19 Dec Data protection in the age of BYOD and GDPR
We asked Daniele Màtyàs Tieghi, our CTO and Product Manager, to explain to us why every organization will have to enforce security policies and prevent data leaks before May 2018.
Why are businesses advised to reassess their data protection investments?
Since 2013 companies have had to face the increasing costs of cyber-attacks and data breaches. In 2015 the global cost was $480 million (approx. €405 million), in 2016 it was $3.1 billion, and the trend is dramatically increasing (some forecasts speak of $2.1 trillion for 2019). We know companies are beginning to worry, and governments are starting to focus on data protection and cyber security with new laws and legislation.
Over the past two years, we have witnessed exponential growth in cyber-attacks.
Take the phenomenon of ransomware, which has gone from being unknown to overwhelming, as evidenced by the WannaCry attack this May, which brought important infrastructure around Europe to its knees.
The major causes of this increased need for cyber security are various:
- It is becoming ever easier for malicious people to gain access to information, tools and methods on how to attack and hack systems
- The attack surface of systems is continuously expanding as we adopt increasingly more complex and heterogeneous systems and environments
Just think about Bring Your Own Device – BYOD – or the trend towards remote working. These are incredibly attractive to companies and users, but the advantages in mobility and cost-saving are counter-balanced by a significant fragmentation of systems, which are no longer under control (or are incredibly hard to keep under control).
What are the common pitfalls in data protection planning?
For most businesses, the most common pitfall in data protection is not a recent one; it is inherent to human nature and we see it in many contexts. We do not think about a problem until it happens to us. Think for instance of backups. Today I like to think that almost everybody has a backup of their most important data, if not of their whole systems. However, previously backup was not such a common practice: I know so many people and companies who had to learn the hard way the importance of backup, only after losing their data the first time.
Another common pitfall is thinking that “We have antivirus installed on every computer, we are secure”, but this is not even remotely enough protection. Yes, malware (viruses, spyware, ransomware) is one of the most common threats, but, depending on the value and sensitivity of the data and systems, there are so many more threats that it is really hard to be prepared for them all.
Where should a business’s data protection priorities lie as cyber threats escalate?
The topic is so vast that I would like to particularly address those businesses which are increasingly developing the trends of BYOD and remote working, or in any case those businesses in which there is a high need for security in mobility.
Modern organizations need to evolve their business in a hurry to be competitive and ready for market demands. Their employees constantly demand mobility and remote working, while maintaining high levels of security and privacy. At the same time, companies that can effectively and safely embrace these trends can get enormous benefits, both in terms of productivity and economically.
These organizations must adopt new and innovative approaches and tools to ensure cybersecurity and privacy, manage threats and achieve competitive advantages:
- Data Encryption (in all its forms): encrypt the whole hard drive, emails and communications; connect through VPN to the corporate network; browse the web anonymously;
- Open Source software: the adoption of Open Source Software gives you the opportunity to check every single line of the source code against infiltrations by “particular” organizations or fraudulent developers;
- Enforce Security Policies: adopt specific software to prevent data leaks or unauthorized copies of sensitive information being released on external drives or personal devices (if you read what happened to Heathrow Airport on the 29th of this October you know what I mean);
- Segregated Environments: a very good practice is to keep sensitive corporate data and applications completely isolated from the user’s;
- Backup and Recovery: adopt specific software to back up and encrypt your most sensitive and confidential information on a regular basis;
- Lower the costs from stolen or lost hardware: HW is a cost; a user who is unable to work is a cost; every hour that the technical staff takes to restore the normal operation of a user is a cost.
Unfortunately, the adoption of these techniques is slow and costly.
To encourage a focus on data protection in their BYOD environment, businesses are now looking for innovative solutions that enable them to achieve results easily and in a short timeframe, both in terms of increased security and privacy protection, as well as regulatory compliance.
What will happen in May 2018, when the General Data Protection Regulation will come into effect?
The General Data Protection Regulation – GDPR – will be enforced from the 25th of May 2018. It is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
GDPR brings a new set of “digital rights” for EU citizens in an age when cyber-attacks and data breaches are dramatically growing and the economic value of personal data is increasing in the digital economy.
This legislation compels organisations that process or hold personally identifiable information of EU residents to implement adequate security measures to protect against data loss, or they will have to face fines of up to €20 million or 4% of their annual global revenue.
This means a huge business impact for every small, medium and big organisation. They will have to change, and they will have to do it really fast, because they will have to guarantee data security through:
- The encryption of personal data
- The ability to ensure permanent confidentiality, integrity and resilience of the system
- The ability to restore and make available personal data almost in real time in case of theft or loss or accident
- Data portability
Every company that works with information relating to EU citizens will have to comply, making the GDPR the first global data protection law.