Ensuring the confidentiality, integrity and availability of data has become increasingly vital for organisations, especially recently, with advanced cyber attacks continuing to break through the defences of global organisations and compliance regulations mounting. There seem to be two main areas in particular, when preparing for the General Data Protection Regulation (GDPR), that encompass common challenges for businesses today: a lack of visibility and adapting to change.
Lack of visibility
Despite the noise surrounding GDPR right now, global businesses are still unaware of how they will be uniquely affected by it. According to our new 2017 Risk:Value report, for which NTT Security surveyed 1,350 decision makers in businesses across the globe, just 67 per cent of respondents knew where their data was held.
With all the hype surrounding various data compliance and visibility technologies and expertise, there still seems to be a reactive, bolt-on approach prevailing across the market. With cloud, Internet of Things (IoT) and digital workforce mandates being handed down from senior management, prioritising GDPR can be difficult. It reminds us that a more built-in approach to security and privacy needs to be adopted so that they form part of the enterprise security architecture rather than an afterthought.
The perimeter continues to expand, and data no longer resides in one or two places but is constantly in transit, often in an automated manner. This makes data discovery and data mapping incredibly complex, especially in IoT environments made up of various applications, devices, sensors and controllers that transmit data using a wide range of unique and native communication protocols.
Adapting to change
Many organisations will find it difficult to accept that this is not just another data protection regulation but a potentially disruptive change to operations. Potentially one of the most impactful requirements of the new regulation is that businesses must report a breach within 72 hours. This is expected to significantly affect a large number of organisations, especially those that do not already have a plan in place. In fact, findings from the Risk:Value report show that less than half of the companies surveyed have an incident response plan in place. This raises the need for organisations to adopt a robust critical incident response plan, as well as the ability to significantly reduce the time it takes to detect and respond to an attack. This can be resource-intensive and often requires partnership with a managed security service provider.
With ‘Privacy by Design’ a core requirement of GDPR, organisations will be required to make fundamental changes to the design of their systems, applications and projects. However, this should also be seen as an opportunity to build on the privacy engagement with the business and address other key areas of an Enterprise Security Architecture for ‘Security by Design’. This can seem like a daunting vision, but there will be more disruptive changes to come in the future, in the form of stringent regulations or sophisticated cyber attacks. Therefore, organisations need to have an adaptable enterprise security architecture in place in order to address these challenges seamlessly, in a timely and effective manner.
To summarise, the challenges of data visibility and adapting to change are clear, but addressing them often feels like taking one step forwards and two steps back. Complying with GDPR therefore requires organisations to approach these challenges the other way round: taking one step back (gaining perspective by stepping back and assessing the requirements in context) and two steps forward (implementing and managing a tailored programme).
To find out how other businesses around the world are addressing GDPR and information security risk, please download the 2017 Risk:Value report here: www.nttsecurity.com/RiskValue2017