On the 25th of May, GDPR will have been in place for two years. During this time we have seen several significant fines issued for lack of compliance, including Google’s 50 million euro (£44m) fine issued by the French data regulator CNI.
The two largest fines – £183m for British Airways and £99m for Marriott International – have yet to be collected. The Information Commissioner’s Office (ICO) has deferred payment of these fines twice already this year, most recently in order to reduce some of the financial burden forced on the firms by the Covid-19 crisis. These landmark fines were intended to be a show of the regulator’s resolve; a major warning sign to other large organisations that the authorities are not afraid to hit hard when it comes to protecting consumer data. Despite the need for compassion during this difficult period, the iron fist of the ICO and other regulatory offices could be seen to have developed a soft touch.
So, as we mark two years of GDPR, it is time to take stock of the successes and the limitations of the regulation. Have the exceptions in light of the current global situation weakened the threat of hard-line action? How has the world changed since the advent of GDPR, and how should any proposed new regulations be designed to meet current and emerging security challenges?
Is GDPR still fit for purpose?
Although tempting to do so, businesses must not view the ICO’s recent leniency as a 'get out of jail free card'. This is a measure taken in response to exceptional circumstances that aims to protect the economy and preserve business continuity within two major organisations. In fact, during a conversation earlier this year that focused on “full and strict compliance”, Google was warned to adhere to GDPR during the development of a coronavirus tracking app, with the EU’s internal market coordinator Thierry Breton saying that although, “contact tracing apps can be useful to limit the spread of the coronavirus… their development and interoperability need to fully respect our values and privacy.” Despite recent leniencies, the regulators are still more bite than bark; businesses would do well to keep this in the forefront of their minds.
Let us be clear about what GDPR is, and what it does: it is a regulation that protects consumer data. It does not provide anything close to the type of comprehensive cybersecurity strategy that organisations need to stave off the real and present threat of attack. Covid-19 has highlighted how vulnerable organisations are in a crisis to cyberattack – particularly in the public sector. The technological and malware advancements being made by criminal groups are making it easier and more profitable for them to target big names; this is a trend that is only going to increase in size and scale.
So, is GDPR still fit for purpose? In short, yes. The noise generated about GDPR around the time of the policy’s implementation wasn’t all hot air – the regulation has highlighted the importance of protecting personal data and, as a result, greater protections have been enshrined in most, if not all, businesses. While this purpose still stands, it also has limitations. Compliance and security doesn’t begin and end at GDPR: it’s just one piece of a very large and complicated puzzle.
Maintaining compliance during Covid-19
Covid-19 has spurred many criminals into action – they see that businesses now have an expanded network perimeter with the majority of employees working remotely, and they know that they may be more resistant to making large cybersecurity technology investments in the current financial climate. Phishing scams and malware attacks are rife, and cybercriminals are continuously evolving their tactics to take advantage of the current climate. Criminals are thriving in the chaos and, because of this, businesses should be doing all they can to improve their network security.
Business leaders need to have a firm grasp on their risk posture. They need to know where their ingress and egress points are, which vulnerabilities exist in their networks and how to develop rapid, robust, and relevant remediation strategies. If they do not understand the context of their risks, nor whether an exploit in the wild could negatively impact their business, it’s impossible for them to know which tools to employ to make sure they are safeguarded from attack.
If there was ever a time to get serious about implementing strict protocols to ensure continuous compliance, it is now. This may involve making decisions to limit access to only the most critical functions until a stage where more resources are available – and then only to increase access to the next highest priority business functions. If this is not possible, security leaders could decide to put time limits on when individuals can access certain resources.
This should involve gaining full network visibility, including cloud, VPN and other virtualised networks, and the ability to execute end-to-end path analysis. And it needs to involve assurance that security and networking devices, VPNs, firewalls, cloud services and more are all properly configured. If an organisation were to suffer an attack now, the heavy hammer of the regulators could turn a precarious financial situation into a devastating one.
Looking beyond GDPR
GDPR needs to be seen as a starting point for regulator-mandated cybersecurity compliance. We need to start defining what the next step should be and how it should be set-up to empower businesses to better protect their critical systems.
Regulatory bodies need to think about introducing more advanced, business-focused mandates that will help organisations to truly understand their network environment and improve security posture. And when they do so, they need to ensure that the message is conveyed in a clear and transparent way to avoid ending up as another “checkbox” exercise, which some could argue GDPR has become.
One idea that could be further explored in response to the current crisis is security stress tests, similar to those used by the Bank of England, whereby organisations across the board would be required to assess whether they will be able to cope if and when another global crisis strikes.
GDPR is a good example of a policy that forces businesses to think proactively about preventing future attacks. This is a mindset that security leaders always need to work with at all times - not just when they are made to by the government. While new regulations should be created, businesses shouldn’t wait around for them. They should work now to build network visibility, to understand vulnerability exposure. They should get themselves in a position that allows them to say that they’re already a few steps ahead of any new mandate that’s introduced.
Security teams are facing unenviable pressures right now. As they help their businesses to weather the current storm, they cannot fail to remember that maintaining compliance needs to be a top priority. Organisations need to do their utmost to stay ahead of the curve to protect their critical systems, their customers’ data, and gain true peace of mind.
Sivan Nir, Threat Intelligence Team Leader, Skybox Security