View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Technology
  2. Cybersecurity
November 1, 2016

Is your security strategy just ‘fine’?

Code42's Nic Scott looks at how businesses should seek to revise their security strategies in order to avoid fines following the GDPR implementation.

By Ellie Burns

If UK CSOs and CISOs approach 2018 with the assumption that their security strategy is fine, the consequences may be just that — specifically an £11m fine for the enterprise, and £13,000 for SMEs on average. In fact, the total financial penalty for organisations that fail to implement adequate data security measures could reach £122bn once the General Data Protection Regulation (GDPR) comes into force in 2018, according to the Payment Card Industry Security Standards Council.

What is more worrying is that these staggering figures are a conservative estimate.

Nic Scott, MD UK & I at Code42.

Nic Scott, MD UK & I at Code42.

They are based on data breach rates from 2015, which, if current trends continue, will have increased markedly by 2018. The predictions are based on the laws set out in the GPDR, which states that organisations can expect a fine of up to €20m or 5% of annual turnover if they fail to adequately safeguard customer data against a breach, or fail to report it to the supervisory authority within 48 hours. But businesses have been aware of the upcoming GDPR for months, and still have years to prepare, so why are the predicted non-compliance rates so high?

Banking on Brexit

Although the implementation of the GDPR has been pending for some time, it is an EU ruling that will affect member states only. As a result, it seems that the UK’s decision to ‘Brexit’ may have caused confusion amongst businesses as to whether the legislation will still apply to them. The answer is a resounding ‘yes’.

Regardless of the eventual terms of Brexit, the UK may not split from the European Union entirely until as late as 2020, depending on when Article 50 is invoked. During the transition period, the UK will still adhere to EU laws. This means there will be a crossover of at least one year (2018) where Britain is still bound by EU legislation, including the GDPR.

Furthermore, the UK is highly likely to negotiate a new trade deal with the EU once Brexit has been completed. In doing so, it is almost certain to require adherence to data protection standards of at least GDPR level. Therefore, making the requisite adjustments to a data security strategy represents a wise investment for any UK organisation.

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

It is also noteworthy that any initial outlay on improving data protection would be minimal by comparison to the financial and reputational costs that a breach can incur — prevention in this case is always much cheaper than a cure.

Solidifying data strategy

According to Code42’s 2016 Datastrophe Study, in which over 400 UK IT decision makers (including CIOs and CISOs) were surveyed, 50% of them acknowledged that the security measures they have in place currently will not be enough to meet GDPR standards. Therefore, the first thing that CIOs and CISOs need to do in order to become GPDR–compliant is to identify vulnerable areas of their security stack, and upgrade them accordingly.

A truly comprehensive security implementation is comprised of a range of solutions providing complementary functions, such as  anti-virus programs, breach detection solutions, deception technology, encryption tools, and endpoint backup and real-time recovery systems. Any weak link in the chain can dramatically increase the chances of a breach, so it is essential that organisations utilise best-in-class solutions in each area.

Be prepared for the worst

Unfortunately, given the rapid evolution and widespread nature of online threats, most businesses will suffer a breach at some stage. This means that security professionals must be prepared for the worst. In such a worst-case scenario, IT departments must be able to identify, mitigate, recover, and report breaches within 48 hours, in order to be GDPR compliant.

The ability to identify breaches and mitigate damage is complicated by modern working habits, and the ways in which employees access corporate data. Much if it is now stored outside the confines of the traditional data centre, on endpoint devices such as laptops and tablets. In an attempt to streamline working processes, employees frequently make use of third-party cloud sharing solutions (often referred to as ‘shadow IT’). As a result, the enterprise’s cyber defence strategy must reflect this shifting trend towards mobile computing.

So how best to avoid potentially crippling fines? The GDPR is inevitable, so roll out the right solutions, and educate your employees to be security-savvy. Pre-empt shadow IT by developing internal policies that promote accessibility and flexibility. And ensure you have complete visibility over your data, wherever it resides.

Topics in this article : , , ,
Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.