In 2018, with the General Data Protection Regulation going into effect, data security finally secured a spot in the boardroom. SoftwareONE’s Mike Fitzgerald discusses takeaways for compliance practitioners in the year that’s passed since.
After years of IT professionals arguing its importance, data security firmly secured a place at the boardroom table across most industries in 2018, further illustrating that it is (and will continue to be) a top concern for organizations at all levels. A year later, it continues to draw attention.
Data security is not just good business practice; it is crucial for a company's survival. Fines associated with data breaches under the General Data Protection Regulation (GDPR) can equal as much as four percent of annual revenue – a price high enough to make noncompliance cost-prohibitive. Many countries (and the technology community) are instituting additional data protection policies at the local and global level to safeguard against data loss.
To move forward with better data privacy, it’s important to know where we’ve been and learn from others’ mistakes. Here are the top three lessons GDPR has taught organizations about data privacy and security:
1. Cybersecurity is a C-Level Issue
No longer is cybersecurity a siloed initiative that IT departments are tasked with maintaining. It has worked its way up the corporate ladder quickly and reached the boardroom. With a whopping $63 million in fines imposed since the GDPR privacy law went into full effect, it is no wonder the issue has the C-suite's attention. New fines, like the recent British Airways case, are making headlines every day. This only increases the need for attention from the C-suite, because such fines hit a company's bottom line directly.
Upon closer examination, a recent study found that 87 percent of board members and C-suite executives lack confidence in their organization’s degree of preparedness against cybersecurity threats. When an issue arises that directly impacts a company’s bottom line, regardless of its origin (IT/data security, supply chain, product development, etc.), it’s imperative that it is elevated to the C-suite to be addressed. Since implementation, GDPR has required the C-suite to make cybersecurity a boardroom issue to better protect themselves, raise their confidence levels in preparedness against cybersecurity threats and save themselves money.
This raises the question: what does the future look like under GDPR? The best approach is a comprehensive IT strategy that incorporates all levels of the organization and maintains a strong cybersecurity defense. Such a strategy requires everyone's involvement and is no longer just an IT matter, so the effort must begin at the top. Cybersecurity and data security need to be part of the foundation of the IT and data strategy to be effective. This reinforces their value to the organization and better protects the company's assets.
2. A Growing Sense of Accountability
According to the Verizon data breach report, external sources account for 69 percent of all attacks, with insiders accounting for approximately one-third of all cyber incidents. In 2 percent of the cases reported, business partners were involved, and in 5 percent of the security incidents reported, multiple parties (both external and internal) were involved. Situations like this demonstrate that it’s critical that everyone in the organization is accountable and should know who is handling their data.
The cybersecurity skills shortage requires everyone to step up, especially where turnover is high, because high turnover can create holes in protection. Combined with the anticipated 3.5 million unfilled roles by 2021, this means it is more critical now than ever that everyone works together on protection.
3. Increase Network Visibility
To effectively protect against data breaches, IT decision-makers need to understand and control how data flows throughout the organization. Data flow mapping tools, which simplify how organizations map data flows, can help identify and resolve data protection issues quickly and cost-effectively – ultimately reducing the risk of a breach.
The recognition of security as a C-level issue increases accountability throughout the organization, which in turn increases network visibility. The timing could not be better, as the increasing rate of migration to the cloud and the introduction of 5G mean companies are generating and capturing more data than ever. Reconciling this data and knowing who is handling it and where it is stored is imperative to meet privacy standards. Real-time visibility and updates improve an organization's ability to know immediately when a data breach happens – ultimately allowing more time to react, protect victims and save money.
Since GDPR went into effect in 2018, a lot has changed in regard to data privacy. Cybersecurity being recognized as a C-level issue, the need for more accountability and an increase in network visibility are only three of the many lessons learned over the past year. These lessons are interconnected, and the acceptance and application of them lead to success, ultimately impacting an organization’s overall security.
Once cybersecurity becomes a C-level issue, it will increase accountability through a comprehensive cybersecurity strategy, ultimately allowing increased network visibility for all parties to do their jobs efficiently. While GDPR has been operational for a year, we still have a long way to go to ensure data privacy. Embracing these three lessons is the first step.