EU business leaders must act now before new security law takes effect
Jason Hart explains why EU businesses need to evaluate their security practices now before the new law takes effect.
Jason Hart, CTO of data protection, Gemalto
The recent announcement by a European parliamentary committee to back a proposal that will require critical infrastructure operators and digital service providers, such as Amazon and Google, to maintain appropriate security measures and, more importantly, to report major data breaches, is a defining moment for businesses in the EU. Business leaders should treat it as an early warning to evaluate their security practices before the proposal is approved by the EU Parliament and the European Council. So, what is the current status in the EU, and what steps do business leaders need to take to avoid falling foul of the law when it comes into effect?
Currently, traditional security is dominated by a focus on preventing a breach through firewalls, antivirus, content filtering and threat detection. However, if we are to learn anything from history, it is that breaches are inevitable and attackers will eventually get past that perimeter wall. Once this happens, customer data or even a company's IP could be compromised, as was the case with Volkswagen and the design of its Passat. Consumers entrust their vital information to the companies that gather this data and must be confident that it is being kept safe and secure. Once that trust is broken, it can be very difficult for companies to win it back.
Why has there been this sudden change?
Security has always been a hot topic, but with recent hacks of companies like TalkTalk generating headlines, and with companies collecting more and more data about us online, the issue of protecting data and securing consumer trust has never been more prominent. In the EU, companies are not yet obliged to report data breaches that have occurred, and many don't. With this new law due to be implemented within two years, companies will be forced to reveal these breaches and must now consider a change in strategy. This isn't a new policy, though: the US has been adhering to this practice for a long time, and it is the main reason we hear more about breaches there than we do closer to home. Now is the time to review what has already taken effect in the US and analyse what lessons can be learnt.
Instead of focusing purely on protecting the perimeter wall, businesses should turn to a layered approach that protects the data at every level, so that it remains protected even if criminals get past that first defence. This also means focusing on the data itself and ensuring it can't be accessed or used by anyone who is not authorised to do so. Surrounding the data with end-to-end encryption, authentication and access controls provides the additional layer of security that is vital to protecting customer and corporate information. With encryption tools in place, any data that is taken is rendered worthless to anyone not authorised to access it. Access can be controlled with encryption keys, so that only those who are permitted to read the data are able to do so. All this means that, should the worst happen and a breach occur, the customer data should still be secure.
Once these security measures are in place, it's important to tell customers. To build that trust, customers will want to know that processes have been put in place to protect their data. If businesses can show them they are going the extra mile, this will establish them as a credible innovator and a trusted company. Security must be a two-way street, though: just as customers should be informed of what is being done to protect them, they should also be told how they can protect themselves. A better-educated consumer will help to create a safer consumer service all round.
Companies have the opportunity to get ahead of the game and show their customers that they take protecting their data seriously. Companies can no longer look at security simply as a compliance mandate; it is a responsibility that is crucial to their success. Consumers are becoming far more educated and aware of the sensitive data they are releasing to organisations, and of the responsibility that entails. As this education increases, consumers will demand more of the security credentials of the companies that house their data. Failure to take this seriously could result not only in a big impact should a data breach occur, but also in a loss of consumer trust. Lose this, and face watching customers go to more trustworthy competitors.
Contributed by Jason Hart, CTO of data protection, Gemalto