DATA REGULATIONS

IT'S TIME TO BE VERY READY!

WHEN THE GENERAL DATA PROTECTION REGULATION (GDPR) COMES INTO FORCE THIS MAY, IT WILL OVERHAUL HOW ORGANISATIONS STORE, SECURE AND MANAGE THEIR CUSTOMERS' DATA. SWINGEING PENALTIES AWAIT THOSE WHO FAIL TO COMPLY

When Cisco launched its first Privacy Maturity Benchmark Study in February this year, it found that 74% of privacy-immature organisations experienced losses of more than £350,000 in 2017 caused by data breaches. The countdown to GDPR has seen organisations investing in resources and processes to meet the new standards, states the report. However, with an increasing number of data breaches reported, vendors are asking more questions about the products they buy and the organisations they partner with, states Cisco. "This is causing significant delays in the buying cycle, due to concern about how data is captured, transferred, stored, and erased."

Cisco's research highlights the ways in which privacy maturity affects not only the length of the sales cycle but also cybersecurity effectiveness:

- Two-thirds of businesses report sales delays caused by customer data privacy concerns: customers are increasingly concerned about whether the products and services they buy will provide appropriate privacy protections that meet GDPR standards.

- Privacy-mature companies experience fewer breaches and smaller losses from cyberattacks: 74% of privacy-immature organisations experienced losses of more than £350,000 last year caused by data breaches, compared with only 39% of privacy-mature organisations.

GDPR DAY LOOMS

Data breaches are certainly having a massive impact. As Ian Kilpatrick, EVP Cyber Security for Nuvias Group, points out: "The General Data Protection Regulation (GDPR) will overhaul how organisations store, secure and manage their customers' data.
EU citizens will have extended rights that include the right to know what information is held about them, the right for that data to be removed, the right to data portability, and the right to be informed if there is a data breach. This data is known as PII (Personally Identifiable Information).

"Alongside that, the Network and Information Systems (NIS) directive applies to operators of essential services, such as water, energy, transport and health providers, and is aimed at ensuring they safeguard data against cyber-attacks. Like GDPR, the penalties for non-compliance are extremely high."

Yet according to research published recently by the Department for Digital, Culture, Media and Sport (DCMS), only 38% of UK businesses said they had heard of GDPR - and among those that were aware of it, just a little more than a quarter have made any changes in readiness for the new regulations.

"However, it's not too late to do something," states Kilpatrick. "The authorities know compliance is an ongoing process and want to see organisations showing willingness to comply. Understanding the data assets your organisation collects, holds and processes is the essential step in the planning stages to GDPR readiness. Once you have identified all the data types and sources you hold, you need to understand where it is stored and who can access it. Printed copies should be securely stored, with regular reviews to ensure the copies are still required. If not, securely destroy them."

24 computing security March/April 2018 @CSMagAndAwards

Electronic storage within a structured database should be relatively easy to recognise, maintain and protect. "The larger problem is unstructured data and knowing where PII, or personally sensitive information, is stored. Data discovery tools can search all mappable drives to find sensitive files (.docx, .xlsx, .pdf etc) that may contain the data that you are searching for - email addresses, phone numbers, credit card details, National Insurance numbers etc," he points out.

"Once you know where your unstructured sensitive files are stored, move them to a central repository from which you can defend access," he advises. "Set up processes and procedures to be able to respond in a timely fashion to Data Subject Access Requests (DSARs). Finding a citizen within your paper records will require a physical search. Finding a citizen within your CRM or other database should be accommodated from the application. The same tool that helped your organisation find sensitive files ought to discover specific subjects within unstructured data, allowing an organisation the ability to respond to DSARs within the 30 days prescribed."

BALANCING ACT

Too often, companies have to balance data protection risks with the pressure to move fast. GDPR tips the scales towards data privacy, meaning global businesses have to rethink how they provide secure access to data throughout their organisation, according to Jes Breslaw, director of strategy, EMEA at Delphix.

"We recommend the following tips for businesses when it comes to securing data," he says:

Start learning about DataOps - companies should be investigating the idea of DataOps. This approach assigns dedicated people and tools to manage and secure data across an organisation. DataOps enables data operators to know exactly what data is where, to be able to secure (mask) data that is sensitive and to ensure that data consumers still have access to the data they require, when they need it.

Govern data access - DataOps and Dynamic Data Platforms enable you to centrally control all non-production copies of your data and mask data at the same time. Data operators can manage who has access to

STARTLING LACK OF PREPARATION FOR GDPR

A recent survey of 118 professionals in North America by UBM showed that 98% of respondents view data governance as important, but only 6% said their firms were fully prepared for GDPR compliance. Key articles within the GDPR include what to do if a data breach occurs and how quickly an organisation must report it, the requirement of appointing a data privacy officer and that any organisation anywhere in the world that processes EU data must be GDPR compliant.

"For organisations that have embarked on becoming compliant, the key challenge is pulling together all of the disparate technologies and systems that need to be integrated, in order to meet what the actual regulation states," says Juliet Okafor, SVP of Global Security Solutions at Fortress Information Security. "Oftentimes, data resides in various systems with differing access policies. Organisations need to understand where this data is, how they use it, and then track and monitor the controls they have in place as part of their overall GDPR compliance requirements."
The complexities involved with GDPR compliance mostly revolve around the risks that are shared across the organisation, and typically involve procurement, legal, third-party risk, cybersecurity, privacy and enterprise risk teams, as well as senior management. "All of those stakeholders are a part of GDPR compliance and each has a shared piece of the GDPR mandate," she adds. "Collaboration across those groups solves GDPR compliance and the need for agreement."

However, organisations tend to have issues with regard to what happens to a customer's data. "That is, what security controls can be put in place that protect the data, but also allow the organisation to use the data to make decisions on future products. The organisation is typically attempting to limit or remove the risk associated with either a compromise or breach of data they've collected."

GDPR compliance is complex and will impact many departments. Integrating multiple technology solutions and updating internal processes and procedures is vital. "Organisations should look for solutions and partners that will help to solve GDPR-related issues and find someone who can articulate a clear vision to meet the implementation deadline," Okafor concludes.
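Two of the steps described above, Kilpatrick's discovery of PII in unstructured files (email addresses, phone numbers, card details, National Insurance numbers) and Breslaw's masking of sensitive data in non-production copies, are shown below in one small Python script. This is an added example written for this page; it is not code from the article, from Nuvias, Delphix or any other vendor it quotes. It assumes the files have already been extracted to plain text (a real discovery tool would parse .docx, .xlsx and .pdf first), and all document contents, paths and numbers are constructed sample data. The Luhn check illustrates the false-positive problem a practitioner hits immediately: most 16-digit order or ticket references are not card numbers and should not be flagged or masked.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Patterns for the four PII classes the article names. The lookarounds stop a
# match from starting or ending inside a longer digit run; the card class is
# additionally gated by a Luhn checksum below.
PATTERNS = {
    "email": re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b"),
    # UK numbers written as 0xxxx xxx xxx or +44 xxxx xxx xxx (spaces optional)
    "uk_phone": re.compile(r"(?<!\d)(?:\+44\s?\d{4}|\(?0\d{4}\)?)\s?\d{3}\s?\d{3}(?!\d)"),
    # 13-19 digits, optionally grouped with spaces or hyphens
    "card": re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)"),
    # NI number: two letters (D, F, I, Q, U, V never used; O not in second
    # position), six digits, suffix letter A-D
    "ni_number": re.compile(
        r"\b[A-CEGHJ-PR-TW-Z][A-CEGHJ-NPR-TW-Z]\s?\d{2}\s?\d{2}\s?\d{2}\s?[A-D]\b"
    ),
}


def luhn_ok(digits: str) -> bool:
    """Luhn checksum over a digit string: card numbers pass, most order ids fail."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right, fold to one digit
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def _is_real_card(value: str) -> bool:
    return luhn_ok(re.sub(r"\D", "", value))


@dataclass(frozen=True)
class Finding:
    doc: str    # path of the file the value was found in
    kind: str   # PII class, one of the PATTERNS keys
    value: str  # the matched text


def discover(documents: dict[str, str]) -> list[Finding]:
    """Discovery pass: every PII hit across the documents, so the files that
    hold PII can be moved under central access control."""
    findings: list[Finding] = []
    for doc, text in documents.items():
        for kind, pattern in PATTERNS.items():
            for match in pattern.finditer(text):
                value = match.group(0)
                if kind == "card" and not _is_real_card(value):
                    continue  # digit run that fails Luhn: not a card number
                findings.append(Finding(doc, kind, value))
    return findings


def mask_text(text: str) -> str:
    """Masking pass: a copy safe for non-production use. Cards keep their last
    four digits (enough to reconcile a refund); other classes become a token."""
    def replacement(kind: str):
        def repl(match: re.Match) -> str:
            value = match.group(0)
            if kind == "card":
                if not _is_real_card(value):
                    return value  # leave non-card digit runs untouched
                digits = re.sub(r"\D", "", value)
                return "*" * (len(digits) - 4) + digits[-4:]
            return f"<{kind.upper()} REDACTED>"
        return repl

    for kind, pattern in PATTERNS.items():
        text = pattern.sub(replacement(kind), text)
    return text


# Constructed sample documents (already extracted to text); no value here
# belongs to a real person. The card number is a constructed one that passes
# Luhn; the "ticket ref" has the same shape but fails it.
DOCUMENTS = {
    "hr/onboarding.txt": (
        "New starter Jane Doe, NI number AB 12 34 56 C, contact "
        "jane.doe@example.com or 07700 900123."
    ),
    "finance/refunds.txt": (
        "Refund to card 4539 1488 0343 6467 approved. "
        "Ticket ref 1234 5678 9012 3456 is an order id, not a card."
    ),
    "ops/runbook.txt": "Restart the batch job nightly at 02:00; no customer data here.",
}

if __name__ == "__main__":
    for f in discover(DOCUMENTS):
        print(f"{f.doc}: {f.kind} -> {f.value}")
    for doc, text in DOCUMENTS.items():
        print(f"[masked] {doc}: {mask_text(text)}")
```

Running it lists three hits in the HR file and one in the finance file, and none in the runbook; the masked finance copy keeps the ticket reference intact while reducing the card number to its last four digits. The same `discover` pass, with a name or email address substituted for the patterns, is the building block for locating a specific data subject across unstructured files when answering a DSAR.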