1 June 2018
The European Union’s General Data Protection Regulation (GDPR) is now in effect. GDPR has been a source of continuing difficulty and discussion for businesses around the world, but ready or not, the regulation has arrived and companies are now obligated to meet new data handling, disclosure and compliance standards. Here’s a look at some of the top GDPR stories published this May.
While enterprises may not be fully prepared for GDPR, there’s no time like the present to gear up for potential compliance challenges. Cindy Compert, Distinguished Engineer and IBM Security’s chief technology officer (CTO) of data and security and privacy, suggests that companies can shore up their GDPR compliance outlook by considering the following:
Pre-GDPR, the ICANN WHOIS database provided readily accessible information about registered domains, including owner contact information, availability and registered company. Under current interpretations of GDPR, however, access to this database will be significantly restricted for both security professionals and automated processes associated with security, making it harder for security researchers to track threat origins and discover causal links.
Even with GDPR now in force, many companies struggle to secure critical data. In fact, nearly one-quarter of all internal work folders are accessible by all employees within an organisation — and almost half of companies surveyed had 1,000 or more sensitive files open to everyone on staff.
What’s more, many “ghost” users, employees who leave the company or move to a new department with different responsibilities, can still access critical files. Under GDPR compliance rules, this is a problem. Enterprises need to know who has access and demonstrate that this access meets new privacy expectations.
In addition to “ghost” users, more traditional insider threats remain a critical concern for organisations. Under GDPR, however, the stakes are much higher. If staff maliciously or accidentally expose consumer information, the disclosure requirements alone could cripple corporate finances, to say nothing of assessed penalties and fines.
As a result, it’s critical to evaluate two key areas:
Despite insider threat worries, privacy concerns and issues with WHOIS, IBM Security and the IBM Institute for Business Value’s new report, The End of the Beginning: Unleashing the Transformational Power of GDPR, found that the majority of business leaders see the new regulation as an opportunity for innovation. Eighty-three percent of business leaders agree that security and privacy are now key business differentiators, and companies on the leading edge of GDPR believe it will create new opportunities for data-led business models and data monetisation.
This dovetails with the findings of the IBM Cybersecurity and Privacy Research survey, conducted by The Harris Poll on behalf of IBM, which reported that 75 percent of consumers would not buy products from companies they don’t trust to properly secure their data.
Put simply? While complex and time-consuming, the shift to GDPR may drive long-term business benefits as public privacy perception shifts.
Indeed, many companies see GDPR as a benefit rather than a burden. Why? Because you can’t protect what you don’t know. Companies can’t defend critical data if they don’t know where it’s located or assure regulators that systems are secure when they aren’t sure if applications are patched or hardware has been updated — and the GDPR provides ample incentive to clean house.
The result is a need for improved cybersecurity strategy. This starts with auditing corporate networks to determine what’s working, what isn’t and what needs to change.
For enterprises, GDPR offers a chance to take stock of current data-handling practices and implement changes that enhance both overall compliance and long-term ROI. While some regulations, such as the approach to WHOIS data, are still a work in progress, the GDPR compliance show puts subpar practices on notice and has the cybersecurity world watching to see what happens next.