Data protection regulations such as HIPAA, PCI-DSS and SOX have unquestionably changed the way organizations protect their sensitive data. Unlike the GDPR, however, the average person has probably never heard of them.
Since the advent of the EU General Data Protection Regulation (GDPR), business executives have been under increasing pressure to get their house in order and clean up their data security practices. After all, a failure to comply with the GDPR may prove to be very costly.
Some recent examples include Google, which the French regulator CNIL fined €50 million for a “lack of transparency, inadequate information and lack of valid consent regarding ads personalization”. In the UK, the ICO announced its intention to fine British Airways £183 million for a data breach involving around 500,000 customers, and to fine Marriott International £99.2 million after records belonging to some 339 million hotel guests were exposed.
It is still early days for the GDPR, and we will no doubt see many more fines like these to come.
Regulations Don’t Stop Cybercriminals
Most data protection regulations provide frameworks and guides to help businesses strengthen their security posture and achieve compliance. However, satisfying the compliance requirements is one thing, but preventing a data breach is another. Let’s face it, data protection regulations are not going to stop cybercriminals, or even deter them in any way.
Cybercriminals are constantly looking for more sophisticated ways to gain access to sensitive data, and there’s no way for any governing body to compete with them through legislation alone. These frameworks will only cover the bare essentials – enough to ensure that organizations are able to satisfy the relevant requirements but offer no guarantees that their data is actually secure.
The Positive Effect of Regulations
The good news is that the conversation is starting to change as a consequence of these regulations. Business leaders are waking up to the fact that data security is no longer the sole responsibility of the IT department, but the responsibility of all staff members, including themselves. After all, business executives can, and will, be held accountable should a serious incident unfold which compromises the privacy of their customers.
Under the GDPR (Article 33), a business acting as a data controller must notify the supervisory authority of a personal data breach without undue delay and, where feasible, within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the individuals concerned. The notification must describe the nature of the breach, including where possible the categories and approximate number of data subjects and records affected, the likely consequences of the breach, and the measures taken or proposed to address it and mitigate its effects. In practice, that means being able to say what data was breached, where it was held, when and how the breach occurred, who was affected, and what the remediation plan is.
Prior to the implementation of the GDPR (and other data privacy regulations) many businesses would have either struggled to answer these questions or would have been too complacent to even try. Don’t get me wrong, even with these regulations in place, many firms are still failing to keep track of their sensitive data.
62% of companies don’t know where their most sensitive unstructured data resides, which highlights the importance of data classification. To classify data effectively, a formal risk assessment first needs to establish what types of data are stored, the financial impact of exposing that data, and the level of protection each type requires. Access rights must then be set up to enforce “least privilege”, and an activity monitoring solution put in place so that the questions above can be answered quickly when a breach is discovered.
A real-time change auditing solution can detect, alert on and respond to events involving privileged account access and access to any files and folders that contain sensitive data. It presents a detailed summary of events in a console, giving administrators the visibility they need to answer who, what, where and when for important changes. Most auditing solutions can also generate a range of pre-defined reports that can be presented to the supervisory authority on request. Those logs are only useful as evidence if the accounts they monitor cannot alter them, so they should be forwarded to a separate store that those accounts cannot write to.
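The three steps above (classify the data, enforce least privilege, monitor access and turn the events into a who/what/where/when summary) fit together in a small pipeline. The following is an added illustration, not code from the original article or from any auditing product: the classification inventory, the access policy, the list of privileged accounts and the JSON audit-log format are all constructed for this example. It also reports paths that no classification covers, since an unclassified path is exactly the “we don’t know where our sensitive data is” gap the statistic above describes.

```python
"""Added example: classify file paths, check access events against a
least-privilege policy, and build the who/what/where/when breach summary.
Inventory, policy, privileged-account list and log format are hypothetical."""
from __future__ import annotations

import json
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta

# Data classification inventory (hypothetical): directory prefix -> label.
CLASSIFICATION = {
    "/srv/finance/": "restricted",
    "/srv/hr/": "restricted",
    "/srv/shared/": "internal",
}

# Least-privilege policy (hypothetical): who may touch each label.
# None means any authenticated user. Unclassified data has no policy and is
# reported separately so the inventory can be fixed.
POLICY = {
    "restricted": {"cfo", "hr-admin", "svc-backup"},
    "internal": None,
}

# Accounts whose access to restricted data is always recorded for review.
PRIVILEGED = {"root", "Administrator", "svc-backup"}

# Constructed audit log: one JSON object per line, UTC timestamps.
SAMPLE_LOG = """\
{"ts": "2024-03-04T09:12:03Z", "user": "alice", "host": "fs01", "path": "/srv/shared/notes.txt", "action": "read", "outcome": "success"}
{"ts": "2024-03-04T09:15:44Z", "user": "bob", "host": "fs01", "path": "/srv/finance/q3/payroll.xlsx", "action": "read", "outcome": "success"}
{"ts": "2024-03-04T02:15:44Z", "user": "root", "host": "fs01", "path": "/srv/hr/employees.csv", "action": "copy", "outcome": "success"}
{"ts": "2024-03-04T10:01:00Z", "user": "cfo", "host": "fs01", "path": "/srv/finance/q3/payroll.xlsx", "action": "write", "outcome": "success"}
{"ts": "2024-03-04T10:05:10Z", "user": "mallory", "host": "fs02", "path": "/srv/finance/budget.xlsx", "action": "read", "outcome": "denied"}
{"ts": "2024-03-04T11:30:00Z", "user": "svc-backup", "host": "fs01", "path": "/srv/hr/employees.csv", "action": "read", "outcome": "success"}
{"ts": "2024-03-04T12:00:00Z", "user": "dave", "host": "fs02", "path": "/home/dave/export.csv", "action": "write", "outcome": "success"}
"""


@dataclass(frozen=True)
class Finding:
    who: str
    what: str                 # action plus data label
    where: str                # host:path
    when: str                 # ISO-8601 timestamp from the event
    reasons: tuple[str, ...]  # why this event needs attention


def classify(path: str) -> str:
    """Map a path to its sensitivity label; unknown paths are 'unclassified'."""
    for prefix, label in CLASSIFICATION.items():
        if path.startswith(prefix):
            return label
    return "unclassified"


def evaluate(event: dict) -> tuple[str, tuple[str, ...]]:
    """Return the data label and the reasons (if any) the event should be flagged."""
    label = classify(event["path"])
    allowed = POLICY.get(label)
    reasons = []
    if allowed is not None:  # this label has an allow-list
        if event["user"] not in allowed:
            # A denied attempt on restricted data is still worth an alert:
            # failed access is often the first visible sign of an intrusion.
            reasons.append("denied_attempt" if event["outcome"] == "denied"
                           else "policy_violation")
        if event["user"] in PRIVILEGED:
            reasons.append("privileged_access")
    return label, tuple(reasons)


def audit(log_text: str) -> list[Finding]:
    """Run every log line through the policy and keep the events that fire."""
    findings = []
    for line in log_text.splitlines():
        ev = json.loads(line)
        label, reasons = evaluate(ev)
        if reasons:
            findings.append(Finding(ev["user"], f'{ev["action"]} {label} data',
                                    f'{ev["host"]}:{ev["path"]}', ev["ts"], reasons))
    return findings


def unclassified_paths(log_text: str) -> set[str]:
    """Paths seen in the log that the inventory does not cover: fix the inventory."""
    paths = (json.loads(line)["path"] for line in log_text.splitlines())
    return {p for p in paths if classify(p) == "unclassified"}


def breach_report(findings: list[Finding], detected_at_iso: str) -> dict:
    """Who/what/where/when summary plus the 72-hour notification deadline (Art. 33)."""
    detected_at = datetime.fromisoformat(detected_at_iso)
    return {
        "detected_at": detected_at.isoformat(),
        "notify_by": (detected_at + timedelta(hours=72)).isoformat(),
        "affected_locations": sorted({f.where for f in findings}),
        "actors": sorted({f.who for f in findings}),
        "events": [asdict(f) for f in sorted(findings, key=lambda f: f.when)],
    }


if __name__ == "__main__":
    found = audit(SAMPLE_LOG)
    print(json.dumps(breach_report(found, "2024-03-04T14:00:00+00:00"), indent=2))
    print("unclassified paths:", sorted(unclassified_paths(SAMPLE_LOG)))
```

On the sample log this flags bob (a successful read of restricted data by an account outside the allow-list), root (outside the allow-list and a privileged account), mallory (a denied attempt on restricted data) and svc-backup (permitted, but privileged, so it is logged for review), while alice, cfo and dave produce no findings. Dave’s path is reported as unclassified, which is the signal to extend the inventory rather than to ignore the access.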