In the words of the inimitable Bob Dylan, “the times they are a-changin'”, and so are the fines companies will face if they have lax data security protection in place. In fact, according to the Payment Card Industry Security Standards Council (PCI-SSC), the total financial penalty for organisations that fail to implement adequate data security measures could reach as high as £122bn when the General Data Protection Regulation (GDPR) comes into force in 2018.
These figures are based on one of the GDPR's core tenets that organisations can expect a fine of up to €20m or five percent of annual turnover if they fail to adequately safeguard customer data against a breach or fail to report it to the supervisory authority within 48 hours. This means that UK enterprises could face average fines of £11m and SMEs around £13,000 under the new regulation.
Delving a little deeper into the research, the industry should be struck with a sense of real concern. These already enormous figures are based on data breach rates from 2015. And let's face it, these rates are only going to get higher as cyber-criminals keep making bigger profits by exploiting data. At the same time, the industry is suffering security fatigue. The GDPR seems a long way off, and the UK might not need to comply with the GDPR because of Brexit, right?
Look beyond the Brexit fog
Right or wrong, it doesn't really matter. The GDPR has been a long time coming. But it will only apply to EU member states, and at this point no one is sure where the UK will fall on that spectrum given the relatively imminent triggering of Article 50, which will see the country exit the European Union (albeit after a lengthy negotiation process). The reality of the situation is that you have to look beyond the uncertainty that Brexit is causing in the market.
Whatever the eventual terms of Brexit, during the transition period the UK will still adhere to EU laws. This means there will be a crossover of at least six months where Britain is still bound by EU legislation, including the GDPR. Moreover, the industry should be urged to set Brexit and the GDPR aside altogether when it comes to ensuring their company's data security strategy is up to scratch.
Putting the right strategy into play
Every company should review its approach to data security carefully. Data is king and, in today's always-connected, increasingly data-centric world, it must be protected at all costs. As such, IT professionals should identify four or five main concerns they have around data security in the next 12-24 months — from ransomware to deception technology investments, it must all be put on the table.
A comprehensive security implementation comprises a range of solutions that provide complementary functions, such as anti-virus programs, breach detection solutions, deception technology, encryption tools, and endpoint backup and real-time recovery systems. Any weak link in the chain can dramatically increase the chances of a breach, so it is essential that organisations utilise best-in-class solutions in each area.
Prepare, don't fail
Ultimately there are two types of companies. Those that have been breached and those that don't know that they've been breached. IT departments must be able to identify, mitigate, recover, and report breaches within 48 hours in order to be GDPR compliant — to keep the trust between them and their customers.
The ability to identify breaches, mitigate damage, and perform real-time recovery operations without sacrificing productivity is complicated. Employees are no longer office-bound, and neither is their access to corporate data. A lot of valuable data is now stored outside the confines of the traditional data centre. According to Code42's 2016 Datastrophe Study, almost 47 percent of it resides on endpoint devices such as laptops and tablets. In an attempt to streamline working processes, employees frequently make use of third-party cloud-sharing solutions (often referred to as ‘shadow IT’). As a result, the enterprise's cyber-defence strategy must take data mobility into account.
The best way to avoid potentially bankrupting fines is to roll out the right solutions. IT professionals should also focus on creating internal policies that promote accessibility and flexibility with approved solutions without locking the enterprise down to the point of stifling productivity. Failing to do this in the porous enterprise where there is no perimeter will only result in increased risk from insider threats as employees will find ways to work around the walls that are built.
Contributed by Nic Scott, MD UK & I, Code42