The clock is ticking. Eighteen months may sound like a long time, but to rethink and enhance an enterprise’s security measures, it is not long at all. Since the European Parliament approved the enactment of the EU General Data Protection Regulation (GDPR) on the 14th April 2016, every CSO and CISO in the UK needs to be acutely aware that failing to follow it can be a very costly mistake. Breaking the GDPR rules could quite easily break the bank, with fines of up to €20m or 5% of the company’s annual turnover.
Recent research from The Payment Card Industry Security Standards Council states that once the GDPR comes into effect in May 2018, the total fines for organisations in breach of the regulation could reach a total of £122bn. These figures are based on the assumption that breach levels will remain the same as 2015, and would result in average fines of £11m per affected enterprise and £13,000 per affected SME.
While the government debates the enactment of Article 50 and prepares the final plan for Brexit, big companies and financial institutions are reconsidering their future in the UK. However, regardless of the wobbly political stance, UK organisations should not lose sight of an equally as pressing issue—information security–and prepare for the GDPR deadline sooner rather than later. Organisations that bury their heads in the sand and hope the GDPR will not apply due to Brexit will be disappointed, as the current likelihood is that Britain will still be part of the EU when the legislation is introduced.
Those organisations relying on the £1.9bn budget announced by George Osborne last year to fight cyber crime might have to think again and not perceive this as a safety net. The Office of National Statistics suggests that there were still 2.46 million “cyber incidents” in 2015, with 90% of large organisations supposedly suffering a security breach in 2015, while among SMEs the figure was 74%. With 2016 looking to be on par, if not higher than this number, it is truly a matter of when, not if, an organisation is breached. If the GDPR succeeds in reducing this number, there is a strong possibility that it will be taken into account when preparing future British legislation for the handling of sensitive data, once the UK finally leaves the EU. In short, the GDPR, or legislation like it, is around to stay.
Better safe than sorry
As Brexit’s terms are still being discussed, EU rules for the here and now continue to apply. Therefore, it is important for CSOs and CISOs to develop a comprehensive security strategy, built around the responsible handling of data, to reduce the risk of losing both customers and profit should a breach occur.
Unfortunately, there is still a demonstrable lack of interest or concern in GDPR-compliant data security from an organisational perspective. The 2016 Datastrophe Study highlights that 50% of 400 surveyed UK IT decision makers (including CIOs and CISOs) confessed that the their company’s security measures are not fit to pass GDPR legislation. Much of this has to do with the time that it takes to address IT security breaches. It can be a stressful undertaking to identify and report the root cause of a breach within 48 hours as the GDPR stipulates.
Solutions — everything is within reach
In today’s highly mobile work environment, it is vital to ensure that all corporate and customer data is safe, wherever it resides. Fortifying employees’ endpoint devices with a dedicated endpoint backup and real-time recovery solution is a great way for the IT department to help identify the source of a breach quickly, with advanced endpoint monitoring tools. This will go a long way to hitting that all important 48-hour window.
The flexibility of mobile working brings benefits, but also can also widen the open door for ransomware and other malware. People working from home or on their way to the meetings often connect to corporate networks from a variety of locations and devices, which leaves them vulnerable to malicious actors. The IT department cannot entirely compensate for human error. People might connect to an unsecured network or accidentally download malware that looks like a harmless attachment. In these instances, with an endpoint recovery solution in place, users adversely affected by ransomware or malware have the capability to revert back to the point in time before the breach and access their restored files quickly and easily.
This kind of identification, the analysis of threat patterns and swift remediation undoubtedly requires work but with the right combination of an advanced suite of security tools, coupled with a forward-thinking information security policy, businesses won’t have to fear the GDPR, but can simply embrace it instead.