Cyber-crime is dominating today's headlines and digital criminals are continuing to exploit valuable consumer data for profit.
Outraged by the continued growth of data-related crime, governments are looking to tackle the problem with ever more stringent legislative solutions.
The most widely reported of these is the EU's General Data Protection Regulation (GDPR). GDPR will replace pre-existing EU data regulation and will include much greater personal control of data, more granular processes around breaches, compulsory data protection officers and hefty fines for non-compliance.
While GDPR doesn't take effect until May 2018, it requires substantial changes to organisational and IT infrastructures that will be neither quick nor easy to accomplish.
GDPR compliance seems like a tall order. And it is. However, there are solutions to the challenges. With this in mind, below are five issues faced by those under GDPR's jurisdiction, and the technological ways in which businesses can combat them.
In today's working environment, employees expect to be able to work remotely. However, each mobile device dramatically increases the opportunity for intrusion into the network. This is already a problem, and eliminating the weak points that mobile workers introduce is a necessity for GDPR compliance.
To take the fight to mobile vulnerabilities, organisations need to employ context-aware security, including policy controls such as identity management and permissions based on location, role, time and other criteria. With these controls in place, IT can easily track worker access and flag anomalies – all the while creating audit trails that assist in meeting GDPR compliance requirements.
Taking back control
In any organisation, privileged access controls often translate to general access controls – meaning it's not just IT administrators who have full access, but almost all employees looking to download apps or access files. After all, governing access more cautiously can be a highly taxing task, and one that can create disgruntled employees.
However, this is a threat, as every privileged access user could provide hackers with full access to networks, systems and applications. When GDPR comes into force, it will require much more stringent access controls.
To be compliant, companies can adopt dynamic access controls, which elevate and reduce access as needed, based on roles and needs. This way, employees can continue their work uninterrupted with full access to the files they need – and without creating security holes.
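The context-aware controls described above (permissions by role, location and time, with an audit trail) and the dynamic, time-bound elevation described here can be combined in one small policy broker. This is an added illustration, not code from the article or from RES; the POLICY table, the actions and the country codes are constructed assumptions.

```python
"""Context-aware access with time-bound privilege elevation and an audit trail.

Added example, not code from the article or from RES: each request carries the
user's role, location and time; elevated rights exist only as an expiring grant.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

@dataclass
class Request:
    user: str
    role: str       # standing role from the identity system
    country: str    # where the device is connecting from
    action: str     # e.g. "read_hr_records", "install_app"
    at: datetime

# Assumed policy: who may do what, from where, and during which hours (24h clock).
POLICY = {
    "read_hr_records": {"roles": {"hr"}, "countries": {"GB", "IE"}, "hours": (8, 19)},
    "install_app": {"roles": {"it_admin"}, "countries": {"GB", "IE"}, "hours": (0, 24)},
}

@dataclass
class AccessBroker:
    audit: list = field(default_factory=list)
    elevations: dict = field(default_factory=dict)  # user -> (role, expiry)

    def elevate(self, user, role, now, minutes=30):
        """Grant a temporary role; it lapses by itself, so nothing is left to revoke."""
        expiry = now + timedelta(minutes=minutes)
        self.elevations[user] = (role, expiry)
        self.audit.append({"event": "elevate", "user": user, "role": role, "until": expiry.isoformat()})

    def effective_role(self, req):
        grant = self.elevations.get(req.user)
        return grant[0] if grant and req.at < grant[1] else req.role

    def decide(self, req):
        """Return (allowed, reasons); every failed condition is named, and logged."""
        rule, reasons = POLICY.get(req.action), []
        if rule is None:
            reasons.append("unknown action")
        else:
            if self.effective_role(req) not in rule["roles"]:
                reasons.append("role")
            if req.country not in rule["countries"]:
                reasons.append("location")
            if not rule["hours"][0] <= req.at.hour < rule["hours"][1]:
                reasons.append("time")
        self.audit.append({"event": "decision", "user": req.user, "action": req.action,
                           "allowed": not reasons, "reasons": reasons, "at": req.at.isoformat()})
        return not reasons, reasons
```

Denied entries in `audit` for one user, clustered by location or hour, are the anomalies the text says IT should flag.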
Barricading against threats
Ransomware and other malware will have zero impact on your organisation – if they can't get in.
With GDPR, the cost of a breach will escalate beyond just the ransom, as regulators will impose hefty fines on any victim. To avoid this and provide the best line of defence against these sophisticated attackers, companies need to utilise proactive security measures. These include whitelisting and blacklisting applications, websites and files; allowing or blocking files from executing or downloading; and managing access based on granular contextual conditions.
Education is also vital. Hackers prey on unsuspecting employees who can't spot the difference between a genuine email from the CEO and one sent from an intruder. To combat this, companies should invest in education, so that when an attack does slip through the cracks it is shut down by a wary worker.
Automating the hellos and goodbyes
Another area which opens up companies to attack and further GDPR sanctions is the onboarding/offboarding process. It's often the case that employees are granted access when they join, but access is not revoked when they leave. This creates a security black hole, which can be exploited.
There is a simple solution to this: automated provisioning. Companies can employ automatic provisioning and de-provisioning to ensure that as soon as a worker leaves, their access is revoked. The automated provision process can then be integrated with an existing human resource app or project management system for seamless access control for everyone.
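The joiner/leaver reconciliation described above, as an added example that is not code from the article or from RES: an HR export is compared with a snapshot of the account directory, leavers are disabled on their leave date, joiners are created, and accounts with no HR owner are flagged for review rather than guessed at. The HR feed and directory contents are constructed sample data.

```python
"""Joiner/leaver reconciliation between an HR feed and an account directory.

Added example, not code from the article or from RES: HR_FEED and DIRECTORY are
constructed stand-ins for an HR system export and an identity store snapshot.
"""
from datetime import date

# Constructed HR export: one row per worker, leave date blank while employed.
HR_FEED = """employee_id,name,start,leave
1001,Alice Hart,2015-03-02,
1002,Bob Ng,2016-09-12,2018-04-30
1003,Cara Diaz,2018-05-21,
"""

# Constructed directory snapshot: account id -> enabled flag. 9001 has no HR record.
DIRECTORY = {"1001": True, "1002": True, "9001": True}

def parse_feed(text):
    """Map employee_id -> {name, start, leave} with dates parsed (leave may be None)."""
    rows = {}
    for line in text.strip().splitlines()[1:]:
        eid, name, start, leave = line.split(",")
        rows[eid] = {"name": name, "start": date.fromisoformat(start),
                     "leave": date.fromisoformat(leave) if leave else None}
    return rows

def reconcile(feed, directory, today):
    """Return the provisioning actions that make the directory match HR as of today."""
    actions = []
    for eid, rec in feed.items():
        left = rec["leave"] is not None and rec["leave"] <= today
        if left and directory.get(eid):
            actions.append(("disable", eid))          # leaver: access goes the same day
        elif not left and rec["start"] <= today and eid not in directory:
            actions.append(("create", eid))           # joiner: standing access only
    for acct, enabled in directory.items():
        if enabled and acct not in feed:
            actions.append(("review", acct))          # no HR owner: orphan, do not guess
    return actions

def apply_actions(actions, directory):
    """Apply create/disable; 'review' is left for a human, never auto-resolved."""
    for verb, acct in actions:
        if verb == "disable":
            directory[acct] = False
        elif verb == "create":
            directory[acct] = True
    return directory
```

Running `reconcile` on a schedule against the live HR export is what turns this into the automated provisioning the text recommends; a second run after `apply_actions` yields only the outstanding review items.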
Forget the filing cabinet
Finally, as well as protecting data, GDPR wants to see that it is safely stored and audited to satisfy compliance. And a filing cabinet just will not do. Therefore, data protection officers will need to provide extensive digital reports and audits on data-based changes, usage, devices, apps and configurations.
To achieve this, organisations can implement logging technologies to track what data is used and by whom – and be able to prove that controls have been implemented to secure personal data. Failure to do so could be extremely costly.
Ultimately, timely GDPR compliance for companies doing business with EU-member countries isn't an option. They will need to look across their business and manage their data holistically, carrying out the above points so that their organisation is compliant and won't face sanctions. The stakes are high. And the time is right to set your company in good stead to face the challenge.
Contributed by Jason Allaway, VP of UK & Ireland, RES