The European Union’s General Data Protection Regulation (GDPR) has shifted attention to the security and privacy of customer data. But more importantly, the regulation calls for enterprises to assess existing data security policies, processes and enforcement mechanisms — a practice that in my experience generally gets completed moments before an audit.
Data Security Takes the Lead
Compliance continues to be a main driver of data protection technologies such as encryption, tokenization, data loss prevention, and file access monitoring and alerting. Roughly half of the enterprise inquiries IDC receives about data security technologies, strategy and best practices result from a failed audit, a significant security incident or a data breach.
While many of these discussions seek to identify and examine subtle security solution differentiators, one common element is clear: The failed audit, security incident or data breach stemmed from a policy flub or process breakdown that resulted from a change to the environment — a new or altered business initiative or newly installed productivity software — that wasn’t fully vetted. It’s usually the “people” part of the people, process and technology equation that creates a cascading breakdown.
GDPR, which takes effect in May, isn’t very prescriptive. Its recommendations largely point to the need for a comprehensive data security strategy. The only technology recommendation specifically called out in the document is encryption.
The language of the regulation will be discussed and debated by legal teams until the first fines are levied and the measure’s true teeth are tested in court. The essential point is that meeting the spirit of the regulation requires a careful assessment of the existing state of an organization’s data security program, a possible refresh of data governance policies, a reconfiguring of existing security controls and potential process changes.
The Three Pitfalls
Undertaking such an exercise is no easy feat, and it must involve all stakeholders to avoid any possible missteps. I’ve noted the following pitfalls from discussions with auditors, enterprise chief information security officers (CISOs) and other security practitioners over the years.
1. Failure to Conduct a Comprehensive Assessment
Organizations must know where the most critical data resides. Understanding this requires both discovery tools and an actual discussion with data owners, business partners and other stakeholders. Organizations are creating and using data at an unprecedented level, and over the last several years, data has become richer and more unstructured.
IDC’s Digital Universe Study found that in 2017 the amount of data created, captured and replicated exceeded 10 zettabytes. The good news is that much of this data doesn’t need encryption and is rarely stored. But some of it requires attention. The question to ask data owners is: If exposed or lost, what data would be catastrophic to the business?
2. Failure to Adequately Deploy Security Controls
Organizations deploy encryption, implement data and file activity monitoring, and ensure adequate compliance automation and auditing, but they often fail to address the weakest and most likely pathway of an attack. A security incident generally takes place because an insider or external attacker bypasses these safeguards.
Such incidents may stem from enterprises historically investing in siloed security products. Security controls can’t be comprehensive unless they integrate with identity and access management (IAM) systems, endpoint security software, network security appliances, security information and event management (SIEM) platforms and other IT security tools.
3. Failure to Keep Pace With Change
Even organizations that properly implemented data protection have been victims of breaches. A review of insurance claims associated with data breaches found that some organizations fail to keep track of altered network infrastructure — alterations often due to shifts in business strategy. Key assets that need to be protected are sometimes forgotten.
Mistakes happen, too. Technology rarely solves the problem of human fallibility. For example, a security consultancy conducting a risk assessment at a healthcare organization found that even though financial files were stored on an encrypted server, the team deploying the server on the network assigned it to the guest Wi-Fi.
More Than One Bottom Line
GDPR measures shed light on how digital business transformation strategies at enterprises are impacting society. Sharp, competitive organizations are continuously analyzing customer data to provide new and improved services. The insight gleaned from this analysis attempts to identify and adapt to potentially disruptive changes and, in turn, create new business models, products and services that enhance the customer experience.
While the effective use of data results in improving operational efficiencies and organizational performance, IT teams need to consider the impact to their risk mitigation strategies. Consider the data that’s the lifeblood of your organization and allocate resources based on risk rather than simply addressing a compliance checklist.
Notice: Clients are responsible for ensuring their own compliance with various laws and regulations, including GDPR. IBM does not provide legal advice and does not represent or warrant that its services or products will ensure that clients are in compliance with any law or regulation. Learn more about IBM’s own GDPR readiness journey and our GDPR capabilities and offerings to support your compliance journey here.