way to experience the power of Intercept X Advanced is to try it yourself. Download a free 30-day trial, and you’ll be up and running in minutes. Evolve your defenses today!
You can read the original article here.
Data breaches are on the rise – it’s a fact. In times like these, it’s important to ask yourself – are you being vigilant? And crucially, are you in the know?
The following statistics have been taken from the recent 2019 Verizon Data Breach Investigations Report and identify those behind the breaches, as well as the victims. The report looked at 41,686 security incidents, of which 2,013 were confirmed data breaches.
The victims
Looking at the victim demographics and industry analysis specifically, of the 20 industries covered in the report, only the Public Sector ranked higher than Healthcare and Finance for the number of known recorded breaches…
- 16% were breaches of Public Sector entities
- 15% were breaches involving Healthcare organisations
- 10% were breaches of the Financial industry
These industries remain in the top three for victims affected, and unsurprisingly, are the three industries that hold the most PII (personally identifiable information) and sensitive consumer data. Indeed, according to the report, internal data, credentials and personal information ranked highest in the top data varieties compromised in breaches.
Healthcare organisations specifically carry huge amounts of PHI (protected healthcare information) which, if it found its way into the wrong hands, could be detrimental to all involved. According to HIPAA Journal’s April 2019 Healthcare Data Breach Report, April was the worst month for healthcare data breaches since reports began back in October 2009. For example, Gulf Coast Pain Consultants, LLC d/b/a Clearway Pain Solutions Institute recently announced that their Electronic Medical Record System was accessed without authorisation, exposing approximately 35,000 records of patient data which included social security numbers and insurance information.
The culprits
So who is responsible? The report identifies that outsiders remain the principal threat through use of hacking and malware, among others. But crucially, privilege abuse and data mishandling still rank highly in the top misuse varieties in breaches…
- 69% perpetrated by outsiders
- 34% involved internal actors
- 15% were misuse by authorised users
From the figures above, it is clear that the insider threat is comparable in scale to the outsider threat and is not something to be ignored. Recent reports suggest that long before Facebook, Twitter and Instagram, Myspace employees were abusing their access rights by using a specific tool to spy on its users. And just the other month it was announced that Snapchat employees had been doing the same to access location information, saved Snaps, phone numbers and email addresses.
The importance of being vigilant
It’s important to recognise that when breaches occur, they can sometimes lie unnoticed for a substantial amount of time. Verizon’s report highlights that 56% of breaches took months or longer to discover, something to think about given recent changes in global data protection regulations. Gaps such as this can lead to potentially devastating fines and irreparable reputational damage for your organisation, among other detrimental consequences.
It’s crucial to get employees on side and playing a part of the security team within the organisation, as they really are one of the greatest assets in the security ecosystem. This “security first” mentality in users helps with practising good vigilance: being aware of potentially suspicious behaviour, as well as handling sensitive data responsibly.
Alongside vigilant staff, data classification software can also play a crucial part in preventing data breaches by improving user awareness and data control to protect business critical data, as well as offering built-in reporting tools such as Boldon James Classifier Reporting, to monitor and report on classification events, and the handling of classified data within the organisation.
You can read the original article here.
To understand the need for Endpoint Detection and Response (EDR), let’s begin by discussing the cybersecurity environment.
To give a sense of scale, our own cybersecurity experts in SophosLabs process 500,000 never-seen-before malware samples each day. In 2018, the National Institute of Standards and Technology (NIST) reported that 16,451 software vulnerabilities were discovered. The challenge for defenders keeps growing, leading to a desire for better visibility and detection capabilities.
Organizations have to deal with multiple threats trying to enter their environments on a daily basis. Naturally, many of these threats are stopped outright by strong cybersecurity defenses. But those which are evasive, uncommon, or unclear can slip through, which is where EDR comes into play. EDR was born out of a need to supplement existing endpoint protection tools.
To make this easier to understand, let’s split what runs on an endpoint into three groups:
1. Benign
These are non-malicious programs that are part of daily life in the vast majority of organizations, such as Microsoft Word, Outlook or Google Chrome. We don’t want to interfere with them, as this would cause disruption to the wider business.
2. Gray area or ‘the gap’
This area covers items which aren’t obviously good or bad, so without further manual investigation we don’t know whether they can be left alone or should be blocked.
EDR was developed to investigate the gap. Are these items actually malicious, requiring action such as isolating affected devices or performing cleanup? Are they Potentially Unwanted Applications (PUAs)? Or something benign that can be ignored?
As threats evolve, many are becoming stealthier, using specific methods to fool antivirus solutions. EDR gives organizations the tools to hunt for suspicious Indicators of Compromise (IOC) and pick up on these hidden threats.
3. Malicious
Malicious files should be stopped outright by strong endpoint and server defenses. These are convicted as malicious and don’t require human interaction. Unfortunately, some traditional EDR tools fail here, letting through malware that should have been caught. This is because their strengths lie with post-event detection rather than pre-emptive protection.
What to look for in an EDR solution
EDR tools can vary wildly in terms of ease of use and granularity of analysis. The key questions to ask when evaluating an EDR solution are:
- Does it require additional resources, or can you get value from it with your current team?
- Does it help you prioritize your time by showing you the most suspicious items?
- Can you see how a potential threat came in and what it interacted with?
- Do you get intelligence on the suspicious item, such as from machine learning or cybersecurity specialists?
- Is it easy to take action when you have made a decision? For example, blocking a threat or isolating a device?
Read the Top 5 Reasons You Need EDR whitepaper to get more detail on EDR and why it has become a necessity for most organizations. Then take a look at Sophos Intercept X with EDR that combines industry leading protection with powerful, straightforward to use EDR capabilities.
You can read the original article here.
Ransomware has recently vaulted to the top of the news again, as devastating attacks continue to impact government, education and business operations in many jurisdictions, particularly in the United States.
These attacks start in a number of ways: some begin with a phishing email, others with hackers exploiting vulnerabilities in networking stacks to gain a foothold and then move quickly to other systems on the network. The most famous network vulnerability exploited in a ransomware attack was EternalBlue a couple of years ago. Since then, new vulnerabilities like BlueKeep have been discovered (and patches made available), yet many networks out there remain vulnerable.
Unfortunately, many of these network stack vulnerabilities are ‘wormable’, which means that hackers and malware can exploit them automatically with no user interaction, enabling the infection to spread quickly and easily to a wide group of systems.
Of course, deploying an industry leading anti-ransomware endpoint protection product like Sophos Intercept X, and maintaining a strict patch management strategy are top best practices. But there are also other best practices you should consider to help keep ransomware, hackers, and attacks off your network in the first place.
Your firewall provides essential protection against exploits like EternalBlue and BlueKeep by closing or protecting vulnerable ports, and by blocking attacks with an Intrusion Prevention System (IPS). IPS inspects network traffic for exploit attempts and blocks any attempt by attackers to get through your network perimeter, or to cross boundaries or segments within your internal network.
While we have a full guide on how to protect your network, here are the essential firewall best practices to prevent ransomware attacks from getting into and moving laterally on your network:
- Reduce the surface area of attack: Review and revisit all port-forwarding rules to eliminate any non-essential open ports. Where possible use VPN to access resources on the internal network from outside rather than port-forwarding. Specifically for RDP, ensure port 3389 is not open on your firewall.
- Apply IPS protection: Apply suitable IPS protection to the rules governing traffic to/from any Windows hosts on your network.
- Minimize the risk of lateral movement: Use XG Firewall and Synchronized Security to protect against threats moving laterally on your network and consider segmenting your LANs into smaller subnets, assigning those to separate zones that are secured by the firewall. Apply suitable IPS policies to rules governing the traffic traversing these zones to prevent worms and bots from spreading between LAN segments.
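The three practices above are things you can check mechanically against a rule export. The script below is an added example, not Sophos code and not tied to the XG Firewall rule format: it walks a constructed rule table (the field names are assumptions) and flags high-risk ports forwarded from the WAN, rules to Windows hosts without an IPS policy, and inter-zone rules without an IPS policy. The port list adds SMB (445/139) to the page's RDP case because EternalBlue targeted SMB; that addition is the author's, not the page's.

```python
"""Audit firewall rules against the three practices above: no non-essential
ports forwarded from the WAN (RDP especially), IPS applied to rules that
reach Windows hosts, and IPS applied to rules between internal segments.

Added example: the rule table below is constructed, and its field names are
assumptions rather than any firewall vendor's export format.
"""
from dataclasses import dataclass

# Services that are wormable or routinely abused when reachable from the WAN.
# 3389 (RDP) is the case called out above; 445/139 (SMB) is the service that
# EternalBlue exploited (author's knowledge, not stated on the page).
HIGH_RISK_PORTS = {3389: "RDP", 445: "SMB", 139: "NetBIOS/SMB"}


@dataclass
class Rule:
    name: str
    src_zone: str               # e.g. "WAN", "LAN", "GUEST", "SERVERS"
    dst_zone: str
    dst_host: str
    dst_port: int
    ips_policy: str = ""        # "" means no IPS policy attached to the rule
    windows_host: bool = False  # destination is a Windows host
    enabled: bool = True


@dataclass
class Finding:
    rule: str
    severity: str   # "HIGH" or "MEDIUM"
    message: str


def audit_rules(rules):
    """Return findings in rule order; one rule may produce more than one."""
    findings = []
    for r in rules:
        if not r.enabled:
            continue
        # Practice 1: reduce the attack surface. Anything high-risk that the
        # WAN can reach should sit behind a VPN instead of a port-forward.
        if r.src_zone == "WAN" and r.dst_port in HIGH_RISK_PORTS:
            findings.append(Finding(r.name, "HIGH",
                f"{HIGH_RISK_PORTS[r.dst_port]} (port {r.dst_port}) on "
                f"{r.dst_host} is reachable from the WAN; use VPN instead"))
        # Practice 2: IPS on every rule governing traffic to Windows hosts.
        if r.windows_host and not r.ips_policy:
            findings.append(Finding(r.name, "MEDIUM",
                f"no IPS policy on rule to Windows host {r.dst_host}"))
        # Practice 3: IPS on rules that cross internal zone boundaries, so a
        # worm in one segment cannot spread freely into another.
        internal_hop = ("WAN" not in (r.src_zone, r.dst_zone)
                        and r.src_zone != r.dst_zone)
        if internal_hop and not r.ips_policy:
            findings.append(Finding(r.name, "MEDIUM",
                f"no IPS policy on inter-zone rule {r.src_zone}->{r.dst_zone}"))
    return findings


def severity_counts(findings):
    """Roll findings up by severity for a one-line summary."""
    counts = {"HIGH": 0, "MEDIUM": 0}
    for f in findings:
        counts[f.severity] += 1
    return counts


# Constructed sample rule table (not exported from a real firewall).
SAMPLE_RULES = [
    Rule("rdp-to-jump", "WAN", "LAN", "10.0.1.10", 3389, windows_host=True),
    Rule("web-to-dmz", "WAN", "DMZ", "10.0.2.5", 443, ips_policy="dmz-web-ips"),
    Rule("lan-to-servers", "LAN", "SERVERS", "10.0.3.0/24", 445,
         ips_policy="lan-ips", windows_host=True),
    Rule("guest-to-lan", "GUEST", "LAN", "10.0.1.0/24", 445),
    Rule("old-smb-forward", "WAN", "LAN", "10.0.1.20", 445, enabled=False),
]


if __name__ == "__main__":
    found = audit_rules(SAMPLE_RULES)
    for f in found:
        print(f"{f.severity:6} {f.rule:16} {f.message}")
    print(severity_counts(found))
```

Run against the sample table, the exposed RDP forward is the only HIGH finding; the same rule and the guest-to-LAN rule each pick up a MEDIUM for a missing IPS policy, while the disabled legacy SMB forward is skipped. Disabled rules are skipped deliberately: the review the text asks for is of what is live, and a separate pass for stale disabled rules is a housekeeping task rather than an exposure.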
XG Firewall and Synchronized Security are your best protection against the latest threats with industry leading protection and performance. Stop the latest hacks and attacks dead in their tracks.
Download the guide to learn more.
You can read the original article here.
For the 11th time in the last 11 reports, Sophos has been named a Leader in the 2019 Gartner Magic Quadrant for Endpoint Protection Platforms.
What makes Sophos a Leader?
We believe our placement is driven by our strong endpoint protection, real-world endpoint detection and response (EDR) usability, as well as our unifying platform, Sophos Central. We believe Gartner recognized Sophos for our proven record at stopping ransomware, the deep learning technology that blocks never-seen-before malware, and our anti-exploit technology.
Summary
We believe being positioned as a Leader in the Magic Quadrant for EPP 11 times in a row is a fantastic achievement for Sophos. As the endpoint protection marketplace changes, we continue to evolve as well, driven by our increased brand awareness in enterprise organizations and third-party test results. Additionally, as EDR has become more tightly integrated with endpoint protection, Sophos is leading the way with an EDR offering that adds expertise without adding headcount.
We believe we will retain this positioning going forward thanks to our continued excellence in endpoint protection, industry leadership in artificial intelligence, massive growth and ongoing enhancements for our EDR offering, and our upcoming managed detection and response (MDR) launch.
Intercept X Third Party Test Results
SE Labs
- AAA Rated for Enterprise – 100% total accuracy rating (Jan-Mar 2019)
- AAA Rated for SMB – 100% total accuracy rating (Jan-Mar 2019)
NSS Labs
- Ranked #1 for Security Effectiveness
- Ranked #1 for Total Cost of Ownership (TCO)
AV-Comparatives
- Ranked #1 for Malware Protection (99.9% detection, 0 false alarms)
MRG Effitas
- Ranked #1 for Malware Protection
- Ranked #1 for Exploit Protection
PC Magazine
- Editor’s Choice
AV-Test
- AV-Test endpoint “Top Product”: 6/6 Protection, 6/6 Usability, 5.5/6 Performance
- AV-Test (Mac): Perfect Score 6/6 Protection, 6/6 Usability, 6/6 Performance
- AV-Test (Android): Perfect Score
You can read the original article here.
A corporate data security policy that sets out how valuable information should be handled will be ineffective unless it’s consistently and accurately enforced. Organisations often have a written policy that’s available on their company intranet and handed to new starters. In practice, however, employees are rarely sure how to apply it to their daily activities.
The security policy needs to be made actionable – and the best way of doing this is with the classification of data. This is the first of the two steps that involve actively securing data, with the second being the implementation of technology solutions that will protect it downstream. Classification makes those solutions more effective.
Data classification is the categorisation of data according to its level of sensitivity or value, using labels. These are attached as visual markings, and also embedded into the metadata of the file. When classification is applied in association with downstream security solutions, the metadata ensures that the data can only be accessed or used in accordance with the rules that correspond with its label.
It’s possible to completely automate the process, but our clients get the best results when they combine human input with the use of software toolsets to support successful implementation. This is known as user-driven data classification.
With this approach the employee is responsible for deciding which label is appropriate, and attaching it at the point of creating, editing, sending or saving. The user’s insight into the context around the data leads to more accurate classification decisions than a computer could ever make.
Defining the classification policy
First, be clear on who should have access to each type of data. The work you did in step 1 and step 2 will prepare the ground for this. Next, decide how many categories you’ll have. Aim for three or four – the fewer the options the simpler it is for users. Labels that indicate Confidential, Internal only and Public are a good start, with perhaps a fourth category relating to information that’s subject to regulatory controls – such as EU GDPR, ITAR controlled or HIPAA/HITECH restricted.
Selecting your classification tool
The right technology will help your users to consistently apply the classification scheme, and will also add the all-important metadata. The most effective tools make classification a seamless part of business as usual, integrating the labelling process into the standard applications employees already use. Ensuring breadth of coverage across operating systems and application types is vital to future-proof your investment.
See recent reviews on Boldon James Classifier Foundation Suite here.
Rolling out data classification in your organisation
Start by classifying your ‘live’ data – the emails, files and documents that are being created and handled right now. If you’ve followed steps 1 and 2 you’ll know exactly what and where it is. By doing this, you’re ensuring that all your ‘crown jewels’ will be safely locked up from this point forward. When that is established decide how to label the existing and legacy data that is stored and held around the organisation. This process usually works well in combination with a discovery agent or tool.
Once you’ve labelled your data, it’s time to turn your attention to the enterprise security solutions and information management technologies that will control and protect it throughout the remainder of its journey.
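To make the label-then-enforce flow described above concrete, here is an added example in Python; it is not Boldon James Classifier code. It uses the four-label scheme suggested above (Public, Internal, Confidential, and a regulated category), applies a label as both a visible banner and metadata, and then has a downstream gateway decide from the metadata alone whether an email with those attachments may leave. The in-memory document shape, the metadata key names, the corporate domain list and the release rule are all assumptions; a real tool would write into the file's own properties or mail headers instead.

```python
"""Apply a classification label as both a visible marking and metadata,
then enforce a handling rule downstream from the metadata alone.

Added example: the four-label scheme matches the policy sketched above;
the in-memory document shape, the metadata keys and the release rule are
assumptions, not the Classifier product's own behaviour.
"""
from enum import IntEnum


class Label(IntEnum):
    """Ordered so that max() over several documents yields the strictest."""
    PUBLIC = 0
    INTERNAL = 1
    CONFIDENTIAL = 2
    REGULATED = 3   # subject to GDPR, ITAR, HIPAA/HITECH or similar controls


META_KEY = "x-classification"        # assumed metadata key
INTERNAL_DOMAINS = {"example.com"}   # assumed corporate mail domains
BANNERS = {f"[{label.name}]" for label in Label}

# Handling rule keyed on the label: (who may receive it, encryption required).
RELEASE_RULE = {
    Label.PUBLIC: ("anyone", False),
    Label.INTERNAL: ("internal", False),
    Label.CONFIDENTIAL: ("internal", False),
    Label.REGULATED: ("internal", True),
}


def classify(document, label, user):
    """User-driven step: the person handling the file chooses the label.
    Returns a copy with the visual marking and the metadata applied; an
    earlier banner, if any, is replaced rather than stacked."""
    marked = dict(document)
    marked["metadata"] = dict(document.get("metadata", {}))
    marked["metadata"][META_KEY] = label.name
    marked["metadata"][META_KEY + "-by"] = user
    lines = marked.get("body", "").split("\n")
    if lines and lines[0] in BANNERS:
        lines = lines[1:]
    marked["body"] = "\n".join([f"[{label.name}]"] + lines)
    return marked


def read_label(document):
    """Downstream tools read the metadata, never the body text. Unlabelled
    data is treated as REGULATED so that nothing leaks by default."""
    name = document.get("metadata", {}).get(META_KEY)
    return Label[name] if name else Label.REGULATED


def may_send(documents, recipients, encrypted=False):
    """Decide whether a message carrying these attachments may leave. The
    highest label among the attachments decides, as a DLP gateway would."""
    highest = max((read_label(d) for d in documents), default=Label.PUBLIC)
    audience, needs_encryption = RELEASE_RULE[highest]
    external = [r for r in recipients
                if r.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS]
    if audience == "internal" and external:
        return False, f"{highest.name} content cannot go to {external}"
    if needs_encryption and not encrypted:
        return False, f"{highest.name} content must be encrypted in transit"
    return True, f"released as {highest.name}"


if __name__ == "__main__":
    # Constructed sample documents.
    results = classify({"name": "q3-results.docx", "body": "Draft results"},
                       Label.CONFIDENTIAL, "alice")
    release = classify({"name": "pr.txt", "body": "Launch"}, Label.PUBLIC, "alice")
    print(may_send([release], ["press@partner.net"]))
    print(may_send([release, results], ["press@partner.net"]))
```

Two design choices matter here. The gateway decides on the strictest label present, so a public press release travelling with a confidential draft is held back. And an unlabelled document reads as the most restrictive label, which is what makes the legacy-data step above worth doing: until old data is labelled, it is treated as regulated rather than silently allowed out.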
Next steps
Download our whitepaper: The 5 Steps To Effective Data Protection – this will guide you through the five steps to implementing effective data protection within your organisation, and detail how data classification can also enhance previously implemented tools, such as data loss prevention (DLP) tools, data discovery tools, data governance tools and more.
By classifying data according to its value or sensitivity, organisations can reduce the risk of security breaches by ensuring that appropriate protections are implemented and consistently enforced. Having identified your ‘crown jewels’, and other data that needs safeguarding, it’s time to carry out a discovery exercise to find out exactly what you’ve got, where it is and who might have access to it.
Unknown data makes you vulnerable to attack. The best thought-out security policy is ineffective if you’re not certain what you hold and, therefore, what controls you need to put on it. Data governance, compliance with regulation such as the EU GDPR and ITAR and – just as importantly – demonstrating that compliance are also impossible when you don’t know where key documents reside and who has access to them.
A discovery exercise will give you visibility of your data and how it’s being accessed and used. This enables the protection strategy and solutions to be built around the types of data you have. It provides an opportunity to cut retention costs, too, by disposing of redundant data; mid-sized organisations spend £435k per year on storing and managing obsolete data, according to the Veritas Databerg report. Discovery also makes it easier to use data as a resource, deriving insights that will inform strategies and improve operations.
You need to establish:
- what data you hold
- what is being collected
- what is being created
- where it’s stored or located
- why you have it
- how sensitive it is, and
- who is accessing, using or sharing it.
Getting a grip on this is a challenge. Alongside structured data held in on-site databases, companies typically have huge volumes of unstructured data such as emails, PowerPoint decks, Excel files and PDF documents.
Information is also stored and shared across an expanding variety of systems, devices and platforms, including the cloud, collaboration tools like Microsoft SharePoint, file share sites like Dropbox and OneDrive, and ‘shadow IT’ (unsanctioned tools and apps not designed for enterprise use).
Data discovery tools and software provide an efficient and accurate way to find assets you can then classify. They examine file stores and databases, scanning for certain types of information, keywords, criteria and classification metadata. This enables you to see what your data is, where it is, and who has access. According to Forrester, 44% of North American and European technology decision-makers use data discovery tools.
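The scan a discovery tool performs can be illustrated with a small one. The following is an added example, not a Boldon James or Forrester product: it walks a file store, counts hits for a few sensitive-data patterns (email addresses, US-style social security numbers, and card numbers confirmed with a Luhn check to cut false positives), looks for keywords and for an existing classification banner, and produces an inventory with a suggested label per file. The sample store is constructed in a temporary directory, and the pattern list, keyword list and label-suggestion rule are assumptions to be tuned to your own data.

```python
"""Discovery scan over a file store: find sensitive-data patterns, keywords
and existing classification markings, and build an inventory of what is
where so it can be classified.

Added example, not a Boldon James or Forrester tool: the sample store is
constructed in a temporary directory, and the patterns (US-style SSN, card
numbers confirmed with a Luhn check, email addresses) are illustrative.
"""
import os
import re
import tempfile
from collections import Counter

PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
    "card": re.compile(r"\b(?:\d[ -]?){13,16}\b"),   # candidate only; see luhn_ok
}
KEYWORDS = ("confidential", "strategic plan", "patient", "salary")
# A marking a classification tool may already have written at the top of a file.
MARKING = re.compile(r"^\[(PUBLIC|INTERNAL|CONFIDENTIAL|REGULATED)\]", re.M)


def luhn_ok(digits):
    """Luhn checksum, used to cut false positives on card-number candidates."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text):
    """Return (pattern/keyword hit counts, existing marking or None)."""
    hits = Counter()
    for name, rx in PATTERNS.items():
        for match in rx.findall(text):
            if name == "card" and not luhn_ok(re.sub(r"\D", "", match)):
                continue
            hits[name] += 1
    lowered = text.lower()
    for kw in KEYWORDS:
        if kw in lowered:
            hits["keyword:" + kw] += 1
    m = MARKING.search(text)
    return hits, (m.group(1) if m else None)


def suggest_label(hits):
    """Map what was found onto the four-label scheme used on this page
    (the mapping itself is an assumption for this example)."""
    if hits["ssn"] or hits["card"] or hits["keyword:patient"]:
        return "REGULATED"
    if any(hits["keyword:" + k] for k in ("confidential", "strategic plan", "salary")):
        return "CONFIDENTIAL"
    if hits["email"]:
        return "INTERNAL"
    return "PUBLIC"


def scan_store(root):
    """Walk a file store and return one inventory entry per readable file."""
    inventory = []
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                hits, marking = scan_text(fh.read())
            inventory.append({
                "path": os.path.relpath(path, root).replace(os.sep, "/"),
                "hits": hits,
                "marking": marking,
                "suggested": suggest_label(hits),
            })
    return sorted(inventory, key=lambda e: e["path"])


def summarize(inventory):
    """Count files per suggested label: the first figure a discovery report needs."""
    return Counter(e["suggested"] for e in inventory)


def build_sample_store():
    """Constructed sample data in a temp dir; every value is made up."""
    root = tempfile.mkdtemp(prefix="discovery-")
    files = {
        "hr/payroll.txt": "Salary review\nalice@example.com 123-45-6789\n",
        "sales/customers.csv": "name,email\nBob,bob@partner.net\n",
        "finance/cards.txt": "[CONFIDENTIAL]\nrefund to 4111 1111 1111 1111\n",
        "public/press.txt": "Product launch announced today.\n",
    }
    for rel, content in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    inv = scan_store(build_sample_store())
    for entry in inv:
        print(f"{entry['path']:22} marking={str(entry['marking']):13} "
              f"suggest={entry['suggested']:13} hits={dict(entry['hits'])}")
    print(dict(summarize(inv)))
```

On the sample store the finance file is already marked Confidential but holds a valid card number, so the scanner suggests the stricter Regulated label; that disagreement between existing marking and content is exactly the kind of thing a discovery pass should surface before the classification rollout above relabels legacy data.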
Once you’ve defined the data within your business you’ll be able to home in on the most valuable and confidential information and make accurate decisions about how it should be handled, and who is allowed to access which files. You’ll then be ready to classify it according to its importance or sensitivity to ensure data is appropriately controlled.
Using data classification as part of a strategy to secure corporate data assets is sometimes referred to as ‘locking up the crown jewels’. But data security neither starts nor ends with the act of controlling access to information. Nor should a security policy be limited to protecting only the most valuable data; even less critical information can damage the business if it’s lost or leaked at the wrong time.
First, you need to build a strong foundation of knowledge around your data, to understand exactly what you hold and the potential risks to its security. Picture your organisation as the Tower of London. If you don’t know where your crown jewels (and less sparkly assets) are you’ll end up locking every door – or leaving the wrong doors open, exposing them to risk.
This process begins with identifying the types of data that are of greatest importance to the business, so you can pinpoint where you need to focus protection and controls.
Your most valuable and confidential data (your crown jewels) might include:
- Data assets – such as the information on a CRM database
- Business-critical documents including strategic plans and agreements
- Documents or information that are subject to regulations
- Intellectual property (IP), such as product designs and technical specs
- Personal information – for instance employees’ details.
More often than not, however, a company’s most vulnerable point will not be its crown jewels; it’s likely they’ll already have been recognised and heavily protected. It’s the more everyday sensitive data that people don’t think about, like customer lists, contracts, or time sensitive documents such as company results and press releases that are most likely to be leaked or lost. This data must also be identified and protected.
A helpful way of determining the value of a piece of information – and the risks to be managed – is to think about the impact if it was leaked or lost. Would it harm the business, for example by damaging the brand, incurring a fine from the regulators (for breaching the EU GDPR, for example) or eroding competitive advantage? If it got into the public domain, would it expose your customers, partners or suppliers? Would it put an employee’s security or privacy at risk? Would you be breaching a contract?
Once you’ve defined the data that is most at risk, you can start to find out where your sensitive data is located.
Despite the past year’s global focus on GDPR and other data privacy regulations designed to give consumers more power over their data, more than half (55 percent) of consumers still don’t know how brands are using their data, according to the Acquia survey of more than 1,000 U.S.-based consumers.
On top of that, 65 percent don’t even know which brands are using their data.
Additional key findings from the survey include:
- 59 percent of consumers wait at least a month before sharing any personal data with brands
- 49 percent of respondents are more comfortable giving personal information to brands with a physical store presence
- 65 percent of respondents would stop using a brand that was dishonest about how it was using their data
California’s CCPA data privacy law and Maine’s Internet privacy protection bill, some of the most restrictive in the nation, are standing behind the consumers who want to understand and control their data – and other states are following. Brands trying to reach those consumers will need to act accordingly, and the stakes are high.
Acquia’s research found that consumers are not willing to give brands a second chance to protect the integrity of their data. This means that businesses have only one chance to make sure their customers know that their personal information, and their privacy, is in safe hands.
The recent focus on data privacy legislation globally puts a spotlight on brands who are also facing consumer demands for personalized online experiences. This requires brands to perform a balancing act of delivering hyper-personalized experiences while also being more careful than ever with consumer data.
Consumers are typically waiting at least a month before sharing any personal data with brands. This underscores their desire to build relationships, taking time to get to know brands before trusting them.
With this in mind, transparency will be key for brands looking to earn this trust; proposed U.S. legislation requiring Internet giants to disclose the value of user data indicates the growing demand for transparency when it comes to personal data.
The organizations who answer this mandate with clear policies on data usage will be most effective at building the trust of these consumers.
In addition to being hesitant to share their data right away, almost half of respondents said they are more comfortable giving personal information to brands with a physical store presence — that’s how much they distrust the Internet.
It’s now up to digital brands to re-earn that trust — even if they aren’t responsible for creating the concern in the first place.
“Brands have a responsibility to educate consumers about data usage, proving that they can trust the Internet again,” said Tom Wentworth, SVP, product marketing, Acquia. “Allowing consumers to opt in or out of data sharing will become more common over time as brands recognize that giving consumers back control of their data is not only the right thing to do, but it will also benefit their business in the end.”
You can read the original article, here.
Earlier this year the North Carolina county of Cabarrus in the U.S.A. was hit by a BEC scam, incurring loses to the tune of over $1.7m. Sadly, this is just one example of an increasingly common – and devastating – attack.
Business Email Compromise (BEC) is where cybercriminals combine social engineering with phishing techniques to trick targeted individuals at organizations into transferring funds or data.
Common approaches include hacking email accounts, spoofing the email addresses of senior executives, compromising trusted supplier emails, and spoofing bank and lawyer emails.
BEC attacks are targeted and time-consuming, with cybercrooks often working to compromise a single organization over several months – motivated by the very high potential gains.
And it’s working. BEC attacks are on the rise and 53% of organizations hit by a cyberattack last year say they were victims of phishing.
Minimize your risk
BEC attacks exploit the weakest link in the cybersecurity chain: people. They’re all about tricking people into falling for their spoofed emails, forged documents, and fake information.
All team members are potential targets for a BEC attack, not just finance, HR and senior executives – while they may not authorize big payments themselves, they may inadvertently give hackers information that helps them, or even access to company systems.
That’s why user education and training is key to minimizing the risk of a BEC attack. Through raising awareness of the issue and educating your teams on how to spot suspicious communications, you reduce the likelihood of being hit.
Sophos can help
Sophos Phish Threat is a phishing simulation and training tool that lets you raise user awareness by emulating the tactics used by real phishing attackers. You can set up test phishing campaigns in minutes.
It also includes online training to educate people on how to spot and stop the real thing. Plus, you can measure progress to track improvement and demonstrate ROI to the business.
Try Phish Threat, for free, for 30-days.
In addition, our free anti-phishing toolkit gives you a fantastic set of resources to educate your team on phishing. It includes posters for your workplace, a PowerPoint presentation for meetings, examples of phishing emails, and top tips to spot phishy emails. Get your copy today.
Artificial intelligence and machine learning are persistently in the headlines with rich debate over its next advances. Will cybercriminals further leverage machine learning to craft attacks? Can defenders build a machine learning model capable of detecting all malware?
We believe machine learning is an essential and critical piece of cybersecurity, but it must be only one part of a broader solution to be effective.
It’s unwise for any security product to rely solely on machine learning as its primary or singular layer of defense. An all-eggs-in-one-basket approach leaves attackers with a single door to break down. A product with a true multi-technology approach, such as Sophos Intercept X, presents a complementary and reinforcing set of obstacles that must all be overcome at the same time for an attack to succeed.
Machine learning is one of an ensemble of protection technologies in Intercept X designed to identify malware and potentially unwanted applications, including those that have never been seen before. We go further in our application of machine learning, beyond simply making predictions on files. We also include “advisors” in our Endpoint Detection and Response product to provide additional information to aid in decision making. These advisors have the effect of providing the intuitions of expert malware analysts to the handling of suspicious (as compared to categorically malicious) events or artifacts.
Machine learning: A target
Cybercriminals have always sought out new and easy ways to break into systems and maneuver around networks. It is reasonable to assume they would look for ways to target a machine learning model and trick it into thinking an attack is “safe”. Sophos has prepared for such an event and other types of potential and evolving attack techniques.
Our strategy to remain resilient to these attacks has been to conduct diligent industry-leading research into neural networks and their architecture, as well as to consolidate next-generation and traditional security technologies into a single solution. This includes layers of analytics, behavioral detections, static detections, heuristics, machine learning models, anti-exploitation techniques, anti-ransomware technology, and more. We call this “The Power of the Plus”.
Only through careful architecture alongside independent, agnostic, and complementary protection technologies can the power of machine learning be safely utilized.
Sophos Offensive Research
Sophos has been conducting offensive security research of machine learning models for over two and a half years as part of our internal research into the security of machine learning and improving product resilience.
As far back as February 2017, we built an advanced, product-agnostic proof-of-concept that could trick most, if not all, machine learning models by mutating a known-good file into a malicious file. The vast majority of models would believe the file was the original, known-good file. Even today, this proof-of-concept deceives the majority of machine learning models in endpoint security solutions. Note: We chose against making this research widely available to prevent it getting into adversaries’ hands.
By preempting our adversaries and understanding the approaches they could take, we underscore the importance of our strategy to provide multiple defensive technologies covering a broad spectrum of techniques and capabilities.
Cybersecurity by Sophos
The SophosLabs Data Science team are major contributors to the field of artificial intelligence research, as evidenced by the technical papers on our website or listings on Google Scholar. Extensive and continuous research and publication of our defensive innovations is a pillar of our ethos. The results of this research influences and determines the composition and orchestration of our layers of protection technologies in Intercept X and all other Sophos solutions.
Our research influences ongoing optimizations in our products to make them less susceptible to attempted adversarial attacks. In addition, our layers of defense are designed to make convictions independently so that, should one layer miss a threat, another layer stands strong to protect the system.
Digital security and physical security have many parallels. Think of a building and how it could be protected. If you were to build nothing but a giant wall, it may prove difficult to climb over but eventually someone will find a way to get over it (or under it).
Now consider a fortress. Armed guards, attack dogs, CCTV, tripwires, barbed wire, motion sensors. It may be possible to hop the wall, but you still have many additional hurdles ahead of you.
Single layers are simple to build but are also simple to bypass. Our goal has always been to build fortresses.
Not long ago on the CyberArk Conjur blog, our DevOps community manager and evangelist John Walsh explored the history and evolution of open source software. It’s a great read that highlights the clear relationship between open source adoption and DevOps success in the enterprise, along with the power of community engagement and information sharing.
We’ve embraced this team player approach with CyberArk Conjur and our fast-growing CyberArk Marketplace, which features community contributions. Furthering this commitment to collaboration and transparency, today we published our product documentation library online, making it freely available to everyone – no login required.
Featuring newly simplified and enhanced documentation on CyberArk version 10.10, CyberArk Docs makes it even easier to get your questions answered – fast.
Considering a privileged access security solution? Whether your organization is just getting started or already focused on implementing advanced privileged access security strategies to align with digital transformation initiatives, CyberArk Docs is a good place to start. Get to know CyberArk by browsing documentation by product: Core Privileged Access Security, CyberArk Privilege Cloud, Endpoint Privilege Manager and Application Access Manager. On each of these product pages, it’s easy to find information on security fundamentals, how to get started with a deployment, how to configure or manage your environment and how to install or upgrade components. The site is easy to navigate, offering documents organized by functional role with information for end users, administrators and developers.
CyberArk Docs is also part of our broader CyberArk Technical Community site, available to current customers and partners, where you can connect and engage with peers and subject matter experts on CyberArk products and services. Through the Technical Community you can now browse and download helpful documentation from CyberArk Docs, take advantage of our comprehensive knowledge base, access a wide range of online training courses and post integrations and reviews on the CyberArk Marketplace. There’s also a simple way to submit support cases and enhancement requests.
CyberArk Docs is just one of the many ways we’re extending value to the broader cybersecurity community. Inspired by open source, our goal is to make it easier for end-users, admins, developers and security professionals alike to access the information and tools they need to collaborate, innovate, build and succeed.
Check CyberArk Docs out today.
You can read the original article, here.
37% of cyberattacks are discovered on servers, making them the most likely place to identify an attack in an organization. That’s one of the alarming stats taken from a recent Sophos survey of 2,700 IT managers around the world.
But why are servers such tempting targets for hackers?
1. Servers are high value
Servers often contain an organization’s most valuable data. For example, personally identifiable information (PII) such as employee and customer records could be stolen if they’re not adequately secured (for example, with encryption) on the server.
Regulations, such as the recently introduced GDPR that protects EU citizens’ data, levy significant fines for non-compliance. Attackers know this and will threaten to release sensitive data if their demands are not met.
2. Server downtime is costly
Servers are the lifeblood of organizations and are critical to their day-to-day functions. Unexpected downtime can seriously impact productivity by removing access to important files or communication tools such as Microsoft Teams or Skype. Ransomware attacks can cause organizations to grind to a halt unless a ransom is paid.
In instances where an organization is reliant on servers for commercial function (e.g. an e-commerce site) downtime can be even more severe.
3. Servers are the perfect staging ground
Servers are usually well connected in an organization’s network. They are also online and running 24/7, which makes them an ideal platform for launching further attacks and performing reconnaissance looking for weak spots to exploit across the network. If you can’t identify a compromised server, the gates to your IT kingdom could be wide open.
So what needs to be done to secure your organization’s servers? The answer is in the right combination of advanced protection, visibility with powerful tools like Endpoint Detection and Response (EDR) and server specific features such as File Integrity Monitoring.
Sophos Intercept X for Server has them all, keeping your organization secure against advanced threats including ransomware and exploits. It gives you the tools you need to hunt down evasive threats and it locks down your servers so they can’t be tampered with. Take a look at our Server Buyers Guide to see the full list of features your server protection solution needs to have.
You can read the original article, here.
For years, security was cited as a prime reason not to put sensitive data or valuable workloads into the public cloud. It’s safe to say that situation has changed. In fact, the CyberArk Global Advanced Threat Landscape Report 2019: Focus on Cloud found that the vast majority (94 percent) of the 1,000 global organizations surveyed used cloud services in some way, shape or form. We see that that use is often to support digital transformation initiatives.
The public cloud isn’t being used for low-value data or unimportant assets. For instance, nearly half of the respondents are using SaaS-based business critical applications and a similar percentage use the public cloud for regulated customer data.
So far, so unsurprising.
The eye-opening discovery was the contrast between what organizations see as the major benefit derived from their use of cloud versus their understanding of their cloud security accountability.
The prime benefit that the organizations surveyed hoped to see from their usage of cloud was the ability to offload security to the cloud vendor, either completely or in part. This was potentially alarming, to say the least. Cloud vendors take responsibility for certain aspects of security when companies use their services, but they are very clear about where their clients must step in and assume accountability. Protecting customer data remains the responsibility of the client.
Then, we found that three quarters of survey respondents, perhaps blindly, entrust the security of their cloud workloads completely to the cloud vendor while half this number realize that this will not provide them with broad protection – but do it anyway. At this point, it’s obvious that the shared security responsibility model, which is clearly communicated by major cloud vendors, is either not well-understood or being ignored by many organizations.
Our report looked further into how privileged credentials are protected in the cloud and whether the high-value privileged credentials that give access to the most sensitive cloud-based data and assets were being properly secured.
It shows widespread lack of awareness about the existence of privileged accounts, secrets and credentials in IaaS and PaaS environments as well as the lack of a strategy to secure them. With less than half of all respondents reporting having a privileged security plan for the cloud, our findings indicate that organizations could be placing themselves – and their customers’ data – at significant risk.
For more details, download our eBook.
The recent attack by China on Cellular companies – called Operation Soft Cell – is part of an espionage campaign that leverages privileged access in privileged accounts. Compromising credentials remains the weapon of choice for attackers and a top attack pattern.
We first encountered this pattern when Edward Snowden revealed Operation Socialist, a CIA and British Global Communication Headquarters (GCHQ) campaign that allegedly attempted to take control of one of the most widely spread telecommunications networks in the country – Belgian telecommunications company Belgacom. Access to Belgacom would allow intelligence agencies to obtain the metadata required to track specific target individuals. Aside from this new attack coming from a very different quarter, China’s APT 10 rather than the GCHQ, the attacks are very similar.
Operation Socialist, like the recent Soft Cell operation, leveraged privileged access and privileged accounts to take control of telecommunication systems and persist while remaining in the shadows. Neither of these attacks needed to exploit vulnerabilities or reveal sophisticated and aggressive tools, which cost a lot to develop. In both cases, the groups compromised the organization’s privileged accounts – namely domain admin accounts. Domain admin accounts have administrator rights over an entire domain, making them extremely useful to an attacker.
Domain admin accounts and other well-known privileged accounts are usually tightly-controlled and monitored. However, there were still vulnerabilities to exploit. The attackers probably went after shadow admins, which are privileged accounts that aren’t members of the privileged Active Directory group, letting them fly under the radar and often go overlooked by organizations’ security teams.
These type of accounts have special privileges that allow an attacker to gain control of a complete network control without being a member of a privileged group. Consequently, the attack leaves little trace, while still providing the attacker with flexibility. In the Soft Cell operation, the attackers launched a VPN service to allow them shadow access to the network – possibly based on shadow admin accounts.
Using shadow admins to gain access isn’t the only short cut that the attackers from Operation Soft Cell and Operation Socialist used. In both of these cases, the attacks on the telecom companies targeted the supply chain. Just like hardware manufacturing facilities, software companies that provide product updates or internet traffic backbone servers are vulnerable to supply chain attacks.
This has become common with many attackers redirecting their efforts from well-defended organizations to their less-secure supply chains. Attackers who want intimate and persistent access to a company’s data and IP can replace sending phishing emails to vast numbers of employees with bugging the company’s hardware. Attackers who want access to an individual’s metadata, location and calls for a longer period of time, can replace exposing a costly WhatsApp vulnerability with compromising a specific individual’s phone.
You can read the original article, here.
In the last week both British Airways (BA) and Marriott Hotels have hit the headlines because of eyewatering GDPR fines – $229 million for BA and $123 million for Marriott.
The fines show that the GDPR (General Data Protection Regulation), has given enforcers like the UK’s ICO (Information Commissioner’s Office), some serious teeth. BA’s fine is almost 400 times larger than the ICO’s previous record fine – a $645,000 penalty handed to Facebook for the Cambridge Analytica scandal.
With these new fines in mind, it’s a good time to make sure you’ve minimized your risk of being next in line.
GDPR is focused on protecting European Union citizens and it applies to anyone who holds personal data on an EU citizen, wherever in the world you are based. Marriott, a U.S. organization, is a case in point.
Here are five best practices we recommend all organizations follow to minimize the risk of a GDRP data loss fine:
- Patch early, patch often. Minimize the risk of a cyberattack by fixing vulnerabilities that can be used to gain entry to your systems illegally. There is no perimeter, so everything matters: patch everything.
- Secure personal data in the cloud. Treat the cloud like any other computer – close unwanted ports and services, encrypt data and ensure you have proper access controls in place. And do it on all your environments, including QA and development.
- Minimize access to personal data. Reduce your exposure by collecting and retaining only the information you need, and making sure the only people with access to it are the people who need it to do their jobs.
- Educate your team. Ensure that everyone who might come in to contact with personal data knows how they need to handle it – this is a GDPR requirement.
- Document and prove data protection activities. Be able to show that you have thought about data protection, and have taken sensible precautions to secure personally identifiable information.
Sophos can help
First up, to minimize the risk of attackers getting to your data, we offer a complete portfolio of cybersecurity solutions, including Intercept X endpoint protection and XG Firewall. Check them out with our free online demos today.
If you’re using Amazon Web Services (AWS), Microsoft Azure, or Google Cloud Platforms (GCP), take a look at our guide to Securing the Public Cloud: Seven Best Practices. It explains what you are (and are not) responsible for, and how to protect data and workloads in the public cloud.
When a laptop goes missing, you need to be able to show it was encrypted. Sophos Central Disk Encryption is the easiest way to centrally manage BitLocker and FileVault encryption, and to prove that you have it deployed.
Think about how much personal data you have on your work mobile phone – it’s just as much a security risk as your laptop. Sophos Mobile enables you to remotely lock and wipe a lost mobile device – and also demonstrate that it is encrypted.
Sophos Disk Encryption and Sophos Mobile are available through Sophos Central. If you’re already using Central you can start a free trial in a couple of clicks from within your console. If you’re not, download a free trial today.
You can read the original article, here.