A storm is coming, one that will affect your margins if you decide to sit on the fence. It is the storm of cyber regulation, namely the European Union's new General Data Protection Regulation (GDPR), which will impose penalties on companies that are not doing enough to protect personal data from breach and loss. It may yet prove a force for good, and below I set out how businesses can get ahead of it with smart data protection tools.
When you know your business is potentially under threat, you are most likely to follow these three steps: assess the risk, draw up an action plan and implement as soon as possible. However, when it comes to businesses defending themselves against cyber crime, those steps often go out the window, replaced by slapdash measures that struggle to keep up with modern methods utilised by cyber criminals. Cyber security in the corporate sphere is often too little, too late—despite the best laid plans and intentions of security teams.
What businesses need to know
The key reason behind the European Union's decision to bring in the new regulation is to ensure, even if rather forcefully, a consistent standard of data protection across the region, including protection against cyber threats. Until now, the EU has lacked one directly applicable body of rules: the 1995 Data Protection Directive was transposed into national law separately by each of the 28 member states, producing what is best described as a patchwork of privacy and data protection rules. The new General Data Protection Regulation (GDPR), which applies from 25 May 2018, aims to be the one-stop shop for compliance, backed by penalties to encourage adherence. It also reaches organisations based outside the EU if they offer goods or services to people in the EU, or monitor their behaviour, and so process their personal data.
So, what does the GDPR entail for businesses? Should a breach occur and personal data be compromised, the supervisory authority (the data protection authority of the relevant member state, coordinated at EU level by the European Data Protection Board, EDPB) will assess whether the company met its obligations, including the obligation to implement appropriate technical and organisational security measures, and can impose an administrative fine accordingly; affected individuals can separately claim compensation for any damage suffered. Fines for the most serious violations can run up to €20 million or four percent of the company's annual worldwide turnover, whichever is higher, with a lower tier of €10 million or two percent for breaches of obligations such as data security and breach notification.
Big enterprise is already catching on and drawing up the necessary precautions, even hiring personnel solely focused on GDPR compliance. This is understandable, as the larger your business, the more you stand to lose should you fail to follow the new regulation. However, the GDPR will affect businesses of all sizes and sectors. Regardless of how your business is categorised, if you have an inadequate cyber defence strategy, coupled with practices that put customer data at risk, claiming ignorance will not hold up against the regulation or shield you from the fines, no matter how small your business.
Pre-empt the regulations
So, how do you make sure your cyber security strategy safeguards your data and meets the GDPR's requirements? For the Chief Information Security Officer (CISO), the first priority is to ensure a quick and sustainable way of mitigating obvious threats such as viruses, malware and weak or reused passwords. However, with 90 percent of large businesses and 74 percent of small businesses reporting a cyber attack this year, it is generally a matter of when, not if, a data breach occurs. It is essential that in such situations businesses can identify and report the breach quickly. This is especially important because one of the GDPR's major obligations is that a business must notify its supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it (any later notification must be accompanied by reasons for the delay), and must also inform the affected individuals without undue delay where the breach is likely to put them at high risk. The clock starts at discovery, so the quicker the discovery, the quicker you can address the attack, heal your battle wounds and strengthen defences.
CISOs and their security teams will need to harden their data repositories, with a focus on traditional layers of security such as firewalls, intrusion detection systems and intrusion prevention systems. Also expect increased attention on correlating system events and adding new detection tools as part of the data security model. Part of this focus includes validating access requests, monitoring data access and parsing activity, and understanding why requests are denied: it is the logs and their correlation that let you establish what was taken, from where and when, which is exactly what a breach notification requires you to say. Paramount to any data security model is a backup strategy that provides continuous file backup across multiple platforms with high reliability and ease of use. Bear in mind, though, that a backup restores availability after ransomware or accidental loss but does nothing to stop data being exfiltrated, and that the backup is itself another copy of personal data which must be encrypted and access-controlled under the same rules.
It is not only regulation that is changing. Modern employees access and handle corporate data more flexibly than ever before, and your cyber defence strategy needs to keep up. According to the Enterprise Strategy Group, more than 50 percent of corporate data is now stored outside the traditional firewall and data centre. Endpoint devices (mobile phones, laptops and tablets) act as miniature computers for a workforce keen to be connected anywhere and at any time, but they can be a nightmare for protecting sensitive corporate data. Any security strategy you build needs to be open-minded about how your employees actually access corporate information, and it has to have data protection at its core. Placing all your trust in a well-protected data centre is now the equivalent of burying your head in the sand.
What should you do? Pre-empt the regulations. Otherwise, the GDPR will soon be here to get businesses up to speed and building appropriate cyber defence structures, but it may have cost them a hefty fine first.
By Rick Orloff, CSO at Code42