GDPR is a set of security best practices, not a burden
The General Data Protection Regulation (GDPR) that takes effect May 25th 2018 is still raising serious compliance concerns for most UK companies, according to a Bitdefender survey. With companies becoming more enthusiastic in deploying hybrid infrastructures that involve leveraging the capabilities of both the public and the private cloud, 85 percent of UK respondents agree encryption is the most effective way to secure public cloud data.
Interestingly, only one third of UK respondents actually secure between 31 and 60 percent of cloud-stored data, while 21 percent encrypt everything stored within the public cloud. With GDPR placing tough restrictions on how "any information relating to an identified or identifiable natural person" is handled, encryption plays a vital role in achieving compliance.
GDPR in a nutshell
The proliferation of internet services designed to offer customer-tailored experiences has led to an increase in technologies designed to track customer behaviour across various domains and create virtual profiles based on the monitoring. Consequently, discussions about what information is collected from users -- with or without their explicit consent -- has raised a wave of privacy debates and concerns that the European Union decided to address through the General Data Protection Regulation (Regulation (EU) 2016/679).
The new legislation, which applies to all EU citizens, is designed to place responsibility and accountability on companies that handle personally identifiable information, such as a name, a home address, photos, email addresses, bank details, social networking posts, medical information or even a computer’s IP address, and that fail to ensure this "personally identifiable" information is properly secured. Because the legislation aims to protect EU citizens’ rights, it also applies to non-EU companies that process personal data of EU residents.
While GDPR doesn’t specifically mention tools or technologies to achieve this, companies are turning to encryption for both in-transit and at-rest data to attain the level of privacy and security required by the new legislation.
Failure to provide "sufficient" data protection for sensitive customer data carries a fine of up to four percent of the company’s annual turnover, or up to €20 million (whichever is higher), which is why six in seven UK IT decision makers are concerned with the security of the public cloud when storing data. While half of respondents believe cloud migration has increased the attack surface for cybercriminals, only one in six actually encrypt data already migrated.
Are UK companies GDPR compliant?
With Gartner predicting that half of companies will be impacted by non-compliance with GDPR by the end of 2018, the type of information that’s most often encrypted relates to information about clients (36 percent), financial info (31 percent), product info and specs (35 percent), backups (28 percent), research into competitors (14 percent) and intellectual property (15 percent).
The survey also revealed that 76 percent of UK IT decision makers rely on the same endpoint security solution to protect both physical and virtual workloads, while only 20 percent have implemented different security tools. In light of this, it seems that UK companies might risk non-compliance, and fines, when the new legislation takes effect.
What’s interesting is that 40 percent of CISOs have serious security concerns about the public cloud, yet not all information stored there is actually encrypted. GDPR compliance -- and security best practices -- dictate that all data, regardless of whether it is at rest or in transit, should be encrypted so that a security breach does not turn into a data leak.
It seems that, at least in terms of security, UK companies are still struggling to become fully compliant with the General Data Protection Regulation, although some industry verticals -- such as financial and healthcare -- are already heavily regulated. While this may imply that they are already compliant with at least some aspects of GDPR, it does not mean they are fully compliant.
In light of recent malware advancements that specifically target companies and infrastructures -- also known as advanced persistent threats or sophisticated attacks -- companies suffering a data breach that involves the loss of sensitive customer data are more at risk than ever.
What’s to be done?
Without proper security defenses tailored to address the challenges brought about by digitalization, such as hybrid infrastructures, software-defined datacenters, and even hyperconverged infrastructures, organizations face much more than non-compliance; they also face financial and reputational damage. While some organizations might believe that relying on cyber insurance could cover data breach costs, the reality of GDPR is that organizations will not escape the legislative implications.
The first step for companies to become security-compliant -- and implicitly, GDPR-compliant -- is to assess what their critical data is, where it is stored and how it is stored. Using the private cloud in conjunction with strict access, authorization and accounting controls will ensure that both sensitive customer data and critical company assets, such as intellectual property documents, are not accessible to unauthorized third parties.
While the public cloud can be used for scalability and customer-facing services, that should not mean a lack of encryption or security controls. With companies worried about increased IaaS costs caused by elastic cloud computing power, security tools for virtual workloads are sometimes regarded as unnecessary because of performance penalties. However, there are security solutions designed for virtual workloads that are optimized specifically for virtual infrastructures and come with minimal performance overhead without weakening the overall security posture.
The General Data Protection Regulation should not be regarded as just another legislative barrier to overcome, but as a set of security best practices that, once implemented, have significant return value on a medium to long-term basis and provide an opportunity to improve data governance and customer satisfaction.
Half of UK companies perceive lack of visibility, lack of infrastructure-agnostic security and lack of predictability as their top security challenges. All of these challenges can be easily addressed with the proper security tools and technologies that are, by design, built to offer single-pane-of-glass visibility into any infrastructure, across any environment.
Liviu Arsene, senior e-threat analyst for Bitdefender.