Greg Day, chief security officer for the Palo Alto Networks EMEA business, outlines a clear four-point strategy for businesses to prepare for GDPR in 2018.
As we’ve long passed the 12-month countdown for organisations needing to be ready to comply with the European Union’s General Data Protection Regulation (GDPR) in May 2018, it is vital that businesses across Europe are aware of the implications this legislation will bring across their entire business, beyond just the security teams. Not only that, but they must also understand what can be done right now to be compliant in time, and avoid the hefty administrative fines associated with non-compliance.
With less than a year to prepare, there is an increasing pressure to review, change and test systems to make sure your organisation has the visibility it needs, and a robust set of controls and processes in place. There are several ways in which businesses can prepare themselves ahead of May 2018.
1. Understand the legislation
GDPR is significantly different to the previous 1995 Data Protection Directive, with much more stringent rules being implemented to protect the personal data of EU residents. It has widened its scope to include companies that are based outside the EU too, if they offer goods or services to EU residents or monitor the behaviour of EU residents that takes place within the EU. This means there are many more companies that need to understand exactly what is involved.
Data security is the cornerstone of GDPR; securely processing personal data and being able to act the moment a data breach has occurred means legacy security systems just won’t cut it anymore. These security systems, made up of cobbled-together point products, have proven inadequate to prevent the rising volume, automation and sophistication of today’s cyberattacks. Organisations must take into consideration more modern technologies and practices when deciding how to mitigate the risks associated with needing to ensure data protection.
The need for a more comprehensive approach to cybersecurity has never been greater as this new regulation raises the bar on corporate responsibility. Taking a fresh view of state-of-the-art security technology can help with organisations’ security and data protection efforts related to regulatory compliance by assisting in securing personal data at the application, network and endpoint level as well as in the cloud. It can also assist in understanding what data is compromised if a breach does occur but, above all, it will help organisations prevent successful data breaches from happening in the first place.
2. Understand personal data within your business
Start at the beginning. Before you can make sure your personal data management, collection and processing are in line with the GDPR’s requirements, you need to understand how that data is currently being used within your organisation. Inevitably, your business will have been gathering a huge volume of personal data, just through its day-to-day operations. As well as the value this can bring to your business, it also carries risks. If any personal data that you hold relating to EU residents is lost, stolen or compromised, that will need to be reported in most cases.
‘Take advantage of GDPR as an opportunity to do a thorough spring clean. Validate that everything is not just fit for use today, but that you have capacity and the ability to adapt to future threats’
Data security is central to GDPR and you can’t protect personal data without keeping it secure. Make sure you understand how personal information is processed throughout your business as well as the applications employees use to do this. Only then can you have a clear picture of what controls are necessary to secure and protect this data.
GDPR requires companies to make sure their cybersecurity capabilities are “taking into account the state of the art” (Article 32). Cybersecurity leaders need to take the time to establish that this is the case within their organisation and, if it isn’t, they need to understand how they can get this up to scratch. Given the complexity of modern networks, you need to make sure this is true at the application, cloud, network and endpoint levels.
A good place to start is with legacy systems, which should be reviewed carefully to determine if they meet the state of the art. Remember that, with GDPR, the onus is on the business to implement the right technology that is capable of dealing with a modern, super-dynamic threat landscape. Take advantage of GDPR as an opportunity to do a thorough spring clean. Validate that everything is not just fit for use today, but that you have capacity and the ability to adapt to future threats.
3. Prioritise your people
You need to ensure that the entire IT team is equipped with skills to understand and comply with the regulatory requirements. The threat landscape will continue to evolve and the pace of change isn’t going to slow down. You need a team that has the skills to maintain and apply an adaptive cybersecurity ecosystem, and work at the same speed, if not quicker, than an attacker. The challenge here is that many companies still lack skilled cybersecurity people, and finding and retaining this talent is going to get tougher.
If you can see knowledge or capacity gaps, assess how much cybersecurity technology solutions can provide the necessary automation and intelligence to make a difference.
‘From the legal department to the business team, to the marketing team and engineers, you must ensure data privacy is put into practice across the whole organisation’
GDPR will have an effect across your business, so you need to make sure that everyone is involved. From the legal department to the business team, to the marketing team and engineers, you must ensure data privacy is put into practice across the whole organisation. Get them involved in test runs and cybersecurity fire drills to make sure they are aware of their role in maintaining compliance.
4. Put prevention first
According to the latest Ponemon Institute’s Cost of Data Breach Study, the average total cost of a data breach is $3.62m. Considering that 47pc of all data breaches in 2017 were caused by cyber-criminals, similar attacks could significantly harm your bottom line as well as damage your company’s reputation, which could lead to loss of customers. According to recent Palo Alto Networks research, a European IT security professional typically deals with three cybersecurity incidents per month and, on average, one in three of these have a commercial impact on the business. So, preventing this from happening in the first place is the only strategy that makes sense. GDPR leaves no wiggle room for reactive methods.
A data breach could come from a proactive attack or an internal leak. In both cases, good cybersecurity starts with taking a strong preventative security posture. Maintaining state-of-the-art cybersecurity capabilities means that organisations need to understand the threats out there and the cybersecurity capabilities that can counter and prevent them.
You may be called upon to demonstrate compliance with the security requirements of GDPR. If you’re asked to, can you prove to your own business and others that you are effectively aligning current best practice to the risks you face? Can you show that you have accounted for the state of the art? What processes, metrics and technology exists in your business to be able to show this? There is a huge amount of threat research out there that you can use to take action against known threats. You need to make sure that users only have access to the applications they need to reduce your attack surface.
Strict but not impossible
GDPR is undoubtedly strict, but becoming compliant isn’t an impossible task. It’s vital that the importance of personal data breach prevention – one of the key tenets of GDPR – is understood across your business, and you can’t comply without the full support of all the teams across the organisation. You need to secure personal data across the application, cloud, network and endpoint levels or you won’t be able to prevent breaches.
GDPR applies to any company that controls or processes the personal data of EU residents, and the strength of the legislation absolutely makes compliance a board-level concern. If you fail to comply, there could be a very hefty fine on the line. By following the above steps, you can prepare for key aspects of the new law well ahead of the deadline of May next year.
By Greg Day
Greg Day is vice-president and chief security officer, EMEA, at Palo Alto Networks. Day oversees the regional security operations of Palo Alto Networks and is responsible for regional cybersecurity strategy and the development of threat intelligence, security best practices and thought leadership across EMEA. With 25 years’ experience in the area of digital security, he has helped organisations to understand risk posture and put strategies in place to manage it.