The protection of personal data is a topic that gets much interest nowadays. Many countries are planning or implementing new data protection laws. The new rules are designed to make sure that sensitive data – as processed and stored by companies and organizations – are properly secured against theft and modification.
Perhaps the best example is the General Data Protection Regulation (GDPR) which was approved by the EU in 2016 and will become valid in 2018. As it is not a directive – which can have differences in its implementation per country – the same law will then be implemented in all EU member countries.
Data protection is important when data can be used to identify or disclose information about a specific person. In fact, personal data can be anything. It is not just about names or addresses, but also about financial documents, medical records or family pictures. And in many laws, it is not just applicable to the data owner. Also other parties – for example cloud providers – who process the data on behalf of the owner have to follow the regulations. Which means that data protection laws typically cross international borders. As an example, the EU GDPR is applicable for all organizations and companies who process private data of European citizens.
But what do these data protection regulations really mean?
It means that companies have to register which data are stored where in the company systems. And that includes also local spreadsheets filled with customer data. It also means that customers can demand that their data will be erased. Above all, the design of the IT systems and processes has to guarantee that the protection of data against theft and abuse is secured, something which is called ‘privacy by design’. And if anything goes wrong, if for example data is stolen, the regulator and customers have to be informed immediately about the data breach. Also, the penalties in these scenario’s are serious and can have a dramatic financial impact for a company.
Warning, this is not just about traditional data storage and data communication
Everything is data nowadays. Even voice communication is a data service since many companies and organizations deploy VoIP services and networks. Still, the core focus of most data security initiatives is on the traditional ICT services and infrastructure. VoIP telephony is often ignored.
While voice communication causes substantial data protection risks
Many people think that their desktop telephone is…well, just a desktop telephone. While there is a serious data risk in modern IP telephones. Let’s look at medical services, for example. In many medical institutes, the contact details of patients are stored in the telephones and telephones give one-click access to voicemail systems where medical experts leave messages for each other about their patients. I don’t have to explain how sensitive messages about diagnoses, medical treatment and prescriptions can be. In addition to that, phones are excellent social engineering tools. What private information do patients disclose if they are called from the trusted number of their medical specialist? So, the telephone is a tool that can provide easy access to data that is sensitive and shouldn’t be available to others.
Are your business telephones secured?
And that is exactly where it gets tricky. Many people consider modern desktop telephones very secure since you have to log in using a username and Personal Identification Number or something like that. Only if these credentials are entered, the user has access to the contact list, the voice mail system and can make calls.
The problem, however is that logging into a desktop telephone has to be done using the old-fashioned numeric keypad, which makes it incredibly cumbersome. The immediate effect is that people stay logged in as long as possible. For example, if someone works in a flex-office but he or she uses the same desk nearly every day, he won’t log out at the end of the day. He just keeps the phone logged in and can continue his work the next day. His phone extension is open day and night. People can retrieve his contact list, listen or download his voicemails and make calls on his behalf. In some organizations, the login mechanism is entirely disabled, while I even found an advice of an IT service manager advising staff to keep their phones logged in as long as possible since it wasn’t easy to log in again.
Open telephone extensions with access to sensitive data
So, the reality is that in many offices there is an open line available with access to sensitive personal data. Not access to millions of records at once perhaps, but if the medical records of just one patient can be accessed via the tricks mentioned above, the impact for any organization may already be disastrous. So, protecting your enterprise or business telephony may be as important as your further data security plan.
photo by Mark Turnauckas on Flickr