Tech firms are still ill-prepared for GDPR
With just weeks to go to GDPR, it seems that enterprises across Europe have still not got their security stance organised for new data laws
Imminent and tougher data regulations have not spurred businesses to improve their security stance, according to a new report.
The General Data Protection Regulation (GDPR) comes into force across Europe on 25 May 2018 and significantly toughens the laws and requirements around personal data. The regulation introduces two tiers of administrative fines: up to €10 million or 2% of the company’s global annual turnover for the previous financial year, whichever is higher, for infringements such as failing to keep processing records or to notify breaches, and up to €20 million or 4% of global annual turnover for the previous financial year, whichever is higher, for the most serious infringements, such as breaching the core data-processing principles or data subjects’ rights.
However, this sharp increase in financial penalties appears not to have had an effect: just 51 per cent of surveyed companies have invested in security products to prepare for GDPR. This is in spite of the fact that 25 per cent of them complained of insufficient protection and data security.
Ilia Kolochenko, CEO, High-Tech Bridge said: “Compliance is crucial – a fine for repetitive GDPR violation may even exceed a disastrous data breach in some cases. Cybersecurity should start with a well thought out risk assessment and risk-based cybersecurity strategy. Security policies, processes and procedures should be in place to properly enforce the strategy. Security testing of the most crucial systems needs to be performed in a 24/7 manner, otherwise hackers will almost unavoidably outrun you. Continuous monitoring for new risks, threats and vulnerabilities is quintessential to survive in the extremely hostile Internet environment today.”
Application security is a key area where personal data can be exposed accidentally through a host of issues: shadow IT, abandoned APIs, test subdomains, and decommissioned corporate applications suddenly brought back into production during disaster-recovery (DRP) testing, to name but a few.
High-Tech Bridge operates a vendor-independent application discovery service to uncover these applications, as well as the domains and web systems attributable to your company or its subsidiaries. Once identified, legacy, internal or otherwise inappropriately exposed applications can be placed behind two-factor (2FA) or other strong authentication, or firewalled to a specific range of IP addresses or to a single country via GeoIP, which quickly and substantially reduces their exposure to attack. A practical caveat: GeoIP restrictions shrink the attack surface but are trivially bypassed with a VPN or proxy in the permitted country, so they complement strong authentication rather than replace it. If the applications hold personal data, this could be the first step in avoiding a significant GDPR fine.
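The two steps described above, triaging externally discovered hosts against the asset inventory and then gating the ones that hold personal data behind an IP-range or GeoIP allowlist plus 2FA, as an added example in Python. This is not High-Tech Bridge's discovery service or any product's code; the hostnames, inventory, IP ranges and the tiny prefix-to-country table standing in for a GeoIP database are all constructed for illustration.

```python
"""Triage of discovered web hosts against an asset inventory, then an
allowlist decision for hosts that hold personal data.

Added example, not code from High-Tech Bridge or from the article. All
hostnames, IP ranges and the country table are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass, field

# Constructed inventory: what the business believes it runs, and why.
INVENTORY = {
    "www.example.com":       {"owner": "web-team", "pii": True, "status": "production"},
    "api.example.com":       {"owner": "platform", "pii": True, "status": "production"},
    "hr-legacy.example.com": {"owner": "hr",       "pii": True, "status": "decommissioned"},
}

# Constructed discovery output: hosts that actually answer on the internet,
# the kind of list DNS enumeration or certificate-transparency logs produce.
DISCOVERED = [
    "www.example.com",
    "api.example.com",
    "api-v1.example.com",     # abandoned API nobody inventoried
    "test.example.com",       # test subdomain
    "hr-legacy.example.com",  # decommissioned app reachable again after a DR test
]


def triage(inventory, discovered):
    """Return {hostname: reason} for discovered hosts that need attention.
    Inventoried production hosts produce no finding."""
    findings = {}
    for host in discovered:
        meta = inventory.get(host)
        if meta is None:
            findings[host] = "unknown host: shadow IT, abandoned API or test system"
        elif meta["status"] != "production":
            findings[host] = f"{meta['status']} app reachable again"
    return findings


@dataclass
class AccessPolicy:
    allow_cidrs: list = field(default_factory=list)     # explicit source ranges
    allow_countries: set = field(default_factory=set)   # ISO country codes via GeoIP
    require_2fa: bool = True


# Constructed stand-in for a GeoIP database: network prefix -> country code.
GEOIP = {
    ipaddress.ip_network("198.51.100.0/24"): "CH",
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("2001:db8::/32"): "CH",
}


def country_of(ip):
    """Look up the country for an address; None when the prefix is unknown."""
    for net, cc in GEOIP.items():
        if ip in net:  # ipaddress returns False for a v4/v6 version mismatch
            return cc
    return None


def is_allowed(policy, source_ip, mfa_passed):
    """Decide whether a request may reach the application.

    Network restrictions are evaluated first, so an unlisted source never even
    gets to present credentials; 2FA is then enforced on what remains.
    """
    ip = ipaddress.ip_address(source_ip)
    in_cidr = any(ip in ipaddress.ip_network(c) for c in policy.allow_cidrs)
    in_country = country_of(ip) in policy.allow_countries
    if (policy.allow_cidrs or policy.allow_countries) and not (in_cidr or in_country):
        return False
    if policy.require_2fa and not mfa_passed:
        return False
    return True


if __name__ == "__main__":
    for host, reason in triage(INVENTORY, DISCOVERED).items():
        print(f"{host}: {reason}")
    legacy = AccessPolicy(allow_cidrs=["198.51.100.0/24"], allow_countries={"CH"})
    print(is_allowed(legacy, "203.0.113.9", True))   # US source, refused
    print(is_allowed(legacy, "2001:db8::1", True))   # Swiss IPv6 source, allowed
```

The order of checks in `is_allowed` is deliberate: an unlisted network is refused before any authentication happens, which is what the firewall-first approach in the text buys you, while `require_2fa` guarantees that being inside the allowed range or country is never sufficient on its own.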
The report, from Trend Micro, also found that less than a third of companies (31 per cent) plan to invest in improved encryption, while only 33 per cent of firms have invested in data loss prevention systems. Shockingly, less than two-thirds of organisations (63 per cent) have integrated breach notification systems for customers, breach notification being a key plank of GDPR.
Even notifying regulators of a potential breach has not been accounted for in many cases: a mere 21 per cent of respondents have processes in place to notify regulators and customers about a breach within the 72-hour window that GDPR sets for reporting to the supervisory authority, and six per cent have no notification process at all. The Trend Micro survey covered more than 1,000 IT leaders across Europe.
The importance of GDPR to enterprise has been thrown into stark perspective by the recent revelations around Facebook and Cambridge Analytica, a scandal that may have far-reaching results in terms of consumer data awareness.
Mark Zuckerberg has apologised for elements of the scandal, telling CNN, "this was a major breach of trust and I'm really sorry that this happened". Facebook stock has plummeted over recent days, knocking around $50bn off the value of the company.
A study from PwC back in 2017 found that 87 per cent of customers would take their business elsewhere if they didn’t trust a company to behave responsibly, a premise that may well be tested more than once in the coming months.
Of course, it is not just customer-facing social networks that need to be aware of GDPR. One recent analysis found that businesses spent $50bn on data and analytics in 2016, which means that if one third of the consumers whose data that money bought invoke their right to erasure (the “right to be forgotten”, which is baked into GDPR), businesses would lose data worth more than $16.5bn.