The data protection goalposts have shifted: has your security strategy moved with them?
Whilst the protection of data has always been an important priority for the CIO and CISO, the impending General Data Protection Regulation (GDPR) has injected newfound levels of urgency and heightened concern. With the GDPR due to take effect in May 2018, many executives are well aware of its requirements and rapidly working towards updating their security strategy in order to ensure compliance.

Businesses not yet up to speed with GDPR, on the other hand, should be prepared to face financial consequences. The legislation clearly sets out penalties should they fail to adequately safeguard personal data against a breach and report the breach to the supervisory authority within 72 hours. Penalties can range up to €20 million or four percent of an organisation's global annual turnover, whichever is greater. 

Given the potential severity of these fines, it is essential that businesses comply in advance of the May 2018 deadline. However, with the continued advancements in cloud platforms and a more mobile workforce causing shifts in the way data is created, shared and stored, the route to compliance has become far more complex. The question becomes “How can businesses up their game and quickly increase data visibility and security in time to meet the GDPR deadline?”

Data has shifted out wide
The first step towards meeting the new challenges of data protection is simple: you must know where your data resides. In the past, enterprise security technology operated on the assumption that company data was stored in a central location such as a server room or data centre, and this was predominantly on-premises. In recent years, however, data has moved outside of traditional perimeters. Today, it has made its way to the cloud and travelled across the organisation on endpoint devices, such as laptops and computers, as well as into applications. 

In fact, Code42's recent CTRL-Z Study showed that IT decision makers globally believe that as much as half (and in the US, as much as 60 percent) of corporate data is stored on endpoint devices. Like the data centre, endpoint devices have become data stores for vital – and now more vulnerable – company information. The reality is that when data is on the move and you don't have full visibility into where it is and how it is being used, it is harder to protect.

The changing nature of today's workforce is also adding to this data visibility and protection challenge. At least one in ten companies employing 500 or more people revealed that 60 percent of their workforce is now made up of knowledge workers. Knowledge workers are those employees whose main capital is knowledge. In other words, it is their job to “think for a living”, which compounds the volume of data being created and stored outside of traditional security perimeters. For organisations, which now need complete visibility over the movement of data at any time, this scenario has raised the security stakes even higher.

Defensive formation
Once you set out to gain complete visibility into where your data resides, it quickly becomes obvious that traditional methods of data security on their own are no longer sufficient. For example, an attempt to deflect external threats by ‘building a wall' around enterprise data through the implementation of a preventative antivirus solution is not enough. Whilst AV tools can certainly help block threats, the modern enterprise contains so many potential access points and storage locations for data that they will not provide comprehensive cover when operating in isolation. An effective defence strategy must adequately cover all zones in which data can be accessed. 

For complete visibility of data, both in the enterprise and on employees' endpoint devices, a multi-layered approach to security is required. This should include antivirus, deception technologies, breach detection solutions, encryption tools, endpoint backup and real-time recovery solutions. Most importantly, the security plan must enable IT departments to identify threats and mitigate them as quickly as possible. 

In the case of a data breach, this would involve finding the weak points within the data defence that were exploited and ensuring that these vulnerabilities are shored up for the future. World-class solutions should allow businesses to identify issues within a matter of minutes and alter their security approach accordingly.

With GDPR on the horizon, companies must ensure that their data protection stands up to scrutiny in post-breach analysis; otherwise hefty fines (and reputational damage) will ensue. To keep their most important stakeholders onside, they must communicate clearly and make a robust statement of intent regarding data protection. Fortunately, with the right tools in place for data security and visibility, an effective GDPR compliance strategy is within reach. 

Contributed by Richard Agnew, VP UK, I & Northern Europe at Code42

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.