Technology over the last two decades has advanced exponentially. It has become a massive enabler and, more often than not, a source of competitive advantage for the enterprise. It has made business more efficient, and with the proliferation of cloud services, accessible from anywhere. Across the globe workforces are now more mobile – able not only to work from any place but also from an almost endless number of devices. However, the devices that provide ease of access and improved productivity are also increasingly identified as major security risks.
This is because sensitive data stored on them, away from the traditional confines of the secure data centre, can, without adequate protection, be unscrupulously downloaded, ransomed or deleted. It is fast becoming clear that CISOs and CIOs need to rethink their data protection strategies. They have to protect the endpoint – whether that is in the form of a laptop or traditional work station – just like they do the data centre; but finding a sustainable answer to this burgeoning security risk is a complex matter, especially in Europe.
Regulating the regulations
By the end of 2015, it is very likely that the EU will be subject to the new General Data Protection Regulation (GDPR). For businesses in all 28 EU countries, along with any other countries that hold data in Europe, this will mean adhering to new rules around how data is handled and stored. Beyond that, it is suggested that should a data breach occur, and a company subject to the GDPR is found to have not done enough to initially mitigate and then compensate the affected parties, it can expect a fine of €100m or a fine of between 2-5 percent of its global turnover. This poses a risk beyond just data security; it goes to fiscal security and also to a company's ability to protect its brand from bad publicity, should its failures be exposed.
Today, every EU country has its own varying rules regarding data security, but the general consensus is that the GDPR will be stricter, as well as amalgamating many existing rules. It will also likely extend beyond the data centre, in terms of how information is stored and handled on the endpoint. Therefore, pre-empting the shift sooner by protecting data now, rather than later, is key.
For those European organisations that store any of their data with an American company, there is additional incentive to redefine data protection strategies. Due to US security legislation, agencies such as the NSA can request access to data beyond its borders. Whilst a company may have nothing to hide, sensitive corporate data, around which competitive advantages are built, may be open to scrutiny. For many businesses' CISOs this is an unsettling thought. But varying legislative and regulatory requirements for data are by no means straightforward, and can leave even the most accomplished CISO struggling to know where to turn.
Proactive not reactive
Finding and implementing the right data protection strategy is critical. CISOs should be focused on finding quick and sustainable ways of circumventing the most obvious threats, and building a better overall data protection practice within their organisations. The easiest way to do this is by focusing on endpoint data protection. By joining forces with the right vendor – one that understands and has solutions to the risks, both internal and external, that unprotected data on the endpoint poses – CISOs will be in the best possible position to defend their businesses against future legislative fallout.
CISOs should focus their attention on vendors that centre their strategies on safeguards such as adequate encryption, system visibility and intelligent tracking of all endpoint data. This will give them and their teams the ability to quickly remediate a breach, should the worst happen. It will also give them the ability to track the movement of, and access to, data effectively; an added advantage with so many devices touching potentially sensitive corporate information.
The increase of technology within business has allowed organisations to flourish, but it has also unfortunately given cause for concern. Society is moving towards transparency, but this does not mean that sensitive company and customer information should be left at risk. Ensuring the appropriate endpoint data precautions are taken now should be a high priority for any CISO, CIO and company in this time of transition. This will not only allow an organisation to garner complete control of its own information, but ensure that its CIO's focus is on increasing profit and expanding technological reach, rather than worrying about the safety of the 0s and 1s.
Contributed by Andy Hardy, EMEA Managing Director at Code42.