Governments are playing catch-up across the world. Data privacy breaches from large tech companies, such as Nintendo and Marriott, are becoming more commonplace—and as a result are putting pressure on authorities to introduce stricter compliance policies to safeguard the public. As such, IT pros who live in countries that have implemented policies, such as GDPR, PCI DSS, HIPAA, and DPA, are now impacted on a day-to-day basis.
Today more than ever, IT pros are being forced to think about data governance and the assets that need to be protected. Despite the headaches that might come with it, IT pros see the value in regulation. The SolarWinds IT Trends Report 2020: The Universal Language of IT revealed that 52% of participants see security and compliance as a major influence on staffing requirements. In addition, nearly half said regulation has resulted in reduced risk for their IT department.
There are many ways to comply with regulation, which is increasingly revolving around the zero-trust philosophy. But whatever the approach, compliance requires detailed access monitoring, particularly for those with access to critical and sensitive data. And beyond this, automated solutions can turn compliance from an inconvenient box-ticking exercise to a slick and simple part of IT operations.
Hackers are the foremost threat to compliance?
May 25, 2018, will forever be etched into the IT history books as the day when the European General Data Protection Regulation (GDPR) was finally implemented. Some believed it would be the end of the world as we knew it, but life goes on, and businesses can’t hide under a blanket pretending it’s not real.
Enterprises have been encouraged to scale up their cybersecurity efforts. The reputational threat of data breaches and ransomware attacks is not the only hit the business risks; if a data breach occurs, an organization could also face consequences, like a hefty fine that could be a potentially devastating blow to bottom lines. To some extent, cybercrime is a precursor to compliance, especially when it comes to targeted attacks.
GDPR has given threat actors a bargaining chip and the upper hand. In some cases, they may use the regulation to their advantage by engaging in data breach campaigns that extort businesses, with the hope companies would be more likely to pay a ransom than face regulatory repercussions. Even low-level threat actors could take advantage by conducting fake extortion campaigns, making a company believe they have been breached.
It’s been reported that these sorts of negotiations are now happening all over the world—sometimes for significant sums of money—and that it is happening against the advice of law-enforcement agencies, including the FBI, Europol, and the UK’s National Cyber Security Centre.
Last year, we also saw Oxford University student James Pavur steal data through GDPR requests. He demonstrated at the Black Hat conference in Las Vegas how he was able to gather his fiancée’s PII from multiple organizations using GDPR subject access requests (with her permission, of course).
For those organisations unsure whether compliance or security should take priority, the first step is to ensure privacy is truly baked into systems by reducing risk and blocking unlawful access to critical data.
Combat insider threats—zero trust
While it’s important to look outside for risks, it’s also crucial to look inwards. Forrester Research introduced the zero-trust concept in 2010 in response to a growing realisation—the traditional “moat and castle” defensive strategy was not working. While it made sense to bolster firewalls and point the finger at bad actors, it became more apparent that data risks can also originate from employees having access to data they shouldn’t. According to the 2019 Data Exposure Report from Code42, 50% of breaches came from an organisation’s own employees.
In addition, Verizon’s 2019 Data Breach Investigations Report found that nearly a third of all data breaches are the result of malicious or accidental threats from within the business. This number fluctuates from sector to sector. For instance, in healthcare, insider threats account for over 60% of all data breaches, most of which are accidental.
It’s the unnecessary mistakes that end up costing businesses the most. The good news is these mistakes are avoidable. By analysing user authorisation and only permitting access to the necessary data, organisations can easily remove the threat before it occurs. And as we head into a challenging period of recession, with profits drying up in places, it’s crucial to align IT budgets—specifically security investments—to ensure the risk is mitigated, and businesses are protected against further losses.
What’s more, with so many employees working at home on existing and new devices, an increasing number of access points to data create a bigger risk than before. In many circumstances, this is exacerbated by multiple family members using the same device, including children during periods of home schooling.
More than just box-ticking
It can become easy for businesses to adopt a culture of box-ticking, conducting the bare minimum to simply get by and be compliant. However, not only does this leave the business open to potential vulnerabilities, it also discounts many benefits.
By taking a truly strategic approach and aligning compliance with business objectives, organisations will hold much better control of data. This model will enable businesses to realign their people, processes, and technology to maximise both the protection and value of information. Not only will this help reduce burden on the business, it will also shift the perception of compliance from a box-ticking exercise to a value-add for the business.
Make compliance an asset
In the first six months of this year, businesses around the world, across all sectors, have had a huge amount to contend with. While it’s difficult to predict what’s coming for the remainder of 2020, one thing is certain—security remains top of the agenda. Ensuring compliance must remain a priority. A working-from-home culture is set to continue for many organisations—at the very least, we’ll see a hybrid approach. For this reason, IT teams must have full visibility of employee access rights and data management. Only then will IT pros understand how to leverage compliance for the betterment of business.
Ultimately, this will help prevent IT pros from having to play catch-up. Regulation will change and is likely to become even more stringent. The EU are already battling with big tech to impose international digital taxes and accountability for what they do. Given that it’s inevitable, it’s time to view compliance as an asset. IT pros should consider repositioning themselves as compliance experts and consultants. It’ll be this approach that transforms the view of compliance from a burden into benefits for the business.
Contributed by Sascha Giese, Head Geek™, SolarWinds