Mitigating Cybersecurity Risks In The Era Of GDPR


Cybersecurity has become a key concern for businesses as cybercriminals continue to prey on hapless organizations. Intellectual property theft and ransomware are among the more profitable criminal activities that contribute to the £1.15 trillion (US$1.5 trillion) revenue that cybercrime generates each year.

The introduction of new technologies like cloud computing, big data, and smart devices into company infrastructures is increasing the risk of cyberattacks. Case studies by endpoint management service Cloud Management Suite (CMS) reveal that digitization can introduce hundreds of devices even into mid-sized organizations' networks, each of which can introduce vulnerabilities that attackers can exploit.

Business processes are also steadily shifting to cloud-based services, so IT teams now have to expand their coverage and manage both on-premises and cloud-based components.

Further adding to this complexity is the advent of data and privacy laws like the European Union's General Data Protection Regulation (GDPR). The GDPR requires companies to provide enhanced protection for customer information. To compel compliance, the GDPR is also designed to punish companies that fail to provide adequate measures to prevent and respond to data breaches, with maximum penalties amounting to millions of Euros.

However, the GDPR is revealing itself to be a double-edged sword. These new requirements can actually be exploited by malicious actors. GDPR-based extortion is now an emerging concern for companies, in which cybercriminals threaten to report companies to the authorities for non-compliance. Clearly, companies have to step up their efforts to cope with these developments.

Breaches are bad news

Thanks to developments in big data and analytics, companies have been able to implement wide-scale tracking and profiling of customer activities across digital channels. These efforts allowed companies to gather customers' personal and financial information, which is now stored in their systems and databases.

Because of the nature of information they hold, these systems have become ideal targets for cybercriminals to breach. Stolen data can be easily sold on the cyber black market. Credit card information can fetch upwards of £10 ($13) per record. Given the number of records a company stores, a successful breach could be a major payday for criminals.

For companies, dealing with a data breach can cost millions. IBM and Ponemon estimate that each stolen record costs companies £113 ($148). But aside from the financial cost, there is also the damage to reputation, which can prove hard to repair. Companies like Yahoo! and Equifax have struggled to recover from the massive data breaches they suffered.

GDPR complicates things

Aside from worrying about existing threats, companies must now also deal with GDPR compliance. Many bemoan the regulation. To start, many of their customer engagement and marketing efforts are hampered by strict provisions that limit the means by which they can gather information about customers. Moreover, it adds to the pressure on companies not to fall victim to data breaches.

Aside from the cost of stolen records and the damage to reputation, the fines for non-compliance that victim organizations need to pay can easily ruin them. The stiff penalties make companies susceptible to extortion. The GDPR also created an avenue for industrial sabotage: cutthroat competitors may hire cybercriminals to hack their rivals and frame them for non-compliance.

There is also the concern of preparedness. A survey by internet security provider Incapsula showed that companies were ill-prepared for the GDPR. Only 41 percent of security professionals said that their companies were working on meeting the guidelines prior to the regulation taking effect last May. These factors underscore how vulnerable companies are given the situation.

Plugging the gaps

Businesses and their IT teams must be able to meet these challenges head on. Fortunately, there are concrete actions they can take to mitigate these threats. Here are some ways companies could plug the gaps in their cybersecurity and compliance strategies.

Understand the regulations. Companies must first understand what the regulations cover. They must be made aware of the key provisions, which include implementing data protection measures, notifying authorities and affected users in the case of data breaches, and performing impact assessments when new technologies that process data are introduced into business activities. Businesses must also keep users and customers informed and seek consent whenever customer information is gathered.

Protect the infrastructure. Cybercriminals are always probing for weaknesses to exploit in companies' networks, so it is important for IT teams to secure all network devices and endpoints. Management tools like CMS feature comprehensive capabilities that allow IT teams to manage and secure all enterprise devices. The service can also perform remote management of both on- and off-premises devices and automated patching of operating systems, device firmware, and even various third-party software. These activities help eliminate vulnerabilities that attackers might use to breach networks.

Secure data. Companies must also implement technologies and processes that secure customer information. This may include adopting hardware or services for secure storage and performing actions such as encrypting their databases and scrubbing personally identifiable information from data through pseudonymization.
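As an added illustration of the pseudonymization step above (example code, not from the article or from CMS), the following replaces personal fields in a customer record with keyed tokens and keeps the re-identification lookup separate, which is what the GDPR's definition of pseudonymization in Art. 4(5) calls for. The record schema, field names and sample customer are assumptions constructed for the example.

```python
import hashlib
import hmac
import secrets

# Assumed record schema for this example; these fields are treated as personal data.
PII_FIELDS = ("name", "email", "phone")


def pseudonymize(record: dict, key: bytes) -> tuple[dict, dict]:
    """Replace PII fields with keyed HMAC-SHA256 tokens.

    Returns (pseudonymized_record, lookup). The lookup (token -> original value)
    is the 'additional information' that GDPR Art. 4(5) requires to be kept
    separately from the pseudonymized data: store it and the key in a different
    system with stricter access control than the analytics copy.
    """
    out = dict(record)
    lookup = {}
    for field in PII_FIELDS:
        if out.get(field) is None:
            continue
        # Normalise so the same person yields the same token across datasets.
        canon = str(out[field]).strip().lower()
        # The field name is mixed in so an email and a name can never collide.
        token = hmac.new(key, f"{field}:{canon}".encode(), hashlib.sha256).hexdigest()[:32]
        lookup[token] = out[field]
        out[field] = token
    return out, lookup


def reidentify(record: dict, lookup: dict) -> dict:
    """Restore originals; only possible with the separately stored lookup."""
    return {k: lookup.get(v, v) for k, v in record.items()}


def unkeyed_token(value: str) -> str:
    """The weak alternative: a plain hash with no secret key."""
    return hashlib.sha256(value.encode()).hexdigest()[:32]


def guessable_by_dictionary(token: str, candidates: list[str]) -> bool:
    """Why the key matters: an unkeyed hash of a low-entropy field such as an
    email matches a candidate list; a keyed token does not without the key."""
    return any(unkeyed_token(c) == token for c in candidates)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generate once, keep in a secrets manager
    customer = {"id": 1042, "name": "Ada Lovelace", "email": "ada@example.com",
                "phone": "+44 20 7946 0000", "plan": "premium"}  # constructed sample
    pseudo, lookup = pseudonymize(customer, key)
    print(pseudo)
    print(reidentify(pseudo, lookup) == customer)
```

The analytics copy of the data keeps only the tokenized record; a breach of that copy alone exposes no names or emails, while joins on the same customer across datasets still work because tokens are deterministic under one key.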

Refine policies and processes. Security is always a work in progress, so companies must continually adapt to changes in the cybersecurity landscape. The GDPR requires companies to appoint a data protection officer, who provides stewardship within the organization to ensure compliance across all business activities. Companies must also address the human element through proper training and governance.

Merging security and compliance

It is already a given that companies must put cybersecurity strategies in place even without the GDPR. The threat of cyberattacks is ever present. While the GDPR forces companies to guarantee the security of data, it is unfortunate that it has also created new means for cybercriminals to prey on companies. What is essentially required is a comprehensive strategy that covers both GDPR compliance and cybersecurity. Strict compliance paired with robust security mechanisms should mitigate these new risks and allow businesses to survive and thrive in the GDPR era.