What’s in a name? When it comes to cyber security and public policy specifically, the answer appears to be: quite a lot. It announces opinion and cements commitment. The most recent example is of course “Privacy Shield,” the new regulatory framework struck between the EU and the US this month.
For background, Privacy Shield is the replacement deal for Safe Harbor, the longstanding data agreement between the two trade blocs — until the European Court of Justice struck it down in one fell swoop in October 2015.
In many ways, Privacy Shield is the opposite of Safe Harbor. While the latter permitted the transfer of data from European citizens to the US without much regulation, Privacy Shield aims to make US tech giants responsible for how they handle Europeans’ data. This means more regulatory bodies, an open complaints process for citizens and ultimately more legal scaffolding for US companies operating in Europe.
However, it’s also a rushed agreement, put together by regulators while under constant pressure from tech companies. Data transfers will still be allowed, but under the promise of regulation. Whether Privacy Shield comes into force or not is in the hands of data protection bodies for EU member states, who will decide whether to accept the framework, probably by the end of April.
While the introduction of Privacy Shield is positive, businesses need to look beyond this and take a broader approach to data protection. The name “Privacy Shield” smacks of a “superhero.” It brings to mind a hefty piece of armour, hovering over the Atlantic Ocean to protect European citizens’ privacy. But it does suggest that businesses believe that cyber data — which is by nature virtual, mobile and slippery — can be protected like a physical object.
Yet, not all shields can protect company data. It is important for businesses to remember that their commitment to data protection does not end with regulating the movement of private data across countries and continents. With 71 per cent of UK companies already low in cyber resilience according to a recent survey, there is a clear need for organisations to review their data protection processes and standards.
Effective cyber security is not only about the physical location of data. In a real working environment, data breaches occur precisely because information is permeable and mobile. A huge amount of sensitive company information can be found on the laptops, smartphones and workstations of employees who are susceptible to the ever-changing tactics used by cybercriminals. This makes customers more exposed and companies more vulnerable. So, while it’s important to ensure compliance with data residency regulation, that is not enough to protect your business. CIOs and CISOs also need to work with the business to secure the unsecured endpoints in their organisation.
This is particularly important when looking at the other side of the regulatory fence: the General Data Protection Regulation (GDPR). This EU-wide framework comes into effect in 2017 and will make companies responsible for data breaches within Europe. The heavy fines that can be levied will certainly nudge many businesses to rethink their cyber defence.
Keeping corporate data safe requires a significant investment — not just in budget, but also in strategy. Businesses need to understand what effective security in the modern enterprise means, all within the context of how today’s employees work. This means not just thinking in compliance terms, but also thinking about securing and encrypting data wherever it resides, in global data centres, on-premises or on endpoint devices themselves.
While this new regulation may contribute to greater awareness among management, businesses also need to ensure that cyber security is a board-level issue. After all, cyber attacks and the data breaches that arise as a result of them will soon have an impact on the bottom line. Finally, employees need to be educated on cyber security policy and procedures. As impressive as a “Privacy Shield” might sound, businesses must remember that regulatory compliance may not always be enough to protect their data.
Rick Orloff, Chief Security Officer at Code42