In just over a year, the new European General Data Protection Regulation will come into effect yet much of the recent research suggests that organisations remain unprepared.
If this unpreparedness results in a data breach that could have been avoided, those organisations could be in line for a huge fine. So now is the time to ask how these data breaches could occur and to understand how to protect against them. Breaches can take many forms but ultimately, much of any organisation's sensitive data is stored on, or travels through, the organisation's network so securing that network is a good place to start in the bid to secure the organisation against those hefty fines.
The new rules
The European General Data Protection Regulation (EU GDPR) will replace the current Data Protection Directive which was introduced in 1995. Once it comes into effect on March 25th 2018, it will apply to any organisation that retains or processes the personal information of a European citizen. It doesn't matter where the organisation itself is based, or where the data processing takes place, only that the data belongs to a European citizen, making the regulation highly relevant to most, if not all, international organisations.
Should an organisation find that they have been breached, under the new regulation, they are required to report it within 72 hours to the data protection authority in their own country; for the UK, this is the ICO. The national data protection authority will then decide what to fine the organisation for the breach; this could be up to 4% of the organisation's global annual turnover or 20 million Euro, whichever is the greater.
Where organisations are today
Every week, another survey or poll finds that UK organisations are not prepared for the EU GDPR. One of the latest polls from Apricorn says mobile workers are a weak link. Almost half of the 100 IT decision makers they polled expected mobile workers to expose the company to a breach and more than half claimed it is simply too complicated to manage all the different technologies that their employees now use.
What are the threats to the network?
Of course, a network can be compromised a variety of ways and a mobile worker can be construed as a risk but to cut off access to mobile workers is asking them to light a fire without any matches; they'll get the job done but it'll take much longer than it should have. At the moment, hackers can get onto the network with brute force attack, unleash phishing scams to try to get employees to unwittingly give them access but there are also insider threats from employees, either malicious or just foolish. The organisation has to protect itself against as many of these eventualities as possible; it's the organisation's responsibility to do so, and an organisation that protects itself correctly should be able to allow mobile workers the access to the network they need to continue to be productive.
Mobile access is not a choice
Access to the network for mobile workers is non-negotiable for an organisation that wants to attract the best workers and keep its mobile workers as productive as possible. And there is also the issue that not providing secure access to mobile workers means an organisation won't have any control over the data accessed as workers find ways around restrictions in order to get the job done. But it's not just mobile workers who need access to the network. These days, many desk-based employees expect to be able to access information from any device, at any location and at any time they need it. This could equally result in remotely accessing the network on a corporate or personal device.
Minimising the risk of BYOD
Today's employees expect to be able to bring their own personal devices to work so organisations need to put a robust BYOD policy in place in order to avoid the risks associated with it. Creating a BYOD policy involves ensuring that all industry-specific regulations are met, for example in the healthcare, financial or public sectors as well as the broader, upcoming EU GDPR. Of course, any policy needs to ensure that employees will get the right access to the right information and at this point, it is a good opportunity to build in the principle of least privilege in order to adhere to the upcoming EU GDPR, whereby access is only made available to employees who need to have access to it. An Enterprise Mobility Management (EMM) approach will then enable the organisation to set up processes for managing issues around loss of data and what to do if an employee leaves the organisation. And ultimately, the BYOD policy must be easy to set up initially and easy-to-use for the employee thereafter or the organisation risks the policy being ignored and that's where the real risk lies.
All of the expectations around BYOD, remote working and the proliferation of the Internet of Things (IoT) has come together to result in the biggest volume of endpoints accessing the network than ever before. As well as the multiple devices per employee, contractors and partners or visitors to physical office locations expect to be able to access the corporate Wi-Fi at least, and then there are the other connected devices such as the printers and scanners which all need to be networked. For organisations, this presents a very real risk and they have to look at solutions that will offer them visibility and control of what's accessing the network. Network Access Control (NAC) solutions have returned from the brink of irrelevance to offer exactly the granular levels of control that are required by the IT departments of today.
For a NAC solution to be successful, in the same vein as the BYOD policy, it must be easy-to-use. It also has to be scalable and adaptable because the working world is moving at a fast pace and what's required tomorrow may not be visible today. But most importantly, it needs to secure your network and the data on it, in line with the EU GDPR. With so many endpoints accessing the network, the granular access policies associated with NAC solutions are exactly what's needed today. Organisations can grant permission to access based on a range of contextual information such as the employee and what access their role requires, the type of device, the location of the device and of other devices belonging to the same employee, thereby making an informed decision about what device to allow onto the network as well as what parts of the network to give that device access to, thus adhering to a range of the new EU GDPR requirements.
The explosion of data, the proliferation of cyber attacks, and this new EU GDPR coming into force next year has changed the way organisations can operate. It's simply not possible to continue as they did a decade ago. Circumstances have changed demonstrably and the organisations who embrace those changes and the right technologies to protect themselves along the way, will be the ones that will still be around in decades to come.
Image Credit: Pulse Secure