New Regulations Present an Opportunity to Improve Overall Security and Optimize Business Processes
Privacy has been top of mind recently, especially as we near May 25, when the General Data Protection Regulation (GDPR) goes into effect. Companies that do business in Europe will now be on the hook for damages caused by data breaches and are doing everything they can to remain in compliance.
According to Gartner, European companies are expected to spend an average of $1.4 million on ensuring compliance, while U.S.-based businesses are setting aside $1 million each. And with good reason: being in breach of GDPR’s requirements could cost organizations many times more than that, as well as bringing increased legal fees, additional insurance costs and damage to brand reputation.
Given the cost and effort involved in trying to become compliant, not to mention the risks of penalties if they experience a breach, businesses are understandably apprehensive about preparing for their new reality.
GDPR doesn’t have to be anxiety-inducing. Instead, organizations should view the new regulations as an opportunity to enhance business processes and better protect themselves from damaging breaches and cyberattacks. It’s also an opportunity to put in place measures that strengthen the overall security and compliance posture of the organization, using GDPR’s requirements as the pivot point.
Here are three key business benefits that GDPR can deliver to enterprises:
1. Dedicated brand protection – The massive cyberattacks on Equifax, Yahoo and other major enterprises over the past several years have severely dented those companies’ brands and reputations. Under the new regulations, the same incidents would also bring strong penalties, leading enterprise security teams to take additional steps to protect their company’s public image. This is a good thing, as it forces companies to consider security when building out, changing or scaling business processes.
2. Think about security across the business – GDPR creates an opportunity for security teams to develop and enforce robust processes to detect, investigate, respond to and report on threats, and then roll these out across the business as a whole. Building security into business processes from the outset, rather than adding it on as an afterthought, delivers better protection against both internal and external threats while streamlining operations.
3. Saying yes to innovation – securely – GDPR compliance will improve the handling of data and detection of threats, allowing enterprises to accelerate innovation and collaboration both within the business and with external partners. This will be possible due to increased confidence in the integrity and security of their processes across the business.
Given these benefits, how can organizations go about updating their networks, security processes and practices to ensure that they can take full advantage of the opportunity GDPR presents? Here are three key steps that enterprises can take.
1. Getting visibility of what you need to see – GDPR is fundamentally about the types of data that can be collected and recorded, and how that data is handled and stored. Organizations need complete visibility throughout their infrastructure and in every business process, so that data can be effectively monitored and protected within the EU while still offering a comprehensive perspective across the organization’s networks globally. However, irrespective of environment, a fundamental part of GDPR is that data should always be pseudonymized, which in turn limits how much of that data anyone should be able to see.
The need for widespread visibility while obfuscating sensitive information could be seen as a contradiction. However, there are tools and methods that make this possible. Data masking, originally developed to secure Personally Identifiable Information (PII), is ideal for GDPR compliance and is a feature in some advanced network packet processing engines. This allows IT and security teams to set any data pattern or offset for masking – credit card records, social security numbers, IP addresses, etc. Furthermore, a strong visibility architecture that supports geo-location of user data can help identify traffic originating in the EU. When combined, data masking and geo-location (with or without encryption) can help facilitate GDPR compliance.
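To make the two masking modes mentioned above concrete, here is an added example (not code from the article or from any vendor’s packet processing engine) showing what a monitoring pipeline’s masking stage might do to a captured payload before it reaches analysts or downstream tools. Pattern masking covers the three data types the article names: card numbers are masked to their last four digits after a Luhn check so that arbitrary digit runs are left alone, social security numbers are fully redacted, and IP addresses are replaced with a keyed HMAC token so that flows from the same address still correlate without exposing the address itself (a pseudonymization choice, not something the article prescribes). Offset masking overwrites a fixed byte range, for fields at a known position in a protocol. The regular expressions, the key and the sample payload are all constructed for illustration.

```python
"""Pattern- and offset-based masking of PII in captured payloads (example code)."""
import hashlib
import hmac
import re

# Placeholder key for the example; a real deployment loads it from a key store.
PSEUDONYM_KEY = b"replace-with-secret-from-key-store"

# Constructed patterns: 13-19 digit card numbers with optional separators,
# US social security numbers, and dotted-quad IPv4 addresses.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum, used to avoid masking digit runs that are not card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask_card(m: re.Match) -> str:
    """Keep the last four digits and original separators, mask everything else."""
    raw = m.group(0)
    digits = re.sub(r"\D", "", raw)
    if not luhn_ok(digits):
        return raw  # not a card number (e.g. an order id): leave untouched
    to_mask = len(digits) - 4
    out, seen = [], 0
    for ch in raw:
        if ch.isdigit():
            out.append("*" if seen < to_mask else ch)
            seen += 1
        else:
            out.append(ch)
    return "".join(out)


def pseudonymize_ip(m: re.Match) -> str:
    """Keyed token: the same address always maps to the same token."""
    tag = hmac.new(PSEUDONYM_KEY, m.group(0).encode(), hashlib.sha256).hexdigest()
    return f"ip-{tag[:12]}"


def mask_patterns(text: str) -> str:
    """Apply the pattern rules; card masking runs first so SSN/IP rules see clean text."""
    text = CARD_RE.sub(mask_card, text)
    text = SSN_RE.sub("***-**-****", text)
    text = IPV4_RE.sub(pseudonymize_ip, text)
    return text


def mask_offset(payload: bytes, offset: int, length: int, fill: int = 0x00) -> bytes:
    """Overwrite a fixed byte range, e.g. a field at a known position in a header."""
    if offset < 0 or length < 0 or offset + length > len(payload):
        raise ValueError("mask range lies outside the payload")
    return payload[:offset] + bytes([fill]) * length + payload[offset + length:]


# Constructed sample record; the 13-digit order id fails Luhn and is kept as-is.
SAMPLE = (
    "user=jdoe ssn=123-45-6789 card=4111 1111 1111 1111 "
    "order=1234567890123 src=10.0.0.5 dst=10.0.0.5"
)


def demo() -> str:
    return mask_patterns(SAMPLE)


if __name__ == "__main__":
    print(demo())
    print(mask_offset(b"ABCDEFGH", 2, 3))
```

The Luhn filter is the part most often skipped in ad hoc masking rules, and its absence is why naive regex masking either redacts order numbers and timestamps or, when tightened, lets card numbers through. Running `demo()` yields the SSN fully redacted, the card shown as `**** **** **** 1111`, the order id untouched, and both IP fields replaced with the same `ip-` token.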
2. Encryption matters – Encryption is also critical for protecting data. The trend toward a totally encrypted internet continues, and under GDPR, data encryption is explicitly mentioned as a legitimate way to address the security of personal data while offering some protection from prosecution in the event of a data breach.
However, some organizations have concerns about threats that may be concealed within SSL-encrypted traffic, as some traditional security appliances and monitoring solutions are not equipped to process encrypted traffic. Advanced network packet brokers address this by decrypting packets once and sending the plain-text data to security and monitoring solutions, allowing them to sniff out threats and malicious payloads before the data is re-encrypted and forwarded on. Together with data masking, encryption protects data both at rest and in motion.
3. Ensuring integrity, availability and resilience – A comprehensive visibility architecture doesn’t just monitor data; it’s also critical in defending an enterprise against increasingly advanced cybersecurity attacks. Unless an organization has complete visibility into all traffic crossing its networks, cybercriminals can take advantage of vulnerabilities and blind spots to infiltrate the network and steal data. Visibility helps security teams shrink their overall network attack surface and plug any gaps in defenses.
Security resilience is also key to GDPR, and visibility helps to ensure this by enabling anomalies or developing attacks to be quickly identified and addressed. This delivers an accelerated response to potential breaches, limiting damage and minimizing risk.
GDPR is one of the most far-reaching and complex compliance regimes that we’ve seen in a long time, and effecting the necessary changes within organizations to meet its demands will not always be easy. However, if enterprises take the right approaches to strengthening their security processes, they will gain clear advantages that go far beyond simply ticking the compliance box.