The looming General Data Protection Regulation (GDPR) poses a significant concern for U.S. firms, given the high standards it sets. Gartner research predicts that less than 50% of the US companies subject to the rules will be fully compliant by the May 2018 implementation deadline.
Under the upcoming GDPR requirements, companies must safeguard data throughout their IT environments, including networks and the various cloud resources they use. To do so fully, they will need strong encryption that covers the many activities involving files and hardware, from sending sensitive content via email to copying it onto a USB drive. In each case the encryption should provide ample protection, because an unauthorized person cannot recover the plaintext without the proper key.
Today’s encryption technology is both mature and readily accessible, and not using it to combat the risk of data breaches is inexcusable. Many IT managers and high-level executives still believe that a firewall and anti-virus solutions leave their organization completely protected. While these measures have proven highly useful, fully complying with the GDPR provisions requires the extra layer of protection that an enterprise encryption strategy provides.
The primary problem with encryption strategies is that they largely do not exist. Companies often do not see encryption as an essential need, despite the risks of storing and utilizing sensitive data within various systems. News articles aren’t filled with reports of hackers stealing encrypted data. Firms that do not encrypt sensitive information are simply easier targets.
Breaches of sensitive data are usually linked to human error or insiders, not dedicated hackers that break firewalls or sophisticated antivirus protections. These errors can be a phishing scheme that prompts an employee to download a file, a problem in system implementation, or simply a lack of knowledge or training that opens a gateway to intrusion.
Uncovering the Roadblocks and Misconceptions
There is a perception problem with encryption: companies consider it a time-consuming process that is not worth the effort when weighed against the perceived risk of being hacked. The “it won’t happen to us” mentality is pervasive, despite industry predictions that cybercrime damages will cost the world $6 trillion annually by 2021 (according to Cybersecurity Ventures). Whether a firm believes its current safeguards are sufficient or that hackers won’t target its business, it avoids encryption until it is simply too late. Such firms are not performing the usual risk/reward analysis an organization should apply when weighing the value of its data against the downsides of a breach.
Encryption is also not as mysterious and complex as many believe. It involves transforming data into a different form that requires the correct key to read, share, or edit. The most advanced methods use data segmentation and multilayer, multi-algorithm technology, which provide significantly more protection than a single algorithm and key. Organizations should look for providers that offer such future-proof strong encryption, able to keep pace with increases in compute power and hacker sophistication. When this hardened encryption is combined with strong multi-factor authentication, the data becomes a very uninviting target for any cybercriminal.
Another misconception, besides the time required for implementation, is that encryption will slow down systems and environments, making it difficult for teams to access needed data in a timely manner. An experienced encryption provider will offer technology that layers and segments existing encryption to make it many times stronger without slowing the network. Encryption should be viewed as part of an organization’s overall cybersecurity strategy and simply as a “cost of business,” like many other essential services.
Handling the Regulations
Companies are naturally averse to change. In the financial sector, adoption of the “chip” on credit and debit cards has been slow despite its security advantages. Moving to a more secure data environment that requires encryption and better training will take time, but it is a must for any company that wants to protect its brand.
Managing current and upcoming regulations such as GDPR requires subject matter expertise that is best drawn from managed services providers. Using an outside vendor allows firms to focus on business strategy, marketing, and other efforts without constant worry about protecting intellectual property or sensitive customer data.
Best-of-breed providers offer solutions designed to work within the customer’s existing environment. When the solution is agnostic to that environment, it fits within any constraints and will not slow down the data. Firms that use encryption are simply taking an extra step to protect their data and network with an additional layer that is processor friendly and has no adverse effect on speed.
Improving Awareness and Training
Companies that want to improve their data security should implement encryption and shore up their training efforts. Many breaches stem from human error, and in many cases the employee or vendor is not acting maliciously; they simply lack awareness. Frequent training sessions are essential to show staff the full range of steps they should take to improve data security, including password generation and best practices, as well as guidelines on what they should click, create, and download within the network environment.
Every large organization should employ a managed services provider to conduct training and perform a periodic audit of how well the staff is following established security processes. The creation of an “awareness test” that scores staff on their understanding of the security protocols is a sound way to ensure compliance and competency.
Employees are trained to put sensitive papers in a vault or locked filing cabinet, and the last employee to leave is expected to lock the doors for the night. These are basic rules and requirements, yet often nothing comparable is done to protect a company’s digital intellectual property. Cybersecurity preparedness should receive the same level of attention and awareness within the enterprise.
Moving Forward
Many IT managers and executives are likely panicked by GDPR and regulatory compliance; however, it is important to see regulations as well-researched guidelines that give companies a helpful roadmap for protecting the business and its customers. Enterprises have unfortunately become lazy about managing their data and understanding who has access to the information in their environment. They move too fast to develop analytics and other solutions that expose data, and then suffer a breach that often goes undetected for months. Compliance regulations will keep coming as long as companies do not proactively protect their data themselves. Hardened encryption and authentication strategies can help break this cycle and provide firms with future-proof compliance that protects their business.
About the author: Richard Blech
The opinions expressed in this post belong to the individual contributor and do not necessarily reflect the views of Information Security Buzz.