If you were to ask most IT executives (CIOs, CSOs, CISOs etc.) whether their businesses have adequate security measures in place to defend against online threats, it is highly likely that they would reply in the affirmative. After all, safeguarding company data is a key component of the CXO's role. Most will state they have a combination of “best-of-breed” solutions coupled with less than optimal solutions blended to protect their corporation.
But now that Brexit has been decided, has the definition of “adequate security measures” changed? While the current political debate includes the exact extent of severance in the UK-EU relationship, the aim for British businesses should be to continue to conform to EU regulations, as it appears that post-Brexit, the UK will be looking to join the Single Market. This will mean that, like Norway, the UK will have to conform to many of the EU regulations, in particular data policy, which is quickly becoming a staple condition for intra-EU trade relations. It is also projected that the “policy-bar” will be set higher for the UK rather than lower.
Yet according to Code42's Datastrophe Study conducted late last year, 21 percent of IT decision makers (ITDMs) did not believe their businesses would be affected at all by the upcoming General Data Protection Regulations (GDPR), 90 percent believing they had already taken adequate steps to comply. After all, CXOs have been working to protect against data breaches and anticipating regulatory hoops for years.
Given the new legislative tussle, this confidence could be misplaced. Having some security measures is not the same thing as being fully compliant. So what must be done to make sure that a business is GDPR-ready in two years' time?
Becoming GDPR compliant
The GDPR has been widely hailed as a key milestone in unifying the fragmented, country-specific laws that currently govern data protection across the European Union. The revised regulations will apply to all of the EU member states, and will impose tougher penalties on companies that fail to safeguard customer data to a level that is deemed acceptable.
In particular, there are two fundamental aspects of the GDPR that all businesses operating in the EU must be aware of. Firstly, companies that are judged by the European Data Protection Board (EDPB) not to have protected customer data adequately will face significant fines—€20 million or up to four percent of global annual turnover, whichever is greater. This represents a serious monetary incentive for organisations to make the comparatively small investment in shoring up defences, rather than risk paying a large penalty.
Another major compliance factor that the GDPR introduces is the requirement for companies to report any data breach within 24 hours. This means that IT must be focused not only on the first line of data defence, but will also need to provide complete visibility over all company data and access points. As the last ten years has seen much of this data migrate away from a centralised repository, with 42 percent of data now held on endpoint devices (laptops, tablets, etc.) outside of the traditional security perimeter, this can pose a significant challenge.
The Brexit reality
It is unknown when the UK will initiate the formal withdrawal process from the EU by triggering Article 50 of the Lisbon Treaty. Some UK businesses may be tempted to wait before addressing the GDPR, but this would be ill-advised, because the chances of Britain adopting a more lax approach to data security after departing from the EU are slim. To ensure trade carries on as usual and that the UK remains part of the Single Market, any adequacy assessment of new regulation would almost definitely reflect the new GDPR regime and not the EU directive that is in place today. To stay ahead, resuming compliance with the GDPR is essential, while keeping an eye on any additional UK regulations that may come into force.
Another possible alternative would be that UK-centric organisations would face even more stringent regulations as the consequence of a revised trade agreement with the European Economic Area (EEA). Either way, businesses would be far better served by ensuring that they are well prepared to face the potential outcomes of a post-Brexit Britain and EU.
So how can companies ensure that they comply with the GDPR? Unfortunately, as cyber-attacks continue to evolve in sophistication and frequency, we have now reached the tipping point where a breach is almost inevitable at some stage. Therefore, whilst it is not an exact science, (as it will be judged on a case-by-case basis by the regulatory board), companies will be best served by implementing a best practices approach to minimise the risk of suffering a breach.
To do this, CXO's must be able to identify the threat vectors facing their business, and roll out the proper technology and process controls to defend against them. There should be no identifiable weak link in the chain, meaning a stack of security solutions should be in place, covering all bases—anti-virus, breach detection, multi-factor authentication, modern endpoint backup tools and data encryption.
However, a truly GDPR-friendly security strategy should not end there. It must also take steps to mitigate the potential risks caused by human error and insider threats, through a clearly communicated and comprehensive data security policy. This will ensure that all employees are well versed in storing and handling sensitive data. Finally, in the worst-case scenario of a data breach occurring, it is vital that IT and incident response teams have visibility and control over the data streams passing through endpoint devices. This will allow them to identify and report breaches quickly, freeing up time to focus on the all-important damage limitation procedures.
Contributed by Rick Orloff, chief security officer, Code42