Data is the new fuel that drives business. The immense benefits it can bring make it a valuable asset - one that needs to be traceable, accountable and, most of all, protected. This increase in awareness of data security, the inconsistencies in data policy across EU member states and the rapid changes in technology have led to the General Data Protection Regulation (GDPR) – coming into force on 25 May 2018.
With GDPR, organisations must now focus on a new set of compliance challenges to ensure they meet the new requirements. And, if this isn’t taken seriously, then companies expose themselves to risks in the form of large financial penalties and substantial brand damage.
The introduction of GDPR is now less than five months away, and levels of readiness vary: many businesses are still only in the initial stages of preparation. However, there’s no need to panic. For most enterprises, GDPR doesn’t mean starting from scratch; it means assessing current systems and processes, finding the gaps and filling them.
In order to address these gaps effectively, analysis is needed to identify where organisations currently are, what elements are missing and what risks they face. Only then can they adopt a clear strategy to address GDPR effectively.
What’s the biggest challenge that companies face? We've identified four key areas that we believe businesses need to look at before lift-off.
Locate and search: what data have I got, where is it, and who can access it?
Data is now critical to how companies make business decisions, but the volume produced can make it difficult to know what is held, where it is and, crucially, who can use, access, delete or manipulate it.
Today, data doesn’t just sit on physical servers or desktops. Communication happens over a growing number of devices, platforms and apps, so there are ever more places that personal data can reside. And while these developments are great for business, they also make data loss more likely.
All organisations need to ensure they know what data they have, where it is, how they can access it – and, ultimately, how to best use it, to not only protect it but get real value from it.
There are lots of products available that can help companies, whatever the complexity of their network, to:
- Determine what data they hold and where it is - even if it’s held within forms or images
- Control who can access it, even from unmanaged locations or devices
- Police what level of access a user has, monitor and revoke access to sensitive data
- Identify risky behaviour or security compromises
- Manage data loss policies
Minimise: control and refine the data you have
Under GDPR, any personal data held must be accurate and up to date, and organisations must be able to demonstrate that they have consent and for what purposes. However, having multiple records for an individual can make this difficult.
This is where using a de-dupe product can help to ensure records are accurate and up-to-date, even when someone appears multiple times, across multiple platforms - potentially with slightly different spellings.
Using de-dupe products can also have other benefits. As data explodes, storage needs grow and keeping up with demand can be costly. Storage management and de-dupe technology can help to reduce the demands on an already stretched infrastructure, while also keeping data safe and making sure you know what is where, whenever you need it.
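The matching problem described above, as an added example (not code from the article or from any de-dupe product): records for the same person arrive from several systems with different capitalisation, spacing, accents and spellings, and need to be grouped before they can be corrected or deleted in one place. The record layout, the field names and the sample records are constructed for this example; the matching rule (exact match on normalised e-mail, otherwise a name-similarity threshold) is one reasonable choice, not the only one.

```python
"""Fuzzy de-duplication of personal-data records exported from several systems.
Added example, not from the article; record layout and sample data are constructed."""
import re
import unicodedata
from difflib import SequenceMatcher

# Constructed sample: three people exported from hypothetical CRM, web and ERP systems.
RECORDS = [
    {"id": "crm-1", "name": "Jonathan Smith",  "email": "Jon.Smith@example.com"},
    {"id": "web-7", "name": "jonathan  smith", "email": "jon.smith@example.com "},
    {"id": "erp-3", "name": "Jonathon Smith",  "email": ""},            # typo, no e-mail
    {"id": "crm-2", "name": "Zoë Müller",      "email": "zoe@example.org"},
    {"id": "web-9", "name": "Zoe Muller",      "email": "ZOE@EXAMPLE.ORG"},
    {"id": "erp-5", "name": "Priya Natarajan", "email": "priya@example.net"},
]


def normalise_name(name):
    """Lower-case, strip accents and punctuation, collapse repeated whitespace."""
    decomposed = unicodedata.normalize("NFKD", name)
    ascii_only = "".join(ch for ch in decomposed if not unicodedata.combining(ch))
    cleaned = re.sub(r"[^a-z0-9 ]", " ", ascii_only.casefold())
    return " ".join(cleaned.split())


def normalise_email(email):
    """E-mail addresses are compared case-insensitively with surrounding blanks removed."""
    return email.strip().casefold()


def same_person(a, b, threshold=0.85):
    """If both records carry an e-mail, the normalised e-mail decides.
    Otherwise fall back to a similarity ratio over the normalised names."""
    ea, eb = normalise_email(a["email"]), normalise_email(b["email"])
    if ea and eb:
        return ea == eb
    ratio = SequenceMatcher(None, normalise_name(a["name"]),
                            normalise_name(b["name"])).ratio()
    return ratio >= threshold


def dedupe(records, threshold=0.85):
    """Greedy clustering: each record joins the first cluster containing a match,
    otherwise it starts a new cluster. Returns a list of clusters (lists of records)."""
    clusters = []
    for rec in records:
        for cluster in clusters:
            if any(same_person(rec, other, threshold) for other in cluster):
                cluster.append(rec)
                break
        else:
            clusters.append([rec])
    return clusters


def duplicate_groups(records, threshold=0.85):
    """Only the clusters that actually contain more than one record, as lists of ids."""
    return [sorted(r["id"] for r in c) for c in dedupe(records, threshold) if len(c) > 1]


if __name__ == "__main__":
    for group in duplicate_groups(RECORDS):
        print("probable duplicates:", group)
```

A merge that is wrong in the other direction, joining two different people, is itself a data-protection failure because one person's record can then be disclosed to the other, so the threshold should be conservative and fuzzy-name-only matches (those with no e-mail to confirm them) are worth routing to a human review queue rather than merging automatically.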
The key to controlling data, however, is to have a disaster recovery plan in place to ensure the business can restore the data it holds and that the system will meet the required standard.
Protect and ensure trust
Once you have a view of the data you have, where it is and how to access it, then it’s time to look at protecting it. After all, despite the best laid plans, disasters can, and do, happen.
News reports of cyber-attacks are increasingly frequent and can have a serious impact on how customers perceive a company. The way a business responds to and handles a breach can make a big difference. And with the introduction of GDPR, public exposure is likely to increase, as breaches will need to be reported within 72 hours.
The key to stopping hackers getting into the system and getting their hands on your data is to prepare for the worst. The sheer complexity of today’s security landscape means that many companies should focus on when they get hacked, not if.
Organisations should focus on proactive network security that provides more protection than firewalls, malware protection and encryption alone, such as:
- Managing passwords
- Keeping devices and data secure if lost or stolen using multi-layer encryption
- Automatically encrypting or blocking sensitive data in emails
- Protecting encryption keys
- Stopping malware and ransomware
- Stopping attacks at the network perimeter
- Keeping individual files secure even when they leave the network or devices
- Ensuring that only authorised recipients can access sensitive files
Monitor and manage: identify what’s gone wrong - and how - as soon as it’s happened
Having security tools in place creates its own set of data, but that data is only useful if it can be analysed and understood. Security and behavioural analytics products help to make sense of the information created and provide teams with the ability to rapidly discover advanced persistent threats.
Log management or Security Information and Event Management (SIEM) tools help enterprises to test, assess and evaluate data security effectiveness. These tools are important for monitoring all user and system activity so that companies can quickly identify suspicious or malicious behaviour; it’s also important to monitor data stored or processed in cloud environments.
With a 72-hour time limit on notifications of breaches, it’s vital to have a programme in place that identifies and flags breaches if they happen. The right product can gather real-time log data from distributed applications and infrastructure in one place to enable powerful searches, dynamic dashboards and alerts, and reporting for real-time analysis.
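The kind of correlation a log-management or SIEM product performs to flag a probable breach, as an added example (not code from the article or from any product): central log lines are parsed, and two rules run over them in time order, one for a burst of failed logins followed by a success from the same source, and one for a single account reading an unusual number of customer records in a short window. The log format, field names, thresholds and sample lines are constructed assumptions for this example.

```python
"""Two simple breach-detection rules over centralised log lines.
Added example, not from the article; log format, thresholds and data are constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: a guessed password that eventually works, followed by a
# burst of customer-record reads, plus one ordinary mistyped password from "bob".
SAMPLE_LINES = [
    "2018-01-15T09:00:01 LOGIN_FAIL user=alice src=203.0.113.7",
    "2018-01-15T09:00:03 LOGIN_FAIL user=alice src=203.0.113.7",
    "2018-01-15T09:00:04 LOGIN_FAIL user=alice src=203.0.113.7",
    "2018-01-15T09:00:05 LOGIN_FAIL user=alice src=203.0.113.7",
    "2018-01-15T09:00:06 LOGIN_FAIL user=alice src=203.0.113.7",
    "2018-01-15T09:00:09 LOGIN_OK user=alice src=203.0.113.7",
    "2018-01-15T10:30:00 LOGIN_FAIL user=bob src=198.51.100.2",
    "2018-01-15T10:45:00 LOGIN_OK user=bob src=198.51.100.2",
] + [
    # 60 record reads in one minute by the account that was just brute-forced
    "2018-01-15T09:01:%02d RECORD_READ user=alice src=203.0.113.7 record=cust-%d"
    % (i, 1000 + i)
    for i in range(60)
]

# "<iso timestamp> <EVENT> key=value key=value ..." (assumed format for this example)
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<event>\S+)(?P<fields>(?: \w+=\S+)*)$")


def parse(line):
    """Return a dict with ts (datetime), event and the key=value fields, or None
    if the line does not fit the format. A real SIEM would count unparsed lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    try:
        ts = datetime.fromisoformat(m.group("ts"))
    except ValueError:
        return None
    fields = dict(kv.split("=", 1) for kv in m.group("fields").split())
    return {"ts": ts, "event": m.group("event"), **fields}


def detect(events, fail_threshold=5, fail_window=timedelta(seconds=60),
           read_threshold=50, read_window=timedelta(minutes=5)):
    """Run both rules over events in time order. Returns alert tuples of the form
    (rule, user, src, timestamp). Thresholds are illustrative, not recommendations."""
    alerts = []
    fails = defaultdict(deque)   # (user, src) -> timestamps of recent LOGIN_FAIL
    reads = defaultdict(deque)   # user -> timestamps of recent RECORD_READ

    def trim(queue, now, window):
        while queue and now - queue[0] > window:
            queue.popleft()

    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["event"] == "LOGIN_FAIL":
            q = fails[(ev["user"], ev["src"])]
            q.append(ev["ts"])
            trim(q, ev["ts"], fail_window)
        elif ev["event"] == "LOGIN_OK":
            q = fails[(ev["user"], ev["src"])]
            trim(q, ev["ts"], fail_window)
            if len(q) >= fail_threshold:
                alerts.append(("brute_force_success", ev["user"], ev["src"], ev["ts"]))
            q.clear()
        elif ev["event"] == "RECORD_READ":
            q = reads[ev["user"]]
            q.append(ev["ts"])
            trim(q, ev["ts"], read_window)
            if len(q) == read_threshold:   # fire once, as the threshold is crossed
                alerts.append(("bulk_record_access", ev["user"], ev["src"], ev["ts"]))
    return alerts


def run(lines=SAMPLE_LINES):
    """Parse the lines (dropping unparseable ones) and return the alerts."""
    return detect([e for e in map(parse, lines) if e is not None])


if __name__ == "__main__":
    for rule, user, src, ts in run():
        print("%s %s user=%s src=%s" % (ts.isoformat(), rule, user, src))
```

The point of chaining the two rules is that the second alert turns "someone guessed a password" into "personal data was probably accessed", which is the fact that starts the 72-hour notification clock; feeding cloud audit logs through the same rules, as the article suggests, is a matter of adding a parser for their format.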
And finally, asking for expert support
To set up and reinforce the best practices, it’s key to speak to the specialists. Although hiring a compliance officer or partnering with a third-party organisation is a substantial cost, in the long run, this move could save businesses a lot of money.
Individuals who understand data compliance - how data is used and stored - and the technology involved will be crucial in the preparations for GDPR. By not appointing someone who understands the role of data and the compliance issues that surround it, organisations are at a higher risk of breaches.
Furthermore, channel organisations can work with compliance officers at businesses to offer a technical solution as part of a full security and networking offering. Companies would most benefit from a 24/7 GDPR support system that is continually available, rather than using a security solution that provides GDPR support occasionally.
The new regulations require all parts of an organisation’s infrastructure and IT solutions to be as secure as possible, and that includes protecting against breaches from within as well as attacks from outside. And while there is no one-size-fits-all solution, a proactive and positive approach to compliance and security will be a key factor in complying with GDPR.
David Fearne is UK Technical Director for Arrow ECS