[BreachExchange] What the “D-day for security” means for your business

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 4 19:25:20 EDT 2016


http://www.itproportal.com/features/what-the-d-day-for-security-means-for-your-business/

The European Parliament recently passed the new General Data Protection
Regulation (GDPR). If you don’t know what this is yet, then you should, as
it is one of the most important legal changes of the 21st century.

The GDPR basically brings data protection legislation up to date and in
line with current technologies. And it puts the onus squarely on companies
and organisations that hold personal and sensitive data to be fully
responsible for protecting that data. And with less than two years before
the new EU rules come into force, it’s absolutely vital that companies know
what this means for their business.

The topline news is that the 25th May 2018 is already being referred to as
the “D-Day for security” with the latest EU data protection rules
specifically designed to protect European citizens’ personal data in our
digital, always-on age of smartphones, social media and remote working.
Even though the UK voted to leave the EU, some UK businesses need to be
aware they are still on the same timeline for the upcoming GDPR,
regardless. UK organisations that are dealing with the data of EU customers
and companies will have to ensure that they’re fully compliant with the
regulation or face fines as a result.

It’s taken over four years for this extensive and complete overhaul of the
incumbent EU data protection directive, which was originally put into place
way back in 1995. A time when many of us old enough to have been of working
age still didn’t have email addresses and mobile phones, let alone Twitter
handles, smartphones and access to 24/7 always-on internet banking!

A new era of data security and protection

We live in a completely different era than we did twenty-one years ago,
particularly when it comes to data security and protection. Back in 1995,
data breaches and identity theft were not widespread, mainstream problems.
And many of us still did our banking face to face, often being on first
name terms with our local or business bank managers.

It’s easy to see, put in that context, why so many look back on the
pre-web, pre-mobile era with rose-tinted nostalgia spectacles. We didn’t
have to worry about data theft, hackers, cybercriminals or even need to
remember countless different passwords for our various online social,
email, bank and other accounts and services.

There is a reason why companies hold so much data on us, in terms of
financial data and records of our consumer behaviour and lifestyle habits.
It’s so those same companies are able to deliver better products and
services targeted to our individual wants and needs. We share our personal
data because it benefits us. And there is a trade-off between the amount of
personal data we are willing to share with a company and the quality and
convenience of service we expect from them in return.

It is also why the colossal amount of data collected, stored and accessed
by businesses and organisations is incredibly valuable and, should it be
hacked and get into the wrong hands, can (potentially) be extremely
distressing for consumers and citizens.

Security can no longer be an afterthought

We will take a closer look at the main aspects of the new EU regulation
that businesses, organisations and institutions need to be immediately
aware of below. Firstly though, the most important thing to know is that
all companies will now have to notify both authorities and affected
individuals when a data breach occurs, meaning that companies who
previously ignored or just swept these breaches under the carpet will no
longer be able to do so.

At this point, it should also be stressed that the GDPR has been
specifically designed to benefit European citizens and businesses alike.
Businesses just need to be aware that there are very high penalties for any
organisations that don’t comply with the new security regulation. This
means that data security can no longer be an afterthought, because if a
major hack or data breach occurs, then it could well hit your bottom line
hard.

If your company is hacked and deemed to not have implemented sufficient
compliance measures - such as end-to-end security process reviews and
putting the correct data protection measures in place - the proposed fines
are going to be harsh. The regulation recommends up to four per cent of
your annual worldwide turnover or €20 million, whichever is greater. The
necessary changes that businesses must make to avoid being hit with such
penalties may well feel like a big change. And, for those that haven’t yet
properly implemented proper end-to-end security and data encryption
measures, it most likely will be a big change. But the important thing for
businesses to understand is that the regulation has also been devised to
benefit them in the longer term, as they will no longer have to deal with
different regulations from each of the 28 member states.

Security and data protection must now be seen as a high priority for all
European businesses. The facts speak for themselves. According to the
Breach Level Index over 700 million data records were compromised last year
as the result of 1,650 data breaches, so the new EU Data Protection
Regulation is clearly a significant step forward in protecting European
citizens, as well as giving them far more control over their personal data.

Many in the business community still have their heads in the sand when it
comes to learning about and understanding the data privacy and data
protection laws that apply to their companies. This ignorance will be far
from bliss for those folk, if they don’t wise up very quickly and accept
that GDPR is going to affect almost every area of their enterprises.
Two-stage authentication, proper data encryption, intelligent encryption
key management, all of these techniques and security technologies are
essential for compliance with the GDPR. And these are not things you can
start to think about next year, because the clock is ticking!

The countdown begins now. Businesses need to get their data security
strategies in order or face the prospect of a major data breach and the
huge commercial penalties that the GDPR is soon to introduce. Not to
mention the immense loss of consumer trust in your brand.

You have less than two years to future-proof your data privacy processes.
Be warned!