The adoption of Cloud-based services and a lack of well-defined security strategies are two of the factors that mean companies are struggling with their data. The General Data Protection Regulation (GDPR), which comes into effect from 25 May 2018, will make it even more urgent for companies to get a clear view of where data is stored and who owns it.
Paving the way for security problems
This is particularly pertinent because recent research by Kaspersky Lab found that 35 per cent of businesses don't know if certain pieces of corporate information are stored on company servers or on those of their Cloud providers. Kaspersky stated: “This makes the safeguarding and accountability of data extremely hard to achieve, putting its integrity at risk and paving the way for potentially severe security and cost implications.”
In fact, GDPR will have huge penalties: if companies that use and store personal data of EU citizens are found to have transgressed the rules, they will face steep fines of at least €20 million. But there are also the costs of systems and insurance to protect data from hackers and, of course, the cost and fallout if a data breach actually occurs. Kaspersky found that large organisations suffer an average $1.2 million financial impact as the result of a Cloud-related security incident, while for smaller/medium businesses the impact is around $100,000.
Get clear on data ownership
Part of the problem is that companies have been quick to adopt Cloud-based services but this has sometimes been to the detriment of security and a clear strategy for security and ownership of data. Kaspersky says that 70 per cent of businesses using software-as-a-service (SaaS) and Cloud service providers have no clear plan in place to deal with security incidents that could affect their partners. The software security firm's research also found that:
- 42 per cent of businesses do not feel adequately protected from incidents affecting their Cloud service provider;
- 24 per cent of businesses have experienced a security incident affecting the IT infrastructure hosted by a third party over the past 12 months; and
- in third-party incidents, the most common types of data affected are: highly sensitive customer information; basic employee information; and emails and internal communication.
Four things to consider to strengthen data security
So when considering data security in a Cloud and omnichannel environment, what are some of the key things companies should consider?
- According to Kaspersky, companies should use a combination of techniques including machine learning and behavioural analytics to spot anomalies within their Cloud infrastructures.
- Companies also need to get a clear view on where data is stored within the Cloud ecosystem and its cybersecurity layer, and if its current protection status meets corporate security policies.
- GDPR will provide clarity in that all personal data pertaining to customers based in the EU will be owned by the customers, not by the organisation that processes or stores that data - but companies will be obliged to protect that data adequately.
- We've often heard the mantra that people are the weakest link in data security – well, so are passwords. The majority – 81 per cent – of hacking-related breaches involved either stolen and/or weak passwords, according to the Verizon 2017 Data Breach Investigations Report. And since just about all organisations continue to use passwords as a primary authentication method to protect data, it's probably time that this strategy was revised.