Cyber-attacks post GDPR: a doomsday scenario


With less than 3 months to go until the deadline, only a third of all companies are currently ready for the General Data Protection Regulation (GDPR). Fundamentally, GDPR requires all organisations that do business in the European Union (EU) to protect the data and privacy of their customers, gain consent for the use of all personal data, implement security of that data, be able to delete the data on request and report a data breach within 72 hours.    

At this stage, organisations are all aware of the legislation’s importance and its impact. But the reality is that many companies are unlikely to achieve compliance by the 25th May. So, what will happen to those companies when one of them inevitably suffers a large-scale data breach?

As an example, let's use a fictional FTSE 100 corporation with offices around the world and revenues of over £1bn and run through the potential impact of such a data breach in a post-GDPR world, along with some recommendations on best practices for mitigating the risk of such a data breach. 

Fast forward to July 2018. GDPR came into effect two months ago and, to date, no global company has suffered a data breach within the major news cycles. The news then breaks that a FTSE 100 business had its network compromised a month earlier and is just now notifying customers of the breach. Even worse, it turns out the company wasn’t fully GDPR compliant in the first place. Not only will this business now have to spend considerable amounts of money to take back control of its network, but both customer trust and, very likely, the business’ share price will also be eroded. GDPR also imposes significant financial penalties which can be crippling.

Failing to prepare means preparing to fail 

Preparation is key to avoiding such additional financial fallout in the event of a breach. Arguably the most difficult, and first, step to GDPR compliance is to identify and locate all data assets relating to each customer. The next step is ensuring all security controls, from protection to authorisation, around that data are consistent and effective. In a large global enterprise, this is easier said than done. Particularly with FTSE 100 companies, sensitive personally identifiable information (PII) is often stored on, and accessed by, a huge number of devices spread across large networks and geographies.

Compounding the issue, Internet of Things (IoT) and connected devices are expanding the attack surface exponentially. With Gartner predicting that there will be over 20bn connected devices by 2020 and 25 percent of all cyber-attacks on businesses being carried out by IoT devices, protecting sensitive data has never been harder.

Although organisations routinely update security patches and scan for vulnerabilities, these processes and tools are incomplete and frequently miss devices across a scaled network. This leaves the door to a network wide open for bad actors to exploit known vulnerabilities in outdated software. With 80% of cyber-attacks targeting known vulnerabilities, organisations need to address the challenge of being ‘right’ 100 percent of the time, not just ‘most’ of the time. It is important to harden not only the servers and storage that provide access to the data, but also the laptops and devices that access this data. Ensuring only authorised, patched and secure devices access critical data is a challenge many large organisations are not prepared to address due to legacy network design and dynamic environments with devices coming on and off the network.

The reality is that no business can ever be completely protected against data theft or loss. Focusing on reducing the attack surface and ensuring the devices that are both accessing and serving the data are hardened are valuable actions to take.

The fallout and GDPR scrutiny   

The fallout from the breach in this example is likely going to be severe. Not only did the company fail to adequately protect itself against cyber-attacks, it also failed to identify and report the breach within the GDPR-mandated 72-hour grace period for businesses under such circumstances. As a result, the company will likely be hit with an intense period of scrutiny from the relevant authorities, and then a fine depending on the severity of the breach, history of compliance and preventative measures that were in place before the breach.

For a large-scale breach, this could be up to 4% of global revenue or €20 million, whichever is higher. As a FTSE 100 company, it will almost certainly be the former. The average percentage profit for a FTSE 100 company in Q4 2017 came in at just 5.7% of global turnover. If this corporation is then struck with a 4% fine, it has the potential to completely wipe out a year’s profits.

Alongside this, the impact on reputation cannot be overlooked. In the event of a data breach, many customers will want to take their business elsewhere if they feel the company did not have the proper protections in place before the breach. Add to this the public and governmental GDPR scrutiny and customers will lose trust completely. This will be enough to ruin some organisations in the long term, even without a large fine.

However, while this is a potential doomsday scenario for businesses in the not-too-distant future, the key takeaway here should be to take a risk-based approach to understanding the current state of security and developing a model to reduce attack surface and exposure. A key step is to map the infrastructure, applications and people that should be handling sensitive data and put processes in place to assure the posture and consistent enforcement of your policies. If businesses take their GDPR preparations seriously and put adequate security measures in place now, the financial penalties and reputational impact can be mitigated.

Tom Dolan, VP of Global Financial Services at ForeScout 
