CS Mar-Apr 2020
expert insights
WHY CYBERSECURITY POLICY & GDPR COMPLIANCE AREN'T SO DIFFERENT
THE COMBINED FORCES OF FURTHER REGULATION AND NEW TECHNOLOGY WILL UNDERPIN DATA SECURITY IN THE YEARS AHEAD, ARGUES ROBERT ALLEN - EUROPEAN DIRECTOR OF MARKETING & TECHNICAL SERVICES AT KINGSTON TECHNOLOGY
Over the last decade, data has become the world's most precious commodity. The largest technology organisations have grown into empires and, following this shift, regulators and governments have now awoken to the value of data and begun to treat it accordingly. New data security laws, such as GDPR, affect companies and individuals across the world. And as organisations adopt further digital technology, the cybersecurity threat has grown, as the rewards for gaining unlawful access to data become more lucrative. Historically, the emergence of new technology in other industries has always been followed by regulation, usually because it quickly becomes obvious that without clear standards, those industries can create products that could cause serious risks. But until recently (arguably, still) there has been a 'wild west' attitude to digital technology. Risk is still tricky to quantify, let alone manage, and many companies still do not treat data security seriously, even with the threat of regulatory fines in place.
Cybersecurity threats are similarly not taken seriously or even well understood in companies. If they were, password reuse wouldn't be prevalent, nor would reliance on outdated software or the widespread use of unencrypted devices. We all know there are multiple threats to digital security that require multiple solutions. But it's clear the companies that consistently maintain a clear approach to data management have been able to meet regulatory compliance better than those who had to scramble to meet the 2018 regulation date. GDPR has demonstrated that, by prioritising data security and data protection over the long term, a firm will be in better shape to meet the regulation that will surely follow further down the line. Prioritising and investing in both together is simply good business practice.
A combination of further regulation and new technology will drive data security over the next decade. David Clarke, CTO at GDPRUK.EU and founder of the GDPR Technology Group on LinkedIn, agrees. "Cybersecurity technology will need to adapt to the many global regulatory environments to protect data and manage the appropriate and fair use of personal data, protect the vulnerable in our society, from managing dataveillance and preventing online harms. Data is already regulated; the next big challenge is the regulation needed to manage and monitor behaviours in a world of zero-knowledge identification."
With a workforce as likely to be working with sensitive company data when travelling or at home as in the office, transporting data to and from these locations is a key security weak point. But when a business deadline needs to be met, it's all too easy to quickly transfer crucial documents to the first USB stick you find in a drawer. Rather than outright banning USB storage, there are secure products, such as Kingston IronKey D300, that can mitigate this risk, with on-device hardware encryption that ensures that, if a device is lost or stolen, the thief will not have access to any of the data, which may be more valuable than the hardware itself. The drive is designed from the ground up with security in mind, and attack vectors have been carefully considered, from tamper-evident materials to a secure password input method designed to foil key loggers.
However, it seems that even our own government isn't sending the right message on security. Recently, it was revealed that the UK government lost 2,004 mobiles and laptops in 12 months [1], from critical government departments. Many were stolen and 200 of these devices were unencrypted, with potentially sensitive data accessible to all. If security is best led by example, then more joined-up thinking from above would encourage better practices across the board.
[1] https://www.bbc.com/news/technology-51572578
computing security Mar/Apr 2020 @CSMagAndAwards www.computingsecurity.co.uk