The value of legislation – avoiding the cost of a breach
March 14, 2017
With data breaches still in the news and GDPR coming ever closer, Teiss guest blogger, Jon Fielding, MD (EMEA) at Apricorn, provides some very practical advice about how to keep your organisation cyber secure.
Data breaches continue to make the headlines with news of lost or stolen devices a regular occurrence. While data protection is not a straightforward task, companies are trusted by their customers to follow basic best practices.
Despite this, a recent survey by Apricorn and Vanson Bourne found that 38 per cent of respondents believe they have no control over where company data goes and where it is stored. Organisations can struggle with enforcing data protection, putting confidential data at risk, but regulations can provide a framework for process, policy, implementation and auditing for compliance.
GDPR: Are you ready?
Compliance regulations are critical to safeguarding confidential data and the lack of awareness surrounding legislation is a common theme. To add to the already taxing list of compliance mandates, businesses now have just over 1 year to prepare for the introduction of the General Data Protection Regulation (GDPR): the European Union’s new data protection legislation will be implemented in May 2018.
The new laws will apply to any company, whether within the EU or not, if it is processing the personal data of EU citizens. And after Brexit, most industry experts expect that UK legislation will adopt most, if not all, of the GDPR to avoid any conflict for UK businesses.
Unfortunately, it would seem many businesses are still unaware of the impending regulation. Our survey found a distinct lack of awareness among UK companies when it comes to the GDPR requirements, with 24 per cent of the surveyed organisations not even aware of the GDPR and its implications.
On top of this, 17 per cent are aware of the regulations, but don’t have a plan for ensuring compliance.
Until the GDPR comes into force, the EU will continue to rely on the 1995 Data Protection Directive, which suffers from varying levels of enforcement across the EU. The GDPR will aim to ensure all countries comply with the same comprehensive controls so personal data of European citizens has an equal level of security and protection across each country processing that data.
Under the new rules, EU citizens will have much more control over their personal data:
The request for their consent must be explicit
The reason for collection of their data and how it will be used and stored must be clear
They have the right to demand their data in a portable format
They have the right to request that all their data is deleted from the system
Businesses must have systems and processes in place to comply with citizens’ rights and many will need to appoint a dedicated data protection officer.
Employees will also need educating about their responsibilities as they are often unaware of their role in protecting sensitive information, and unwittingly put confidential data at risk. Employees require adequate training, and necessary policies should be created and enforced, particularly when the data is taken beyond the network perimeter.
The cost of non-compliance
Whilst there is no immediate need to panic, the challenges UK businesses face with the GDPR are just around the corner. It would be prudent to start to prepare now and address areas we know will be required so that the foundations are in place once we have absolute clarity.
The onus of GDPR on businesses is significant. Non-compliance can come at a huge cost, with fines of up to 20 million Euros or 4 per cent of a company’s annual global revenue. Once confidential data is deliberately or unwittingly leaked, it can not only be a costly experience, made more so by the threat of additional fines from the Information Commissioner's Office (ICO), but can also cause irreparable reputational damage, and fines of this magnitude could easily put companies out of business.
Organisations must get their houses in order, but this is not a simple process, and the ownership of data is often an issue.
As part of the new GDPR requirements, businesses must demonstrate that they are limiting who is authorised and has access to certain information, and why. Employees require adequate education and necessary policies should be created and enforced to avoid putting company data at risk.
Businesses also need to consider how data is protected outside of their central systems, both on the move and at rest. If data is being transferred outside of the company or between systems, they need to research, identify and mandate a corporate-standard, encrypted mobile storage device and ensure its use is enforced company-wide through policies – such as locking down USB ports so they can accept only approved devices.
The IT department may also need to be able to automatically pre-configure and mass provision those devices to comply with their security policy, such as password strength, to facilitate fast roll-out to a large number of users.
Organisations should analyse the data they house and remove anything identified as unnecessary. They will also need to document exactly how data is processed, stored, retrieved and deleted through its lifecycle to pinpoint where data may be unprotected and/or at risk. This thorough analysis will then enable them to identify technologies, policies and processes that can remedy any shortcomings.
Employee education, data encryption, and policy definition and enforcement, which includes the deployment of corporate-approved devices, are all crucial steps in the move towards GDPR compliance and will help businesses avoid the true cost of a data breach.
Jon Fielding is the Managing Director of Apricorn in EMEA and brings extensive experience in growing companies in the EMEA market. Jon is responsible for the sales & operations strategy, driving revenue growth and establishing the channel network in the region.
Jon is CISSP certified and has been focused on Information Security for the past 18 years, working with a variety of organisations from IBM to security start-ups such as Valicert and Tumbleweed.
Jon joined Apricorn from IronKey, where he worked exclusively in the secure USB market, having established the IronKey office in EMEA 8 years ago as the first in the region. During his tenure, IronKey was acquired by Imation and then by Kingston.