In the last year, high profile data breaches and cyber-attacks continued to rock the headlines and impact companies’ bottom lines. The Yahoo! data breach cost the company $350 million in its deal with Verizon, and WannaCry became the worst digital disaster to strike organisations in years, crippling transportation and hospitals globally. As data breaches continue to increase in both frequency and severity, it’s no wonder that regulations are being put into place to hold organisations accountable for their cybersecurity efforts – or lack thereof.
The incoming General Data Protection Regulation (GDPR) is one such regulation, bringing a new set of ‘digital rights’ for EU citizens and giving them unprecedented control over their personal data. It requires material changes to how organisations protect their EU customers’ personal data, and it requires them to notify the supervisory authority within 72 hours of becoming aware of a breach, and the affected individuals without undue delay where the breach is likely to put them at high risk. With a fine of up to €20 million or 4% of a business’ global annual turnover, whichever is higher, waiting for any company that fails to comply, on top of the direct financial losses from the breach itself, it’s no surprise that companies are clamouring to be compliant.
There are several things organisations need to focus on to make sure they are ready to meet what GDPR compliance requires, including knowing where all personal customer data is stored, who can access it and how that access is granted.
Discover Who Has Access to What Data
The best place to start is a thorough risk analysis and a map of data and data owners across the entire infrastructure. Organisations need to know who their users are and where their at-risk data resides, whether that’s in a database or a spreadsheet, on a NAS device or in the cloud. Those who skip this first step of assigning accountability for data leave themselves open to hefty GDPR penalties.
Practice Least Privilege
Once data and owners are mapped, organisations need to strengthen the controls that determine who can access which data. Removing unwanted and unneeded access to systems, applications and data is imperative: users should have ‘least privilege’ access to only the minimum resources their role requires, and access to personal and other sensitive data should be tightly restricted. These privileges also need to be reviewed on an ongoing, repeatable basis, so that access granted for a past role or project does not linger, and so that accounts belonging to people who have left are actually removed.
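The two steps above (map data to accountable owners, then check entitlements against what each role legitimately needs) can be run as a repeatable access review. The following Python is an added illustration written for this page, not SailPoint’s product code or anything from the original article; the asset names, roles, users and entitlements are a constructed sample, and the role baselines are hypothetical. It flags personal data with no owner, entitlements that exceed the holder’s role baseline, and accounts that hold access but no longer correspond to a known identity, then groups the findings by the data owner who has to certify or revoke them.

```python
"""Least-privilege access review over a constructed entitlement export.

Added example: hypothetical asset names, roles and users; not from the article.
"""
from collections import defaultdict

# Data map produced by the discovery step: asset -> classification and accountable owner.
# 'personal' marks data in scope for GDPR. One asset deliberately has no owner.
ASSETS = {
    "crm-db/customers":      {"classification": "personal", "owner": "dana"},
    "fileshare/hr/payroll":  {"classification": "personal", "owner": "hr-lead"},
    "fileshare/eng/designs": {"classification": "internal", "owner": "eng-lead"},
    "s3://exports/eu-leads": {"classification": "personal", "owner": None},
}

# Active identities and their business role (a leaver, 'mallory', is absent on purpose).
USERS = {"alice": "sales", "bob": "engineer", "carol": "hr", "svc-etl": "service"}

# Role baseline: the maximum set of assets each role legitimately needs (hypothetical).
ROLE_BASELINE = {
    "sales":    {"crm-db/customers"},
    "engineer": {"fileshare/eng/designs"},
    "hr":       {"fileshare/hr/payroll"},
    "service":  {"crm-db/customers", "s3://exports/eu-leads"},
}

# Current entitlements as (user, asset, permission), as an IGA tool might export them.
ENTITLEMENTS = [
    ("alice",   "crm-db/customers",      "read"),
    ("alice",   "fileshare/hr/payroll",  "read"),   # outside the sales baseline
    ("bob",     "fileshare/eng/designs", "write"),
    ("bob",     "crm-db/customers",      "read"),   # outside the engineer baseline
    ("carol",   "fileshare/hr/payroll",  "write"),
    ("svc-etl", "s3://exports/eu-leads", "write"),
    ("mallory", "crm-db/customers",      "read"),   # leaver never de-provisioned
]


def unowned_sensitive_assets(assets=ASSETS):
    """Personal data with nobody accountable for it: a gap the discovery step must close."""
    return sorted(name for name, meta in assets.items()
                  if meta["classification"] == "personal" and not meta["owner"])


def excess_entitlements(entitlements=ENTITLEMENTS, users=USERS, baseline=ROLE_BASELINE):
    """Return (user, asset, permission, reason) for every entitlement that violates
    least privilege: held by an unknown identity, or not in the holder's role baseline."""
    findings = []
    for user, asset, permission in entitlements:
        role = users.get(user)
        if role is None:
            findings.append((user, asset, permission, "no active identity"))
        elif asset not in baseline.get(role, set()):
            findings.append((user, asset, permission, f"outside '{role}' baseline"))
    return findings


def certification_queue(findings, assets=ASSETS):
    """Group findings by the data owner who must certify or revoke each entitlement,
    so the review lands with an accountable person rather than a central queue."""
    queue = defaultdict(list)
    for user, asset, permission, reason in findings:
        owner = assets.get(asset, {}).get("owner") or "UNASSIGNED"
        queue[owner].append({"user": user, "asset": asset,
                             "permission": permission, "reason": reason})
    return dict(queue)


if __name__ == "__main__":
    print("Personal data without an owner:", unowned_sensitive_assets())
    for owner, items in certification_queue(excess_entitlements()).items():
        print(f"\nReview items for {owner}:")
        for item in items:
            print(f"  {item['user']:8} {item['permission']:5} {item['asset']:24} {item['reason']}")
```

Run on this sample it reports the ownerless export bucket, two entitlements that exceed a role baseline and one orphaned account, routed to the respective data owners. In practice the inputs come from the identity store and the access export, and the review is scheduled rather than run by hand.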
Secure Sensitive Data
Once organisations know who has access to sensitive data and what they are doing with that access, they can secure it according to best practice. This is particularly important for data stored in files and folders, which often resides outside the corporate firewall.
Monitor User Activity
After all of these efforts, organisations must implement ongoing activity monitoring to improve risk mitigation and understand appropriate use. This continued monitoring can alert the appropriate personnel when out-of-bounds activity or aberrant requests are detected in real time, allowing for immediate remediation.
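Activity monitoring of this kind compares what users actually do with what they are entitled to do, and raises an alert when the two diverge. The following Python is an added example for this page, not the article’s or SailPoint’s code: the audit log is a constructed JSON-lines sample with hypothetical users and asset names, and the entitlement table, the bulk-read threshold and the ten-minute window are assumptions. It flags two kinds of out-of-bounds activity: access by a user with no matching entitlement, and reads of personal data whose volume within the window exceeds the threshold.

```python
"""Flag out-of-bounds access to personal data in an audit log.

Added example with constructed log lines and hypothetical names; not from the article.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed entitlements: user -> assets the user may touch (output of the access review).
ENTITLED = {
    "alice":   {"crm-db/customers"},
    "carol":   {"fileshare/hr/payroll"},
    "svc-etl": {"crm-db/customers", "s3://exports/eu-leads"},
}
# Assets holding personal data, from the data map.
SENSITIVE = {"crm-db/customers", "fileshare/hr/payroll", "s3://exports/eu-leads"}

# Constructed JSON-lines audit log, one event per line.
LOG_LINES = """
{"ts": "2018-03-01T09:00:00", "user": "alice", "asset": "crm-db/customers", "action": "read", "records": 3}
{"ts": "2018-03-01T09:05:00", "user": "bob", "asset": "crm-db/customers", "action": "read", "records": 1}
{"ts": "2018-03-01T09:10:00", "user": "carol", "asset": "fileshare/hr/payroll", "action": "write", "records": 1}
{"ts": "2018-03-01T22:15:00", "user": "alice", "asset": "crm-db/customers", "action": "read", "records": 2000}
{"ts": "2018-03-01T22:16:00", "user": "alice", "asset": "crm-db/customers", "action": "read", "records": 2500}
{"ts": "2018-03-02T02:00:00", "user": "svc-etl", "asset": "s3://exports/eu-leads", "action": "write", "records": 500}
""".strip().splitlines()

BULK_THRESHOLD = 1000           # assumed: records of personal data per user per window
WINDOW = timedelta(minutes=10)  # assumed sliding window for the volume check


def parse_events(lines):
    """Parse JSON-lines events and return them in timestamp order."""
    events = []
    for line in lines:
        event = json.loads(line)
        event["ts"] = datetime.fromisoformat(event["ts"])
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def detect(lines, entitled=ENTITLED, sensitive=SENSITIVE,
           threshold=BULK_THRESHOLD, window=WINDOW):
    """Return alerts for (a) access with no matching entitlement and (b) personal-data
    volume per user exceeding `threshold` within the sliding `window`."""
    alerts = []
    recent = defaultdict(list)  # user -> [(ts, records)] for sensitive assets in the window
    for event in parse_events(lines):
        user, asset = event["user"], event["asset"]
        when = event["ts"].isoformat()
        if asset not in entitled.get(user, set()):
            alerts.append({"type": "unentitled_access", "user": user,
                           "asset": asset, "ts": when})
        if asset in sensitive:
            bucket = recent[user]
            bucket.append((event["ts"], event.get("records", 0)))
            # Keep only events that fall inside the sliding window.
            bucket = [(t, n) for t, n in bucket if event["ts"] - t <= window]
            recent[user] = bucket
            total = sum(n for _, n in bucket)
            if total > threshold:
                alerts.append({"type": "bulk_read", "user": user, "asset": asset,
                               "records": total, "ts": when})
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(json.dumps(alert))
```

On the sample it raises one alert for bob, who reads customer data without any entitlement, and two for alice, whose late-evening reads total 2,000 and then 4,500 records inside the window while her daytime read of 3 records passes silently. The unentitled-access rule is the one that directly ties monitoring back to the access review: anything it fires on is either a control failure or an entitlement the review missed.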
Accountability is Key
GDPR compliance also means a higher level of accountability. Companies must be prepared to provide evidence of compliance upon request and document all of their data processing policies, procedures and operations accordingly. They will need to be able to quickly answer fundamental questions about where all their sensitive data resides and who has access to it.
Beating the Clock
With the GDPR requirement to notify the supervisory authority within 72 hours of becoming aware of a breach, and the affected individuals without undue delay where they face a high risk, automation is a must. Response times like that simply weren’t a part of earlier compliance initiatives. Automation is imperative, especially for larger companies whose potential risks and penalties increase with their size. Automated provisioning and de-provisioning of access allows organisations to tighten security controls while also enabling business efficiencies.
Identity Governance Is the Path to GDPR Compliance
One sure way to meet these stringent GDPR requirements is by placing identity at the centre of security strategies. Identity governance helps organisations achieve compliance by giving them the means to grant and revoke access to sensitive data in accordance with their GDPR policies, as well as the ability to regularly review and adjust access to sensitive data as needed to stay compliant.
With the power of identity, businesses will have full visibility into who has access to what data, and insight into how that access is being leveraged, giving them the means to not only meet GDPR compliance and other regulatory requirements, but also to realise an overall improved security posture. In addition to addressing regulations and preventing costly fees, these measures will also increase consumer confidence and ultimately keep companies out of the headlines for the wrong reasons.
By Mark McClain, Chief Executive Officer & Co-founder, SailPoint
GDPR Summit Series is a global series of GDPR events which will help businesses to prepare to meet the requirements of the GDPR ahead of May 2018 and beyond.
Further information and conference details are available at http://www.gdprsummit.london/