There has been plenty of discussion about the impact of global data regulations on data security practices. Particularly with the implementation of the EU’s GDPR last year, organizations in every industry have been scrambling to develop new security practices to avoid fines and the associated bad press of an infringement (especially after the £183 million and $5 billion fines for British Airways and Facebook, respectively).
However, cybersecurity strategies based solely around compliance should still be considered the bare minimum in data security. Many organizations mistakenly believe that data privacy and protection regulations are there to protect their business, when the impetus behind many of these regulations is the protection of their customers’ data. Regulators understand that data breaches are still inevitable, so the real teeth within the regulations is for timely notification of affected customers.
What compliance regimes have accomplished, fortunately, is in changing the conversation that many security leaders are having with their executive team and board. Cybersecurity is no longer solely the domain of the IT team, as constant headlines have hammered home the point that senior leaders can, and will be held accountable in the event of a data breach.
Understanding what happened in a data breach
One of the strictest components of data privacy regulations is the requirement of timely reporting to authorities. In the case of GDPR, you have 72 hours to notify regulatory bodies of:
- which data sets were breached
- where these data sets are located
- when the breach occurred
(And that’s just the beginning – organizations also need to share why and how the breach happened, who’s impacted, their remediation plan, and more.)
Prior to the recent era of regulations and fines, many organizations wouldn’t be able to answer the above confidently. In fact, simply knowing where their data was located would have been beyond them. To illustrate the problem, IDC research has found that 82% of organizations have more than 10 copies of each database, and that’s likely to increase as we continue to capture more data across cloud and IoT environments.
The need for a risk assessment approach
Data discovery and classification is an important first step in your cybersecurity program, particularly for compliance reporting requirements. However, these measures don’t go far enough.
A thorough business risk assessment is essential for determining where your most sensitive or high risk data resides, what the negative financial outcomes could be, and what level of protection your organization should invest in to “buy down” that risk. Using models such as Infonomics, pragmatic security leaders understand that not all data is worth the same, so they use their discovery and classification compliance programs to understand where they need to take things one step further.
They then begin moving towards advanced policy application, activity monitoring, and user rights management to create a robust security posture. Also, these leaders invest in security analytics so that they can gain visibility into who accesses what data and how often, what potential threats are hitting their systems every day, and which ones are the most important. A side effect of this is the improvement in overall business efficiency, but the real goal is to drastically reduce the risk of a data breach.
Cybercriminals don’t simply shut up shop and find a new profession just because governments have implemented more stringent data security regulations. They are forever evolving their tactics and becoming more sophisticated, so it is up to your business to understand where you greatest risks lie, and what measures you are putting in place to protect them.