Chris Waynforth at Imperva explains how, three years on from GDPR, visibility and control remain crucial prerequisites for minimising risk
It’s three years since the biggest shake-up to Europe’s data protection laws in a generation took effect. The General Data Protection Regulation (GDPR) is now the world’s prime privacy regime, spawning similar legislation worldwide and striking fear into the hearts of CEOs across the globe.
Yet in spite of the punitive potential fines, data breaches and leaks are still happening on a massive scale. There’s clearly a lot more work to do for corporate cyber-security and risk management leaders.
The first focus of their efforts must be securing data, especially from the impact of data breaches. But privacy tools are also needed to streamline compliance and enhance protection. Knowing what data you have, where it is, and who’s accessing it at all times is an essential first step.
A new era of data protection
The GDPR heralded a new wave of consumer awareness of the power and value of personal data. It also sparked data protection legislation in over 100 countries, most notably the California Consumer Privacy Act (CCPA). Many of these new laws include rights to be forgotten, to rectify errors and to port personal data, which put extra strain on organisations’ IT systems and compliance teams. Data Subject Access Requests, for instance, are an additional burden on organisations, particularly as they are an almost entirely manual process.
The PPI scandal in particular added to the sheer volume of these requests and their impact on organisations by setting a deadline for making complaints, alongside the already stringent statutory 40-day limit. Given that manually processing these types of requests can cost upwards of $240,000 per million records, this can have far-reaching consequences for organisations.
Today, 83% of consumers expect to have control over how businesses use their personal information, and such expectations will only grow as awareness of these new rights does. Organisations can’t sit this one out and hope it blows over. This is most definitely the new normal.
Is GDPR working?
The new regulatory climate isn’t just forcing organisations to improve their compliance processes for data access, portability and erasure. It has shone an uncompromising spotlight on data protection capabilities. Data breaches could lead to astronomical GDPR fines, and require regulatory notification within 72 hours. That should be enough to concentrate the minds of any CISO.
Best practices in this area are well understood. Yet over the past year new challenges have complicated matters. Mass remote working brought redirected budgets, delays to IT security projects, and new threats. Rolling out cloud apps and infrastructure to support home working and new business processes also expanded the corporate attack surface. Threat actors responded with typical agility to target vulnerabilities in web applications and VPNs, steal RDP credentials, and phish distracted home workers.
The headline figures might appear to show GDPR is working. The ICO’s most recent incident trends report reveals the total number of reported data breaches fell 26% over the past two years to reach 2,425 by the end of March 2021. But this may be misleading – fines are reaching new records and the total levied is increasing year-on-year.
Other industry figures show that breaches are still occurring on a massive scale. Imperva research reveals that attacks leading to data leakage have increased 557% over the past 12 months, and are up 74% since the beginning of 2021. We also have data confirming that personally identifiable information is the top target for attackers, accounting for more than 75% of data stolen in breaches.
The problem with bad bots
The ubiquity of malicious automated scripts known as “bad bots” is also compounding the challenge. Our latest Bad Bot Report reveals that traffic from these machines comprised a quarter (25%) of all website traffic in 2020, performing a range of activities including, particularly insidiously, web scraping. Despite being classified by OWASP as an automated threat, the practice occupies a legal grey area currently being contested by LinkedIn and hiQ. Public-facing data on an organisation’s users could be stitched together, aggregated and weaponised by malicious actors in the future.
What happens next?
Major breaches can have serious financial and reputational implications for victims. Efforts to mitigate these data security and privacy risks should begin with gaining visibility into existing internal processes, people and data.
Successful data security starts with understanding what you have, how it’s being used, and who can access it at all times, then applying the appropriate risk-based controls. Less is more—so try to consolidate providers and gain that visibility from a single platform for managing, securing and reporting on all corporate databases, on-premises and in the cloud.
Look out for AI capabilities that can baseline normal behaviour to more accurately detect suspicious activity, feeding into SIEM and similar tools for proactive detection and response. Also consider ways to block automated malicious bot activity.
Enhanced data privacy programs also start with visibility and control. By understanding what regulated personal information you hold and where, and who is accessing it in real-time, you stand a better chance of spotting non-compliance. Then, aim to automate and streamline workflows for subject rights requests, removing cost and human error from what are often manual processes.
The auditor’s favourite question asks you to prove that privileged users have not jeopardised the integrity and/or privacy of your sensitive data. Can you confidently answer that question?
Chris Waynforth is AVP Northern Europe at Imperva
Main image courtesy of iStockPhoto.com