Code42’s Nic Scott looks at how businesses should seek to revise their security strategies in order to avoid fines following the GDPR implementation.
If UK CSOs and CISOs approach 2018 with the assumption that their security strategy is fine, the consequences may be just that — specifically an £11m fine for the enterprise, and £13,000 for SMEs on average. In fact, the total financial penalty for organisations that fail to implement adequate data security measures could reach £122bn once the General Data Protection Regulation (GDPR) comes into force in 2018, according to the Payment Card Industry Security Standards Council.
What is more worrying is that these staggering figures are a conservative estimate.
They are based on data breach rates from 2015, which, if current trends continue, will have increased markedly by 2018. The predictions are based on the laws set out in the GDPR, which states that organisations can expect a fine of up to €20m or 5% of annual turnover if they fail to adequately safeguard customer data against a breach, or fail to report it to the supervisory authority within 48 hours. But businesses have been aware of the upcoming GDPR for months, and still have years to prepare, so why are the predicted non-compliance rates so high?
Banking on Brexit
Although the implementation of the GDPR has been pending for some time, it is an EU ruling that will affect member states only. As a result, it seems that the UK’s decision to ‘Brexit’ may have caused confusion amongst businesses as to whether the legislation will still apply to them. The answer is a resounding ‘yes’.
Regardless of the eventual terms of Brexit, the UK may not split from the European Union entirely until as late as 2020, depending on when Article 50 is invoked. During the transition period, the UK will still adhere to EU laws. This means there will be a crossover of at least one year (2018) where Britain is still bound by EU legislation, including the GDPR.
Furthermore, the UK is highly likely to negotiate a new trade deal with the EU once Brexit has been completed. In doing so, it is almost certain to require adherence to data protection standards of at least GDPR level. Therefore, making the requisite adjustments to a data security strategy represents a wise investment for any UK organisation.
It is also noteworthy that any initial outlay on improving data protection would be minimal by comparison to the financial and reputational costs that a breach can incur — prevention in this case is always much cheaper than a cure.
Solidifying data strategy
According to Code42’s 2016 Datastrophe Study, in which over 400 UK IT decision makers (including CIOs and CISOs) were surveyed, 50% of them acknowledged that the security measures they currently have in place will not be enough to meet GDPR standards. Therefore, the first thing that CIOs and CISOs need to do in order to become GDPR-compliant is to identify vulnerable areas of their security stack, and upgrade them accordingly.
A truly comprehensive security implementation comprises a range of solutions providing complementary functions, such as anti-virus programs, breach detection solutions, deception technology, encryption tools, and endpoint backup and real-time recovery systems. Any weak link in the chain can dramatically increase the chances of a breach, so it is essential that organisations utilise best-in-class solutions in each area.
Be prepared for the worst
Unfortunately, given the rapid evolution and widespread nature of online threats, most businesses will suffer a breach at some stage. This means that security professionals must be prepared for the worst. In such a worst-case scenario, IT departments must be able to identify, mitigate, recover, and report breaches within 48 hours, in order to be GDPR compliant.
The ability to identify breaches and mitigate damage is complicated by modern working habits, and the ways in which employees access corporate data. Much of it is now stored outside the confines of the traditional data centre, on endpoint devices such as laptops and tablets. In an attempt to streamline working processes, employees frequently make use of third-party cloud sharing solutions (often referred to as ‘shadow IT’). As a result, the enterprise’s cyber defence strategy must reflect this shifting trend towards mobile computing.
So how best to avoid potentially crippling fines? The GDPR is inevitable, so roll out the right solutions, and educate your employees to be security-savvy. Pre-empt shadow IT by developing internal policies that promote accessibility and flexibility. And ensure you have complete visibility over your data, wherever it resides.