Are you GDPR compliant? It’s not too late to start developing and implementing your GDPR compliance strategy. We can now say that the compliance deadline of May 25, 2018 is less than a year away, so there is no time like the present to get started.
Earlier this year, we saw numerous news stories around the WannaCry ransomware attack and the disruption it caused.
WannaCry has caused major issues and compromised a lot of personal data around the world in a very short period of time.
You might be wondering why we are talking about ransomware in a GDPR blog. Well, data is worth a lot of money, and cybercriminals know it. This may be one of the key reasons the EU has established requirements around doing more to protect data from breaches with the impending GDPR legislation.
What if WannaCry were released on May 25, 2018?
Nobody can be sure what will happen after something like WannaCry strikes once the GDPR compliance deadline passes. If I had to speculate, I believe the governing bodies would jump into action. We all know that there will be a breach at some point after the compliance deadline. Based on the EU’s regulations, an investigation will begin to see if the organization met all the requirements and took the appropriate measures to secure the data.
For the sake of this blog, let’s say an organization that experienced a data hijacking from malware was found out of compliance with GDPR. There could be many reasons: maybe they didn’t have the right processes in place or they didn’t have a way to enforce their policies. Or maybe they didn’t report the breach within the 72-hour time limit. No matter where they fall short, it’s likely the organization will be made an example of – and it will be expensive.
GDPR has set forth some hefty fines between 10-20 million euros, or up to 2-4% of a company’s total worldwide annual revenue. Not to mention reputation damage and any disruption they already experienced from the breach itself. In the case of an attack like WannaCry, organizations would be hit hard on multiple fronts. The potential of getting struck with compliance fines on top of the breach means that organizations must take their approach to increasing data protection very seriously, and they must act quickly.
The three pillars of risk
We have heard countless commentary and advice on how to protect and lock down systems, and what should have been done by organizations to ensure they were protected from ransomware like WannaCry. However, one thing I noticed is the lack of discussions around the amount of risk that something like WannaCry presents when it comes to compliance.
Since a ransomware attack can cause this much disruption on such a large scale, it must be part of an organizations GDPR strategy. To be effective, I think every organization could evaluate their level of risk across three key areas:
- Technology: In an ideal world, you would have the latest technology updated with the latest patches and security. You would have the perimeter and the internal entry points secured, without compromising user productivity. Also, technology would enforce policies so users do not open or read files or websites from unknown senders. In this secure world, risk is mitigated though technology. But many organizations are still utilizing legacy systems because they are “good enough” or haven’t implemented modern technology yet due to lack of resources (budget, time, etc.). Do you have the right technology in place today?
- People: People will follow human nature, at times doing things that do not follow the rules. For example, how many times have you driven over the speed limit in your car to get somewhere faster? You are not sure if you will get caught, and you know that it is against the rules, but many of us still do it. It is human nature to do what we need to do to get where we are going. Same goes for the workplace, users want to be productive, have a consumer-like experience and get their needs fulfilled immediately or they will go around IT, resulting in shadow IT. Will your people do things that put your organization at risk because they see it as a means to an end?
- Process: There are so many processes that must be put in place to mitigate risk around GDPR. One example of a poorly-defined or poorly enforced process might be how users manage their files. Everything from deleting to locking their files. How many of your files are encrypted or contain personal information on others? Do you have any data stored where it shouldn’t be? I’m sure that there are a lot of people who – although not with malicious intent – store data in unsecure locations outside of the core network because it is simply easier to access and manage. This is just one example of how a process that is not well-defined or enforced can lead to risk. Does your organization lack process control?
Make mitigating risk the cornerstone of your GDPR strategy
Your GDPR strategy should address your risk in all three of those areas. Ensure your people can carry out their jobs without disruption, but enforce the processes and rules that need to be applied based on the context of the user (who they are, where they are, what device they are using, etc.) Then decide if the action they are trying to do is unusual or outside the rules. If controls are implemented correctly and automated, you will end up with a productive and secure environment.
When it comes to GDPR, I think the largest mountain to climb is mitigating your risk around people and processes, without hindering productivity. Make sure your processes are strong and complete enough to ensure you meet the requirements, but flexible enough to let people still do their jobs. If not, they will go around you and open you up to even more risk. With self-service, context-aware technologies, and by automating the rules around processes, you can leverage technology to set boundaries (where files can be saved, automatic encryption, preventing rogue or unauthorized applications with whitelisting, etc.) and protect the infrastructure and data from vulnerabilities.
If you would like to learn more about how you can be GDPR compliant, take this 10-question assessment and receive a personalized summary with helpful action items.