The new General Data Protection Regulation (GDPR) will be a big business driver for security solutions in many industries this year. The size of the potential fines and the reputational damage of a reported violation could have a negative effect on business digital transformation initiatives. For many organizations, the questions are “where do we start?” and “where do we prioritize?” Business leaders and security executives should take a critical look at their existing data security program and use these discovery questions as a start.
Is there a culture of data security and awareness in our organization?
Why is this important? It’s essential that everyone, from executives to users, administrators and developers, be trained, certified and ready to develop a culture of data security and privacy by design within the organization. In many circumstances, preparing for the new regulation requires the appointment of a Data Protection Officer, responsible for organizational compliance and for communication with supervisory authorities. Given the high fines levied for violations, GDPR will most likely require new internal reporting structures and the development of a continuous compliance culture.
Do we know where our sensitive data or privacy-related data is stored?
Why is this important? You can’t ensure the protection of data if you don’t know the key repositories, applications and business processes that hold it. Many data loss prevention programs fail because of this very issue. Today, data is everywhere, but it is increasingly stored on mobile devices and cloud systems, creating more exposure to attack or misuse. A key consideration should be to implement a continuous data discovery and classification program that involves a cross-functional team of business data owners, the security operations team and data security professionals.
Do we employ encryption for data protection?
Why is this important? Encryption is a key mitigating factor for potential data loss incidents and should be employed wherever possible to protect data at rest or in motion, particularly on mobile devices such as laptops and for data uploaded to cloud services. In recent surveys, it was determined that almost 20% of data uploaded to cloud storage sites included sensitive data. Each of these uploads could have triggered a GDPR violation. Additionally, organizations should have visibility over encryption status and should employ automated corrective actions on unencrypted devices or data flows.
Is there a current data loss prevention project in place or planned for this year?
Why is this important? A data loss prevention program that includes host- and network-based control points is essential to prevent or detect accidental and policy-violating data loss incidents. In recent surveys, almost 10% of all data shared externally contained sensitive data, including personally identifiable information. Additionally, organizations experience an average of 20 data security incidents per day. Each of these incidents could trigger a GDPR violation.
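The discovery-and-classification program above and the DLP control points described here both depend on the same building block: a classifier that recognizes personal data in content before it is stored in the wrong place or leaves the organization. The example below is added here and is not code from the original post or from any DLP product; the record lines are constructed, and the detector shows why a plain digit-run pattern is not enough (a Luhn check separates a real card number from an order reference that merely looks like one).

```python
import re

# Hypothetical DLP-style classifier (added example). It scans text records for
# two common categories of personal data and reports which records to flag.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Candidate payment-card numbers: 13-19 digits, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: filters out digit runs that only look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def classify(record: str) -> dict:
    """Return the categories of personal data found in one record."""
    findings = {}
    emails = EMAIL_RE.findall(record)
    if emails:
        findings["email"] = emails
    cards = []
    for match in CARD_RE.finditer(record):
        digits = re.sub(r"[ -]", "", match.group())
        if luhn_ok(digits):     # only keep checksum-valid candidates
            cards.append(digits)
    if cards:
        findings["payment_card"] = cards
    return findings


def flagged_indexes(records) -> list:
    """Indexes of records a control point should block or alert on."""
    return [i for i, rec in enumerate(records) if classify(rec)]


# Constructed sample records, e.g. lines from an outbound file share or upload.
SAMPLE_RECORDS = [
    "Weekly report attached, no customer data.",
    "Customer contact: jane.doe@example.com",
    "Refund issued to card 4111 1111 1111 1111",
    "Internal order ref 1234 5678 9012 3456",   # fails Luhn: not a card number
]

if __name__ == "__main__":
    for i in flagged_indexes(SAMPLE_RECORDS):
        print(i, classify(SAMPLE_RECORDS[i]))
```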
Do we know where all of our databases are located and types of data stored?
Why is this important? Databases often house the crown jewels of an organization, particularly customer-related data. However, many organizations deploy only basic security controls, do not patch regularly because of application downtime, and rely on administrators for activity monitoring. Additionally, many databases are deployed for testing and development with production data, creating another risk of sensitive data exposure. Key considerations for GDPR readiness should include a review of database security procedures, deploying additional protection against vulnerability exploitation attacks, and creating specific database breach use cases in security operations.
There are many other questions to think about. How do we account for cloud Software-as-a-Service (SaaS) applications that house private data? How are we controlling privileges and privileged user activity, particularly with cloud services? Does Security Operations have pre-planned data breach detection use cases? These are the types of questions organizations need to be answering in preparation for the General Data Protection Regulation.