With consumers’ personal data being compromised on a near daily basis, it is unsurprising that the EU is preparing to get tough on businesses that do not protect their customers. The result is that as of May 2018 any company handling the data of EU citizens must comply with EU General Data Protection Regulation, which demands that companies collecting, using and storing personal data must have adequate protections and controls in place.
However, despite it being more than 12 months before the regulation comes into play, companies are already being urged to ready themselves. Indeed, there has been a huge uplift in the number of Google searches for GDPR over the past 12 months and it is no wonder with fines large enough to kick any enterprise into action. Businesses that fail to comply with the terms of GDPR will face fines of up to €20m or 4% of their global annual turnover – whichever is higher.
Unfortunately, the reality is that right now, companies do not have the security systems in place to meet GDPR requirements. Not only that, it’s actually the entire approach to security that needs to change. To put it into perspective, let’s consider how some of the companies that suffered the biggest hacks of 2016 would have fared had GDPR been in force.
Anything but fine
The Tesco Bank breach brought home to UK consumers the reality that even banks are susceptible to cyber criminals. As if the task of regaining the trust of their customer base wasn’t enough, under GDPR they would have faced fines of up to £1.9bn.
Telecom operators are a gold mine for hackers. Not only do they sit on a mountain of customer data but offer hackers an opportunity to see their work hit the newspaper front pages. Three suffered at the hands of hackers just a few months ago, and had GDPR been in effect its parent company, Hutchinson Whampoa, may have been forced to write a cheque for $2.2bn as a result.
Before those with operations outside the EU breathe a sigh of relief, any company handling the data of EU citizens will need to comply with GDPR, which would have been particularly bad news for Yahoo! Having revealed it fell victim to the biggest cyber-security breach of all time, it would have seen fines of up to 4% of its global revenue – $198 million. As if that wasn’t enough, it is no wonder Verizon is now seriously considering its acquisition of the internet giant, as had the merger gone through, it would be looking at hypothetical fines of $5.2bn.
Need to know
So, with fines large enough to put the fear of Jean-Claude Juncker into the heart of every CISO it follows then that businesses are asking how do they go about protecting themselves.
The key to safeguarding data in line with GDPR, is that security needs to move away from trusting every member of an organisation by default, and instead operate on a ‘need to know’ basis. The unfortunate reality is that, maliciously or otherwise, people are the weak link in the security of every organisation and offer the most common in road for hackers. As part of the move to prepare for GDPR enterprises need to move towards a ‘zero trust’ mentality, which assumes that every user could be compromised. As such users must be granted access to only the information they absolutely ‘need to know’ to do their jobs.
The second part is to ensure that all data, from end to end, is protected. Using data-in-motion encryption an organisation ensures that even if they are compromised, a hacker is severely limited in terms of what they can access and how they can move across the network. This vital process is currently missing from the cyber security strategies of even the largest enterprises and is why we continue to see data breaches that affect millions and millions of consumers.
There is no doubt that the next 12 months will see conversations about GDPR increase in frequency and urgency as organisations prepare. However, it is vital that enterprises understand the shortcomings of the current cyber-security model and look to address them. Failure to do so will have a profound and costly impact on their business.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.