Is it time to batten down the hatches on security?
After the flood of activity ahead of the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, a great silence seems to have descended. But this may just be the calm before the storm. It does not mean the rules are not being enforced. They are, and unless those businesses that have so far buried their heads in the sand on GDPR act swiftly to protect themselves, they could soon find themselves in trouble.
Fines totalling €56 million have already been issued, the most prominent of which was the €50 million handed to Google in France. In Poland, Portugal and Spain, companies have been fined several hundred thousand euros. Germany has imposed 42 fines, averaging €16,100, and issued 58 warnings. The Netherlands has handed out over 1,000 warnings but issued only one fine – although at €600,000, this was one of the highest yet.
Other countries, such as Slovakia and Sweden, are yet to issue a single penalty. In fact, fines have only been imposed in seven countries so far. But that does not mean other countries won’t start to enforce the rules at some point.
The weakest link
Why are these companies falling foul of GDPR? One reason is that all the focus to date has been on email lists and updating internal documents. Not enough has been done to safeguard the network and prevent hackers and cybercriminals from penetrating defences and accessing sensitive information.
Even if data management and procedures are GDPR-compliant, they can be rendered worthless if the perimeter security of the network is breached. This is a big challenge for businesses. Cybercriminals are using increasingly sophisticated methods and the harsh truth is that no network can be made unbreachable. Thankfully, that is not what GDPR requires. It simply specifies that organisations must do everything in their power to protect data.
The time is now
At this stage, however, it appears that most businesses would fail to prove that their network is as secure as it can be. They need to step up their game soon, because there is every indication that the authorities are going to increase their activity on GDPR. While action to date has been relatively limited, Ernst and Young expects the rules to be enforced more stringently from now on and the number of fines to increase.
This is something all businesses need to take seriously. Remember, companies are risking fines of up to €20m or 4% of global annual turnover, whichever is higher, if they are found to be in breach of GDPR. It is time to batten down the hatches.
There are practical steps all companies can take to increase protection on their networks. First of all, instead of relying on out-of-the-box anti-virus software, they should make use of the more comprehensive cybersecurity tools that are now widely available. For example, Advanced Threat Protection (ATP), once considered a specialist technology, is now much more accessible and affordable. It enables businesses to monitor and protect their network in real time. This will be crucial as attacks grow in number and become more sophisticated.
Caught in a storm
They should also review all their network defences, preferably with the help of a network security expert or partner, to ensure everything is up to date and providing an appropriate level of protection. They should also step up their game on internal security awareness and education, to ensure that staff know how to handle data safely and how to spot the signs of a potential cyberattack or threat.
It is not too late to make sure the network is as safe and secure as it can and should be. But as authorities all over Europe get ready to up their game on enforcement, the clouds may be gathering around GDPR. All businesses need to take positive and decisive action now to ensure that they do not get caught in the storm.