As the responsible body (the controller in data protection terms), one has to take various data protection requirements concerning data security into account. Often one depends on service providers that one trusts. This trust can lead to expensive violations because of a lack of insight into, and understanding of, the service provider's activities, and because of the absence of service contracts.
In practice it has been shown that implementations need to be reviewed closely for data security, because clear responsibilities and requirements are often lacking. Typical scenarios are the following examples:
- The IT service provider only delivers what is commissioned; what is not commissioned is not implemented. There is no obligation to advise, and the IT service provider only recommends what it wants to sell. As a result, only selective concepts and implementations are often created, such as backup concepts that do not exist, are incomplete, or whose effectiveness has never been tested. In such cases data loss is inevitable. One example: a company's large e-mail archive was lost forever because it existed only locally on a PC in Outlook archive files, since Outlook was configured to delete messages from the mail server after retrieval. The e-mails were therefore stored only locally in a PST file. Because the PC was not backed up, on the grounds that all employees work on network drives, the PST file was lost when the PC was replaced and wiped.
- Often there are rudimentary data security concepts that get lost over time, for example through server migrations or IT restructuring. After a server migration the permissions concept is gone, with the result that every user can suddenly open all folder structures and see everything, such as personnel files.
- Backup concepts that no longer work after years because the storage space was no longer sufficient; that produce faulty backup data which cannot be restored; or that produce no backup at all because folder structures were nested too deeply and could no longer be backed up, since the backup program can only handle paths up to a limited length. Backups that only saved part of the data, and so on.
- Security updates only once a year for cost reasons.
- A lack of encryption, or a break in the encryption chain, are further examples.
- Backups stored in the same building, which are destroyed along with everything else in a fire or other disaster.
- Custom software or web shops that expose personal data on the Internet without protection, or that are vulnerable because they run outdated software stacks. This occurs in test as well as production environments, e.g. MySQL databases reachable from the Internet with default passwords, or copies of all data sitting in Redis caches or Elasticsearch instances without any authorization mechanism, although these services should have been decoupled from the Internet.
- Corporate networks are often one large, flat whole, so that if any network device catches malware, it can attack every participant in the network. Nowadays network-connected devices such as routers, cameras, printers, projectors and building control systems are also frequent entry points. Network segmentation, for example separating production from administration, offers a remedy: an infection in production can then spread only there.
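The backup items above all come down to one thing: a backup whose restore has never been exercised is an assumption, not a safeguard. The following is an added example (not code from the original article) of a minimal backup self-test in Python: it flags files whose path exceeds an assumed maximum path length (the classic 260-character limit inherited from Windows MAX_PATH; substitute the limit your backup tool documents), performs a backup-and-restore round trip into a temporary directory, and compares SHA-256 digests of every file. The sample tree, the `demo()` function and the tight demo limit are constructed for the example.

```python
"""Backup self-test (added example, not from the article).

Checks two of the failure modes described above: paths that exceed a backup
tool's maximum path length, and backups whose restore was never verified.
All sample files are constructed inline in a temporary directory.
"""
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path

# Assumed limit: 260 characters is the classic Windows MAX_PATH that older
# tools inherit; adjust to your backup software's documented limit.
MAX_PATH_LENGTH = 260


def hash_tree(root: Path) -> dict:
    """Return {relative path: sha256 hex digest} for every file below root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def find_overlong_paths(root: Path, limit: int = MAX_PATH_LENGTH) -> list:
    """Files whose absolute path is longer than limit: these are the ones a
    length-limited backup tool silently skips."""
    return sorted(
        str(p.relative_to(root)) for p in root.rglob("*")
        if p.is_file() and len(str(p.resolve())) > limit
    )


def backup(source: Path, archive: Path) -> int:
    """Write every file below source into a gzip tar; return the file count."""
    count = 0
    with tarfile.open(archive, "w:gz") as tar:
        for p in sorted(source.rglob("*")):
            if p.is_file():
                tar.add(p, arcname=str(p.relative_to(source)))
                count += 1
    return count


def restore(archive: Path, target: Path) -> None:
    """Extract the archive into target, using the safe 'data' filter where available."""
    with tarfile.open(archive, "r:gz") as tar:
        if hasattr(tarfile, "data_filter"):
            tar.extractall(target, filter="data")
        else:
            tar.extractall(target)


def compare_trees(source: Path, restored: Path) -> dict:
    """The restore test proper: every source file must come back byte-identical."""
    expected, actual = hash_tree(source), hash_tree(restored)
    missing = sorted(set(expected) - set(actual))
    corrupt = sorted(k for k in expected if k in actual and actual[k] != expected[k])
    return {"files": len(expected), "missing": missing, "corrupt": corrupt,
            "ok": not missing and not corrupt}


def demo() -> dict:
    """Build a constructed sample tree, run the checks, and return the findings."""
    work = Path(tempfile.mkdtemp(prefix="backup-selftest-")).resolve()
    try:
        source, archive, restored = work / "source", work / "backup.tar.gz", work / "restored"
        deep = source / "level1" / "level2" / "level3" / "level4" / "level5"
        deep.mkdir(parents=True)
        (source / "a").mkdir()
        (source / "a" / "b.txt").write_text("customer list\n")
        (source / "readme.txt").write_text("short path\n")
        (deep / "report-final-v2.docx").write_bytes(b"\x00" * 64)

        # A tight limit relative to the temp dir keeps the demo deterministic;
        # in real use pass MAX_PATH_LENGTH (or your tool's limit) instead.
        overlong = find_overlong_paths(source, limit=len(str(source)) + 40)

        backup(source, archive)
        restored.mkdir()
        restore(archive, restored)
        clean = compare_trees(source, restored)

        # Simulate a silently corrupted backup and confirm the test catches it.
        (restored / "a" / "b.txt").write_text("garbage\n")
        tampered = compare_trees(source, restored)
        return {"overlong": overlong, "clean": clean, "tampered": tampered}
    finally:
        shutil.rmtree(work, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Run it periodically against a real backup set rather than once: the article's point is that backups degrade over the years as storage fills and folder trees deepen, and only a restore that is compared file by file proves the backup still works. The same comparison, run against a copy restored in a different building, also covers the "backups in the same building" item.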
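The MySQL, Redis and Elasticsearch cases above share one root cause: a data store listening on an address the Internet can reach, with no authentication in front of it. As an added example (not code from the original article), the following Python script parses a listening-socket listing in the format of `ss -tln` and reports data-store ports bound to non-loopback addresses, then checks a `redis.conf` for the three directives that decide Redis exposure (`bind`, `protected-mode`, `requirepass`). The port-to-service mapping, the sample listing, the weak and hardened config excerpts and the password placeholder are all assumptions constructed for the example.

```python
"""Exposed data-store check (added example, not from the article).

Parses a listening-socket listing in the format of `ss -tln` and a Redis
configuration, and reports database/cache services that accept connections
from non-loopback addresses or run without authentication. The sample
listing and both config excerpts below are constructed for the example.
"""
import ipaddress

# Default ports of the services the article names, plus a few common ones.
# Assumed mapping; adjust to the ports actually used in your environment.
DATA_STORE_PORTS = {
    3306: "MySQL", 6379: "Redis", 9200: "Elasticsearch",
    9300: "Elasticsearch transport", 5432: "PostgreSQL",
    27017: "MongoDB", 11211: "Memcached",
}

# Constructed sample in the layout of `ss -tln`.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       70      127.0.0.1:3306       0.0.0.0:*
LISTEN  0       511     0.0.0.0:6379         0.0.0.0:*
LISTEN  0       4096    [::]:9200            [::]:*
LISTEN  0       128     [::1]:5432           [::]:*
LISTEN  0       128     10.0.5.12:27017      0.0.0.0:*
"""

# Constructed redis.conf excerpts: the weak setting beside the corrected one.
WEAK_REDIS_CONF = """\
bind 0.0.0.0
protected-mode no
port 6379
# requirepass (not set)
"""
HARDENED_REDIS_CONF = """\
bind 127.0.0.1 ::1
protected-mode yes
port 6379
requirepass REPLACE_WITH_LONG_RANDOM_SECRET
"""


def split_local_address(field: str):
    """Split 'addr:port' as printed by ss, including bracketed IPv6 forms."""
    addr, _, port = field.rpartition(":")
    return addr.strip("[]"), int(port)


def is_loopback(addr: str) -> bool:
    """Loopback means reachable only from the host itself."""
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # '*' or a hostname: treat as not loopback


def find_exposed_listeners(ss_output: str) -> list:
    """Return (service, address, port) for data stores not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, port = split_local_address(fields[3])
        service = DATA_STORE_PORTS.get(port)
        if service and not is_loopback(addr):
            findings.append((service, addr, port))
    return findings


def parse_redis_conf(text: str) -> dict:
    """Collect 'directive value' pairs, skipping comments and blank lines."""
    directives = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        directives[key] = value.strip()
    return directives


def check_redis_conf(text: str) -> list:
    """Findings for a Redis config: non-loopback bind, protected mode off, no password.
    Without a bind directive Redis listens on all interfaces, so that counts too."""
    d = parse_redis_conf(text)
    findings = []
    binds = d.get("bind", "").split()
    if not binds or any(not is_loopback(b) for b in binds):
        findings.append("bind is not restricted to loopback")
    if d.get("protected-mode", "yes").lower() != "yes":
        findings.append("protected-mode is disabled")
    if not d.get("requirepass"):
        findings.append("requirepass is not set (no authentication)")
    return findings


if __name__ == "__main__":
    for service, addr, port in find_exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"EXPOSED: {service} listening on {addr}:{port}")
    print("weak redis.conf:", check_redis_conf(WEAK_REDIS_CONF))
    print("hardened redis.conf:", check_redis_conf(HARDENED_REDIS_CONF))
```

A listener on `0.0.0.0` or `::` is not automatically reachable from the Internet, since a host firewall or a segmented network may still block it; the script reports where the host itself offers the service, which is the first thing to verify on test systems, where the article notes the problem is just as common as in production. The fix in every case is the same as the article states: bind the service to loopback or an internal interface, require authentication, and keep it decoupled from the Internet.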
Time and again it has been shown that a lack of IT security and data security can lead to expensive, or at the very least annoying, loss of data.