Organisations will no doubt have been hearing more and more about the General Data Protection Regulation (GDPR) of late.
This EU-wide legal framework will hold companies more accountable than ever for how they control and process personal data.
Applying from May 2018, the GDPR will financially penalise organisations that are established in the EU, or that process the personal data of people in the EU, should they fail to adequately safeguard that data against a breach, or fail to report a breach to the supervisory authority within 72 hours of becoming aware of it (unless the breach is unlikely to result in a risk to the individuals concerned).
The worst-case scenario for a business that is not GDPR compliant is a potentially crippling fine of up to €20m or 4% of its annual worldwide turnover, whichever is higher.
In fact, according to recent research by the Payment Card Industry Security Standards Council, if the GDPR had been in effect during 2015, UK organisations, from enterprises to SMEs, would have been fined a cumulative total of £122 billion in 12 months. That works out, on average, to an £11 million fine for each affected enterprise and £13,000 for each affected SME.
If breach rates continue to rise as they have done year-on-year in recent history, the total amount of those prospective fines will be even greater in 2018.
Of course, fines are only one part of the puzzle. The damage from a breach that involves personal information may reach far wider than ‘just’ a monetary penalty, and this kind of brand damage can be far harder for an organisation to recover from; TalkTalk is a case in point.
So, why are so many organisations still at risk?
There is no single answer, but the question itself paints a concerning picture of the cyber security policies of many UK businesses.
Could it be Brexit?
Although the GDPR was formally adopted in 2016, with a fixed application date of May 2018, many companies still seem to be waiting to see how Brexit will play out.
Because the GDPR is an EU regulation, the UK’s decision to leave the EU has put a metaphorical spanner in the works. It is worth remembering, though, that the regulation is not limited to member states: it also applies to organisations outside the EU that offer goods or services to, or monitor the behaviour of, people in the EU.
The critical flaw with the ‘wait and see’ argument is that there will certainly be some overlap between the GDPR coming into force and Britain potentially exiting the European Union.
Article 50 sets a two-year negotiation period, so should the government invoke it tomorrow, for example, there would still be nearly half a year in which the UK would have to abide by the regulation, and in practice the overlap is likely to be a lot longer than six months.
In addition, the UK will likely want to continue trading in the Single Market, which will require a new trade deal with the remainder of the continent.
Equally likely is that the EU will demand data protection and accountability legislation on a par with, or more stringent than, the GDPR as a condition of an adequacy decision, so that UK organisations can keep receiving personal data from, and doing business in, the European Economic Area (EEA).
Put quite simply, it is not worth waiting.
Organisations must act now, and implement a comprehensive and accountable data security strategy.
Just because businesses may be at less risk of a fine for 18 months does not mean that they are immune to the fallout of a breach.
Additionally, there is little excuse not to invest in cyber security now.
The initial outlay to improve data protection is likely to be much less than the knock-on financial and reputational costs of a data breach. In this case, prevention is almost always far cheaper than a cure.
Boost your security stack
The unfortunate truth is that no organisation is immune to external and internal threats when it comes to data security.
There are however steps that organisations can take to significantly reduce their risk.
Should the worst happen, they can then demonstrate to the supervisory authority that appropriate technical and organisational measures were in place and that they did what they could to limit the damage of the breach. The GDPR’s accountability principle means that being able to evidence those measures matters almost as much as having them.
An effective security implementation is made up of a range of solutions which together provide a net of protection.
This could include anti-virus programs, deception technologies, encryption tools, breach detection solutions, endpoint backup and real-time recovery systems.
No single one of these tools is sufficient on its own; it is only when they are layered and working in unison that the risk of a data breach is meaningfully reduced.
You will get hacked at some stage
The enterprise environment today is made up of three sorts of organisations — the lucky ones that are running on borrowed time, those that have been breached, and those that have been breached and don’t know about it.
This means that security professionals and IT departments must be prepared at all times to identify, contain and recover from breaches, and to report them to the supervisory authority within 72 hours of becoming aware of them, in order to be GDPR compliant. The clock starts at the point of awareness, so a breach that goes undetected for months is still a reportable breach once it is found, and the ability to establish quickly what data was affected is essential.
Of course, the modern BYOD environment has made it much harder for organisations to keep track of sensitive corporate information, with much of it stored on laptops and tablets outside the confines of the traditional data centre. This is where endpoint monitoring and backup can play a vital role, both in limiting data loss and in reconstructing what was exposed when a report has to be made.
The GDPR is inevitable, whether it is with us for months or years.
So, roll out the right solutions, focus on helping your employees understand what it means to be security-savvy, and develop internal policies that promote accessibility and flexibility whilst maintaining visibility over company data, whether on premises or off.
Sourced by Nic Scott, managing director UK & I at Code42