GDPR: is this about IT or resilience?
Levels of concern in business appear to be rising now that the date for the roll-out of the new EU Data Protection regulations, known as GDPR, has been announced (May 25, 2018, by the way). Social media were alight with comment and speculation, and many people were questioning whether a potential Brexit could affect the uptake of the regulations in the UK. The bottom line is that we have our own Data Protection Act, which will remain, and the adoption of best practice guidelines cannot be ruled out regardless of any Brexit outcome. But surely that is looking at GDPR the wrong way round? It almost appears as if the tone has been set, and once again data protection and security professionals face the probability of an entrenched negative view of what is meant to be a helpful set of guidelines.
Granted, GDPR contains monetary penalties, but if we look at the level of data breach we see in the press every day, much of it is preventable and comes from poor practice. If we cannot be assured that businesses and organisations will protect the data we lend them, then legislating them into it would appear to be the logical route. Surely we should all be pleased at the opportunity to look at how we handle data ourselves and to question how our data is handled?
According to the Datastrophe report, half of enterprise IT decision-makers (ITDMs) are concerned that the security measures they have in place will not meet GDPR expectations, and one in five were waiting to see what final decisions were made in the regulations before putting additional security measures in place. Now, on the one hand it may seem sensible to wait and see what new regulations mean for the UK business sector before spending. On the other hand, we have had access to many of the proposed regulations for some time, and given that these included a potential monetary penalty of up to 4% of global turnover for a serious data breach, you would think this alone would have had all ITDMs making some serious decisions.
However, therein lies part of the problem: ITDMs. Data protection is not the preserve of IT. IT is a part of the DP solution, but by no means all of it. Granted, the survey had to be directed at someone, but research of this kind is so often directed toward IT, and sometimes that leaves us with more questions than clear answers. If we are genuinely trying to gauge UK preparedness for GDPR, looking at the IT response alone will not give us the full picture. As we know, this is a problem with security perception in general: it is frequently seen as an IT issue rather than a business one, and surveys aimed at IT merely reflect that belief.
For instance, what about the areas of governance outside of IT, how prepared are they for GDPR? Risk teams, infosecurity professionals, data protection professionals, senior information risk owners, information asset owners and of course, end users, all play a part in data protection success or failure. They will also be part of the planning and preparation for the GDPR roll out. Let’s take a look at business units like HR and finance which both handle significant levels of sensitive data: employee salary, medical and personal information, as well as sensitive business information and access to funds and assets.
Not all of this information is in digital format, and not all of it sits within the protective sphere of a corporate network… even though it should. It could be sitting on any number of end user devices. What about sharing this information, moving it or changing it? And finally, what about users who print things out? We know from the Information Commissioner’s Office that this is a common route to accidental breach. What can IT do about that? So what we really should be asking is how a business handles the adequate protection of all of its information assets, and what steps are being taken at a corporate level to prepare for GDPR.
We know that “shadow IT” is alive and well and is being used to circumvent security restrictions placed on users because, amongst other things, they have decided it gives them a more convenient user experience. This can include behaviour such as sending corporate information to personal email addresses and using personal devices on networks without security testing or permission. Whilst there will always be users who try to do this, overly onerous policy or procedure should be avoided in order to discourage this kind of risky behaviour. Security policy makers need to find out what users need to do and find a way for them to do it securely. They also need to enforce policy once it has been set. Data sitting on personal devices is well beyond the reach of corporate security, and given the behaviours outlined above, security may not even be aware that it is at risk.
Let’s go back to that Datastrophe report, because it tells us that ITDMs think around 42% of all corporate data is held on endpoint devices outside the traditional security perimeter. It is not surprising, then, that almost 70% of these ITDMs feel more needs to be done in terms of investment in endpoint data protection. Bear in mind that when we talk about endpoints, we are talking about devices that the business knows about and either owns or has sanctioned for use via a Bring Your Own Device (BYOD) policy. On this point users and ITDMs disagree hugely: according to the data, 65% of ITDMs believe there is a clearly defined BYOD policy in place, while 67% of users say there is not.
The truth, no doubt, lies somewhere in between. However, everything we have learned about shadow IT, as mentioned above, tells us that users will use their own devices for convenience. Indeed, some researchers (such as Ovum) have found that up to 70% of BYOD practice takes place without the knowledge or consent of employers, which to a degree backs up the users’ assertions. So there is another area untouched by IT security oversight…
So realistically, we need to examine what measures are in place to secure the behaviour of end users, instead of expecting IT to handle the whole DP arena and absorb the changes coming through to business via GDPR. Understanding and evolving how we handle data protection in the face of firmer regulation means that businesses need to look at themselves in their entirety and be brutally honest about how effective the whole business is at security and resilience. Out of this will come a pragmatic and business-enhancing approach that benefits end users with streamlined, pragmatic and agile security, resulting in practical improvements to both user experience and data protection. Surely this is the right way to be looking at GDPR?
About the Author
Mike Gillespie is Managing Director of Advent IM Ltd, and an information security practitioner and CLAS consultant of many years’ standing. He is well versed in the threat to organisational information assets. An active member of the Security Institute since 2008, Mike was voted onto the Board of Directors in 2013 and given special responsibility for Cyber Research and Strategy. Additionally he is part of the Institute’s mentoring scheme and a member of the CSCSS Global Cyber Security Select Committee. As a subject matter expert Mike is called upon regularly to speak at events and contribute editorial, most recently for the BBC and The Sunday Times as well as regular industry media.