When we meet a company owner who has to comply with the GDPR, in 80% of cases we hear the same sentence: “…But who knows what data I will have to protect! We don’t know things about private individuals…”. In these cases, we get people to understand why protecting information matters by leading them to put the value of the company’s assets (know-how), typically of greater interest to the entrepreneur, on the same level as the value of the personal data that the regulation protects so well.
When it comes down to it, even the most anachronistic industrialist activates particularly sensitive receptors.
Thus, a few simple questions (“where is your data?”; “who can access it?”; “who has control over access or distribution?”; “who guarantees its continuity?”; “who guarantees its security?”) begin to take on importance. Until we get to the question that was generally the most ironic: “What would happen if tomorrow, suddenly, without any warning, your company, your people, no longer had access to your systems or the data that you work with every day?”
Then came the times we know, and that question became, unfortunately, topical. Today we talk about “smart working”, de-localised tools, VDI systems and the cloud.
But, as usual, those who are not insiders continue to ignore the same questions as before. The questions have not changed, the themes have not changed. Adding variables to a hard-to-solve equation doesn’t simplify it: it complicates it. And insiders need to emphasize to their clients that physically moving data and company assets out of the company does not automatically make them “safe”.
So, we start again: “where is your data, who can access it, who is in control… etc”. And, yes: even the most ironic question of all. Because reading the contracts of those who provide services in the cloud, it turns out that in 99% of cases the service is guaranteed. The service. Not the data. Data is not a problem for the service provider.
If you have it on a cloud system and you don’t have a copy, it’s not the service provider’s fault. If the computer that your employee is using at home in “smart working” contains a virus (perhaps taken from his or her child on the internet) that accesses your information, makes a copy, or worse, slowly destroys it, it is not the fault of the service provider… Nor is it your employee’s fault if you have not trained him or her properly.
So it doesn’t matter where the data is. It doesn’t matter where the tools are and it doesn’t matter if we are talking about personal data or company know-how.
On the contrary, it is important to understand, if you don’t want to take risks, that you have to rely on real IT professionals, who know how to ask questions that may even bother us, who have an eye on the data and not on the tools. And above all, it is important to understand that the guarantee costs money.
Today you can no longer improvise. A serious company must budget for IT security and data management processes. Yes, but with what values? According to statistics (Kaspersky IT Security Calculator), a European manufacturing company with 10 employees should invest at least €30,000 per year in IT security, because the risk of information loss is 60% with an average damage of €55,000.
Any value invested today is better than any fine paid tomorrow. What the right value is, I cannot tell you: only an entrepreneur who really knows the value of their information can know.
SOURCE: FEDERPRIVACY