In the final lead up to 25th May 2018, there is a tendency for CISOs and IT departments to panic. Failure to comply with the EU's General Data Protection Regulation (GDPR) could, after all, result in fines of up to four percent of global annual turnover or €20 million, whichever is higher, for businesses operating in Europe or handling the personal data of people within it. The penalties are certainly significant but, for certain organisations, the opportunities are also substantial, particularly for the channel.
There is no escaping the fact that preparing for GDPR is an uphill climb. Businesses have spent years building up customer records and information, creating intricate data management systems for a vast amount of information that will now need to be overhauled. To gain full visibility of where personal data sits across an organisation's network, IT departments first need to discover exactly what data exists in the organisation. For any business that planned to do this manually, the process is especially time-consuming. For the savvy organisations that automated the process instead, the exercise will have been far more cost effective, and the business can now adapt more easily to further regulatory changes in future.
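To make the automated discovery mentioned above concrete, here is a small personal-data scanner. It is an example written for this edit, not a Tech Data tool or anything the author describes: it walks a directory tree, reads text files and records which ones contain e-mail addresses or IBANs, validating IBAN candidates with the ISO 13616 mod-97 checksum so that near-misses are not counted. The choice of detectors, the file-size limit and the sample files it creates in a temporary directory are all assumptions made for the illustration.

```python
"""Minimal personal-data discovery scan (added example, not Tech Data code).

Walks a directory tree, reads text files and reports which files contain
EU personal-data indicators, the starting point for a data inventory.
Detectors here are a hypothetical choice for the example: e-mail addresses
and IBANs, the latter validated with the ISO 13616 mod-97 checksum.
"""
import os
import re
import tempfile
from collections import Counter

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# Country code, two check digits, then 11-30 alphanumerics; spaces tolerated.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?:[ ]?[A-Z0-9]){11,30}\b")


def iban_is_valid(candidate: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map
    letters A..Z to 10..35, and the resulting integer mod 97 must be 1."""
    s = candidate.replace(" ", "").upper()
    if not 15 <= len(s) <= 34:
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(ord(c) - 55) if c.isalpha() else c for c in rearranged)
    return int(digits) % 97 == 1


DETECTORS = {
    "email": lambda text: EMAIL_RE.findall(text),
    "iban": lambda text: [m for m in IBAN_RE.findall(text) if iban_is_valid(m)],
}


def scan_text(text: str) -> Counter:
    """Count personal-data indicators of each kind in one document."""
    counts = Counter()
    for kind, detect in DETECTORS.items():
        hits = detect(text)
        if hits:
            counts[kind] = len(hits)
    return counts


def scan_tree(root: str, max_bytes: int = 1_000_000) -> dict:
    """Return {relative_path: Counter} for every file with at least one hit.
    Binary or oversized files are skipped; a production scan would also
    parse office documents, mailboxes and database exports."""
    inventory = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if os.path.getsize(path) > max_bytes:
                continue
            try:
                with open(path, "r", encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue
            counts = scan_text(text)
            if counts:
                rel = os.path.relpath(path, root).replace(os.sep, "/")
                inventory[rel] = counts
    return inventory


def demo() -> dict:
    """Build a constructed sample tree (invented data) and scan it."""
    samples = {
        "hr/payroll.csv": "name,email,iban\n"
                          "A. Example,alice@example.com,GB82 WEST 1234 5698 7654 32\n",
        "docs/readme.txt": "Nothing personal here. Version 2.1, build 2018.\n",
        # Last digit altered, so the checksum fails and it must not be counted.
        "finance/bad.txt": "Typo'd account GB82WEST12345698765433 should not count.\n",
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, content in samples.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(content)
        inventory = scan_tree(root)
    return {k: dict(v) for k, v in inventory.items()}


if __name__ == "__main__":
    for path, counts in demo().items():
        print(path, counts)  # only hr/payroll.csv is reported
```

The checksum step is what keeps the inventory useful: a bare regex flags anything that looks like an account number, and a practitioner reviewing thousands of hits will quickly stop trusting the output. Real deployments extend the detector set (national ID formats, phone numbers, names matched against HR records) and feed the results into the Article 30 record of processing rather than printing them.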
There is also no quick fix for GDPR, but most businesses have already realised the potential to change their reputation for the better through GDPR. Facebook, for instance, which was recently sued for its improper use of a user's personal data, announced last month that the company has already adjusted its privacy settings in anticipation of GDPR's implementation. Similarly, for the channel, there is an opportunity for vendors, in that businesses must implement a range of security solutions and products to become compliant before 25th May.
One of the biggest challenges facing large organisations in the run up to GDPR is to secure the plethora of mobile devices being brought onto enterprise networks. Bring Your Own Device (BYOD) compounds the issue as employees use their own devices to access corporate networks and data. It is reported that almost 70 percent of employees will use their own devices regardless of company policy. Given that organisations have far less control over BYOD devices and their vulnerabilities, it is alarming that approximately half of the organisations that allow BYOD do so without any BYOD security policy in place. It is perhaps not surprising that 37 percent of organisations have experienced a breach or data loss directly attributed to their mobile technology.
Keeping machines and data secure has become increasingly challenging as computing infrastructure becomes less centralised: there is greater scope for malware to reach devices used remotely and, from there, the company network. This inevitably increases the risk of data being lost or exposed.
Mobile devices are particularly exposed to data leaks because they can be lost or stolen. A lost device is two problems at once: the data on it may be read by whoever finds it, and, if not backed up correctly, it may be gone for good. Under GDPR both accidental loss and unauthorised disclosure count as personal-data breaches, the legal ramifications are the same as for any other device, and the financial, legal and reputational impact can be immense. Device encryption, a screen lock and the ability to wipe a device remotely address the first problem; backing up with the tools your platform provides (Google Drive backup on Android, iCloud on iOS) addresses the second by keeping a copy constantly synced to a safe source. Bear in mind that the cloud account then holds a copy of that personal data too, so it needs to be covered by the organisation's data-processing arrangements rather than left to employees' personal accounts. Businesses will need very thorough security controls and visibility if they hope to pinpoint when EU personal data is at risk of exposure on mobile devices and address any vulnerabilities quickly.
Implementing effective policy is the first step to ensuring mobile security. Knowing who has access to what, when, and through which device gives you visibility of your network, and visibility of your network ultimately leads to visibility of your data.
The major hacking scandals of the last year have fuelled a growing sense of mistrust in UK businesses, and GDPR ultimately provides a way to address that mistrust and build a new relationship with customers and a strong reputation. GDPR is therefore extremely significant both in terms of ensuring that channel providers themselves are compliant and in helping their customers on the journey to compliance. This, in turn, can lead to substantial business opportunities for those who handle the journey to GDPR, and their customers' journey, seamlessly and professionally.
Contributed by David Ellis, director of security solutions, Europe, Tech Data.
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.