Regulatory Issues Such as GDPR Are a Process in Which Security and Privacy Challenges Should Continuously be Addressed
The deadline for the General Data Protection Regulation (GDPR) has just passed – now what? Many spent the past few months doing everything possible to update and upgrade systems, document changes for compliance purposes, analyze weak points and prepare their information protection systems to comply with regulations, spending millions in the process. Now that the deadline drama has passed, IT organizations can take advantage of GDPR and recognize the opportunity that now exists – to redefine information protection and enhance security posture over the long term.
Our research has shown that GDPR is a massive concern for nearly all organizations, and little more than a quarter were confident they would be ready by the deadline. Complying with the regulation was the immediate challenge, but now there is an opportunity to capture the good work that has been done and make data protection a top-of-mind focus for enterprises every day. A common thread throughout many of the recent “mega breaches” is that organizations fail to protect their sensitive data because they simply do not know where it is. Many organizations are at risk across their cloud applications, on their shared network resources and within their email – our research found that 20 percent of files in cloud applications are publicly accessible, that 1 in 50 network files is wrongly exposed and that 1 in 400 emails contains confidential information that may go unprotected.
GDPR places strict regulations on organizations that collect or process personal data from EU residents, even if the data handling organization is not based there. GDPR holds all organizations that store and share such personal information accountable for their privacy and security procedures. Not knowing where data is will no longer be just a security risk, but a regulatory one that will carry steep financial penalties. Non-compliance can lead to significant fines, up to €20 million (roughly $25 million) or 4 percent of total worldwide annual turnover. This is amplified by the damage both from the breach itself and the subsequent fall in company reputation. The risk is especially perilous among consumer brands, where reputation is of the utmost importance. Regulators also have the power to stop or suspend an organization’s ability to handle data, which could cause severe operational disruption.
The new rules are designed to ensure organizations are aware of the personal data that they have, protect that data at rest and in transit, embed privacy into their processes and control transfers of that data. This regulation comes at a time when issues of privacy are on everyone’s mind, and against the backdrop of a European regulatory climate that sees privacy as a fundamental human right. As such, the EU has implemented stronger regulations than other global regions.
Questions for every IT organization
Still not sure that everything was taken care of ahead of the deadline? While May 25th has passed, there’s never a wrong time to evaluate your data protection posture. The first step is to identify the biggest risks to existing data storage and sharing applications to better understand what needs to be adjusted. Everything from wrongly exposed cloud and network files to unsecured email with confidential information is a problem, and finding all the loose threads is necessary before any real changes can be made.
Next, it’s not enough to simply protect data at rest; organizations must understand how to identify and monitor sensitive data wherever it moves. Information travels throughout an organization as a normal course of business and as such, needs to be identified, classified with a rule-based approach focused on compliance and sensitivity, and protected throughout its lifecycle regardless of its resting place.
Data protection is incomplete without considering access rights management. Organizations need to question how they define access and ensure that only authorized users can view certain information. This has the potential to be the greatest challenge for GDPR compliance beyond the basic blocking and tackling, as it is critical to the privacy aspects of the law. Individuals are gaining new rights, including the right to understand how data is accessed and the right to be forgotten, all of which must be accounted for in any data protection strategy.
It is also critical to recognize that data protection strategy goes beyond files. It is not merely a matter of securing spreadsheets and business documents; it is an enormous challenge that encompasses data and metadata within logs, data at rest in files stored on-premises and in cloud applications, customer records, cloud workloads stored in AWS and Microsoft Azure, databases and more. Everything must be accounted for in a data protection strategy, regardless of organizational complexity.
Finally, organizations must be prepared for incident response. Identifying when a breach has occurred and being able to respond within 72 hours is imperative. But they also need to understand that there is a “new normal” in a post-WannaCry world. Proactive protection is now more critical than it has ever been, and all organizations need to emphasize a proactive strategy that is more fluid, agile and intelligent. Catching a breach early, or even better, preventing it entirely, can stop the exfiltration of large amounts of data and will minimize the damage to overall company reputation. As has been seen time and again during major breaches, the longer they go unnoticed, the worse the damage is in the end.
What can IT leaders do right now
IT leaders and security officers should shift their mindset and view GDPR as an opportunity rather than a challenge. It’s a great time to engage business stakeholders and encourage them to explore an improved security posture.
Regulatory changes are not just challenges for IT, but can be impediments to business. By bringing leaders from all sides to the table, the organization can better understand the challenges and react in the most appropriate manner. In addition, once actions are decided upon, IT leaders should regularly engage business stakeholders and board members on progress.
Next, a total assessment of all personal data held by the company is imperative, as it is impossible to understand if a company is compliant without knowing what it holds, where it rests, and how it is protected, starting with the most critical data. And, finally, once that is understood, IT leaders need to identify what aspects of their data protection strategy will require new technologies, staff or partners as they work to fill gaps within their strategy.
May 25th has come and gone, but regulatory issues such as GDPR are a process in which security and privacy challenges should continuously be addressed. For those security practitioners who partner with their business leaders to create shared accountability on that journey, the result will be a significant step forward in protecting the data which both people and organizations hold dear.