GDPR – What Went Wrong?

By   Spencer Young
RVP EMEA , Imperva | May 27, 2019 01:30 am PST

A year ago, it seemed as if you couldn’t open a newspaper or business magazine without encountering the dread letters GDPR. So you’d expect businesses to have heeded the warnings, and implemented the systems and technologies they needed to avoid the swingeing fines applicable under the new regulations.

Not a bit of it. In fact, in the first six weeks following the imposition of GDPR, data breaches rose by 160 per cent. Teething troubles? Hardly. Recent research found a big spike in the number of cyberattacks in the year to-date, with 55 per cent of organisations around the world facing an attack – up from 40 per cent last year.

What went wrong? GDPR was one of the best publicised pieces of regulation in recent years, so no business can plead that they were ignorant or didn’t understand the risks of failing to prepare. Were those who gave warning modern-day Cassandras?

A more likely explanation is that organisations simply didn’t understand how best to keep corporate systems and data secure, or simply lacked the IT budget to put effective measures in place. This is certainly supported by the report’s evidence from the UK, where there was a significant fall in the number of organisations scoring top marks for cyber security. And little wonder: British firms had the lowest budgets of all the countries we researched, spending less than $900,000 on average compared to almost $1.5m across the survey, and joint-least likely to have a defined cyber security role.

How, then, can organisations protect themselves from future breaches and bring them in line with the provisions of the GDPR? The answer isn’t as simple as throwing money at the problem. Businesses must understand why they remain at risk of breaches and non-compliance, even when they’ve made significant investments in cyber security.

Often, the problem is one of mindset rather than technology. Organisations bet the farm on protecting the perimeter and neglect to look at threats within it. This is a double failure: it means they are slow to spot the warning signs of suspicious behaviour in corporate networks, and that they struggle to identify and report the breach within the 72 hours mandated under GDRP.

Without comprehensive, real-time oversight into nefarious activity within their networks, breaches can go undetected for weeks or months. This gives hackers free rein to plunder your data while also exposing your organisation to the maximum applicable fines for failing to report who’s been affected and how it happened.

Important as endpoint and perimeter security is, organisations must not neglect the data itself. They need the ability to identify and monitor every activity associated with enterprise data and thus to provide the context for any data breach that occurs.

This might seem like a Sisyphean task, and it is without the right tools. But the IT security industry has been focusing on just this problem in recent years, and has developed a huge range of tools to address it. These include database monitoring technologies, machine learning, data access processes and analytics.

Together, these systems enable any organisation to process many billions of different access events across their IT estate, and provide security teams with instant visibility into suspicious patterns of behaviour – crucial for identifying an attack that has managed to evade the perimeter. What’s more, they provide all the information needed to fulfil the requirements for reporting under GDPR, such as the nature of the breach and the likely impact it will have. Finally, they make it much easier for IT to take the necessary measures to address the breach and mitigate the effects.

Perhaps the biggest lesson from the last two years was that fear, uncertainty and doubt aren’t enough to nudge organisations into taking the measures they need to keep data safe. Instead, let’s focus on the solutions that will make all of us safer.