On May 25, 2018, the E.U.’s General Data Protection Regulation (GDPR) comes into force. Despite the Brexit negotiations, U.K. companies, and even U.S. data centers holding data on customers in the E.U., will have to comply. In fact, under Article 3, any company anywhere in the world that offers goods or services to, or monitors the behaviour of, people located in the E.U. must adhere to GDPR. Interestingly, PricewaterhouseCoopers (PwC) finds in its GDPR Preparedness Pulse Survey that GDPR compliance is a top data-protection priority for 92% of U.S. organizations in 2017.
Journalist Nick Ismail also reports in his article “What are US companies’ view on GDPR?” that “nearly all of the respondents considered compliance with Europe’s landmark General Data Protection Regulation (GDPR) a top priority on their data-privacy and security agenda in 2017—with over half of respondents saying it is ‘the’ top priority and 38% saying it is ‘among’ top priorities. The survey examines ‘why US companies are willing to spend $1 million or more on GDPR readiness plans.’”
Article 5 of the regulation sets out the principles that apply to all personal data, not only the sensitive categories, and Article 5(1)(f) covers its security. It requires that data be “processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures.”
Organizations must therefore comply by auditing regularly and by understanding the biggest threats to their businesses. Nigel Wright, Managing Director of Legal Futures Associates, highlights some of them in his blog post “The Five Biggest IT Threats to Your Firm’s GDPR Compliance.”
The first threat is an overly relaxed attitude towards security—particularly when you’re opening new offices, merging or acquiring another firm. The process of merging and securing all of the IT systems based in various locations is arduous and challenging. Often, companies assume they’re following all the necessary security guidelines, but they need to test this assumption rather than take it for granted. Forethought, precautions and hard work will pay off.
Wright points out that a data breach can result from a failure to update or patch software or operating systems. After a breach you would have to show that you had done all you reasonably could to comply with GDPR, and if you can’t, the fines are severe: Article 83 allows up to €20 million or 4% of worldwide annual turnover, whichever is higher. Audits should therefore take a broad view of your IT estate to ensure that everything is covered, so that if a disaster does strike, you can show that you took all the necessary steps to protect the customer, supplier and employee data you keep.
Held for Ransom
Wright says the second threat is a lack of protection against cyber attacks. With the frequency of attacks increasing, organizations must invest in solutions to protect their systems and data. Alex Hern reported in The Guardian on June 15, 2017, that even University College London had suffered a ransomware attack, which brought down UCL’s shared drives and student-management system. “The attack has also led to a number of hospital trusts suspending their email servers as a precautionary measure, in an attempt to prevent the repetition of last month’s damaging WannaCry epidemic,” he wrote.
The first line of defense is to train employees to recognize ransomware and understand its potential impact on the organization. They must also learn what to do, and what to avoid doing, so that they don’t find the company’s servers locked down with a ransom demand: in particular, how to tell a legitimate email from a phishing email, and how to spot a download that may carry malicious code giving an attacker access to company systems. Training lowers the click rate but never eliminates it, so it has to be backed by the technical controls covered below: prompt patching and offsite backups that are regularly tested.
The third point is that your organization needs a policy to ensure that passwords are strong. Traditionally, organizations force their employees to change their passwords frequently. Although doing so offers a degree of security, people tend to forget new passwords, and it gets worse the more often they change them. Employees are then tempted to create passwords that are too short and too weak, or to recycle the old one with a digit appended. Companies should therefore have a password policy that guides authorized users in creating strong, secure passwords that they can also remember; current guidance such as NIST SP 800-63B favours length, screening against lists of known-breached passwords and no routine expiry over composition rules and forced rotation. An appropriate password policy should also reduce calls to the IT help desk, allowing IT to focus on more strategic projects and day-to-day operations.
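As an added illustration, not code from the article or from Bridgeworks, the following Python sketch implements the kind of policy the paragraph describes: it favours length and a screen against known-breached passwords over forced rotation, and it specifically catches the “old password plus a digit” habit that rotation encourages. The minimum length, the breached-password set and the sample inputs are assumptions constructed for the example; a real deployment would load a full breach corpus.

```python
"""Password-policy check that favours length and breach screening over forced rotation.

Added example, not from the original article. MIN_LENGTH, the BREACHED set and
the sample inputs are assumptions constructed for illustration; a real
deployment would load a full breach corpus instead of this hand-written set.
"""
import unicodedata

MIN_LENGTH = 12    # assumption: long passphrases beat complexity rules
MAX_LENGTH = 128   # do not penalise long passphrases
TRAILING_SYMBOLS = "!@#$%^&*.?-_"
DIGITS = "0123456789"

# Constructed sample of commonly breached passwords (lower-cased).
BREACHED = {
    "password", "password1", "123456", "qwerty123", "letmein",
    "welcome1", "summer2017", "changeme",
}


def _variants(password):
    """Forms of the password to look up in the breach list.

    Users asked to rotate often append a digit or symbol to an old password,
    so 'Password1!' is checked as 'password1!', 'password1' and 'password'.
    """
    lowered = unicodedata.normalize("NFKC", password).lower()
    no_symbols = lowered.rstrip(TRAILING_SYMBOLS)
    no_digits = no_symbols.rstrip(DIGITS)
    return {lowered, no_symbols, no_digits}


def check_password(password, username=""):
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if len(password) > MAX_LENGTH:
        problems.append("longer than %d characters" % MAX_LENGTH)
    if any(v in BREACHED for v in _variants(password)):
        problems.append("matches a known-breached password")
    # Reject passwords built from the account name (ignore very short names).
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    # Catch trivial repetition such as 'aaaaaaaaaaaa'.
    if len(set(password.lower())) < 4:
        problems.append("too few distinct characters")
    return problems


def is_acceptable(password, username=""):
    """True when the password passes every check above."""
    return not check_password(password, username)


if __name__ == "__main__":
    for pw in ("Password1!", "Summer2017!", "correct horse battery staple"):
        print(pw, "->", check_password(pw) or "accepted")
```

Note that there is deliberately no expiry date in the policy: a password that passes these checks stays valid until there is reason to believe it has been compromised, which is what removes the incentive to pick something short and predictable.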
I mentioned his fourth point earlier in this article: the risks associated with out-of-date operating systems and software generally. The recent attacks on organizations still running Windows XP, out of support since April 2014, and unpatched Windows 7 machines have shown what happens once a system stops receiving security patches: every newly disclosed flaw stays open, and attackers can exploit it at leisure. So you need to audit all your hardware and software, including anti-malware and antivirus software, and record for each system whether it is still supported and when it was last patched.
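As an added example, not code from the article or from Bridgeworks, here is the audit step above expressed as a small Python check over an asset inventory: each host is compared against a table of vendor end-of-support dates and a maximum patch age, and anything unsupported, unpatched or unknown is reported. The inventory records, the audit date and the 30-day patch threshold are assumptions constructed for illustration; the end-of-support dates for Windows XP, Windows Server 2003 and Windows 7 are Microsoft’s real extended-support end dates.

```python
"""Flag assets running unsupported operating systems or lacking recent patches.

Added example, not from the original article. The inventory records, the
audit date and the patch-age threshold are constructed for illustration; the
end-of-support dates for Windows XP, Windows Server 2003 and Windows 7 are the
real Microsoft extended-support end dates.
"""
from datetime import date

END_OF_SUPPORT = {
    "Windows XP": date(2014, 4, 8),
    "Windows Server 2003": date(2015, 7, 14),
    "Windows 7": date(2020, 1, 14),
}

# Constructed inventory: in practice this would come from a CMDB, a WSUS/SCCM
# export or an endpoint agent rather than be typed by hand.
INVENTORY = [
    {"host": "fileserver01", "os": "Windows Server 2003", "last_patched": date(2017, 5, 2)},
    {"host": "reception-pc", "os": "Windows XP", "last_patched": None},
    {"host": "hr-laptop07", "os": "Windows 7", "last_patched": date(2017, 2, 10)},
    {"host": "dev-ws12", "os": "Windows 7", "last_patched": date(2017, 6, 20)},
    {"host": "lab-box", "os": "SomeVendorOS 3", "last_patched": date(2017, 6, 25)},
]


def audit(inventory, today, max_patch_age_days=30, warn_days=365):
    """Return {host: [issues]} for every asset that needs attention.

    An asset with no recorded end-of-support date is reported too: an OS
    the audit cannot classify is a gap in the audit, not a clean result.
    """
    findings = {}
    for asset in inventory:
        issues = []
        eos = END_OF_SUPPORT.get(asset["os"])
        if eos is None:
            issues.append("no end-of-support date on record; review")
        elif eos <= today:
            issues.append("unsupported since %s" % eos.isoformat())
        elif (eos - today).days <= warn_days:
            issues.append("support ends %s; plan migration" % eos.isoformat())
        last = asset.get("last_patched")
        if last is None:
            issues.append("no patch record")
        else:
            age = (today - last).days
            if age > max_patch_age_days:
                issues.append("last patched %d days ago" % age)
        if issues:
            findings[asset["host"]] = issues
    return findings


if __name__ == "__main__":
    for host, issues in sorted(audit(INVENTORY, date(2017, 6, 30)).items()):
        print(host + ":", "; ".join(issues))
```

Run on the constructed inventory with an audit date of 30 June 2017, the XP and Server 2003 hosts are reported as unsupported, the Windows 7 laptop is reported for a stale patch level, and the host with an unknown OS is flagged for review; only the recently patched Windows 7 workstation passes.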
The fifth threat Wright mentions is a weak backup, business-continuity and disaster-recovery plan. I will add a sixth: the need to have the right data-acceleration solution in place, such as PORTrockIT, so that you can mitigate data and network latency rather than let it slow your backups and restores to the point where an attacker has the advantage. Such a solution also lets you encrypt your data at the source, before it leaves the server (encrypted traffic is something conventional WAN optimization cannot deduplicate or compress), and uses machine learning to permit secure and efficient backups as well as the fast data recovery that GDPR requires.
Backing up your data is crucial. “Data is, without doubt, one of the greatest assets to any business enterprise, especially with GDPR coming into force next year. A commitment to backing up your data is therefore a crucial component of ensuring continued business success,” wrote Clare Hopping in an IT Pro article. And she’s right: your data requires your attention because it’s what makes your business profitable. So you must invest in the right solutions.
Hopping says the problem is that “research by StollzNow revealed that a staggering 49% of businesses have reported data loss in the last 2 years. With half of all businesses surveyed experiencing data loss, it’s clear that this is an extremely widespread and serious issue with potentially diabolical consequences.” The study also found that more than 50% of SMBs fail to back up their data, which puts them at risk. Even more worrying, 85% of these SMBs have no offsite backup capability.
So the audits need to consider all potential consequences. Without them, your organization may find that it has left itself open to an attack, or to a complete disaster, because it failed to back up regularly. You should also carry out regular failover testing to ensure that if one system or data center goes down, you can continue to operate from another; a backup that has never been restored is not a tested backup.
The quickest way to do so is with a data-acceleration solution that delivers short recovery-time objectives (RTOs, the maximum tolerable time to restore service) and recovery-point objectives (RPOs, the maximum tolerable data loss, measured as the time since the last usable backup). You’ll then be able to protect your data and recover or maintain your business operations effectively and efficiently whenever disaster strikes.
The good news is that you don’t necessarily have to buy new network, storage and IT infrastructure to comply with GDPR. What you already have is often sufficient. You must, however, invest today to ensure your data is safe and protect your organization now; complacency saves nothing.
Disaster can strike anytime, so it’s best to make sure you’re compliant with GDPR before it comes into force. Complacency could leave you vulnerable to attack or at risk of losing data through other means, and subsequently, you could be at risk of failing to meet the requirements of the legislation. Prevention is better than a cure.
About the Author
David Trossell is CEO and CTO of Bridgeworks.