Sensitive Data Protection in the Face of the EU’s New GDPR Regulations
They are cunning, ruthless and have only one goal: to gain access to sensitive data on the corporate network. Today it is not only personal data but also image and video files (for example, footage from industrial surveillance cameras) that hackers are after. Will the EU's new General Data Protection Regulation convince businesses to increase spending on network data protection? What should they keep in mind and pay attention to? How can they prepare for this EU revolution and avoid painful repercussions for failing to do so? Business owners have slightly over two years to prepare their IT infrastructure for the new regulations.
The problem of managing privileged accounts with access to sensitive data held by a company concerns not only large organizations but also medium and small enterprises, public offices and institutions such as schools or sports clubs. Many of them lack clearly defined, formal procedures for the security of their corporate networks. It is genuinely disturbing that many companies do not apply even the most basic procedures, such as monitoring who has access to data and when, especially for data retained over long periods for audit purposes. We live in an increasingly digitized reality, in which the scale and frequency of targeted hacker attacks are growing in leaps and bounds. The PwC report shows that in 2015 more than half of all Polish companies recorded at least 6 cyber-attacks during the year, and that as many as 70% of the principal perpetrators were those companies' own employees. In turn, a survey conducted by Intel and Intel Security in May 2016 shows that as many as 40% of large enterprises in Poland have no emergency scenario prepared for a cyber-attack or similar event.
Just recently we witnessed a series of leaks of vast amounts of personal data that could have been prevented with modern tools for monitoring network infrastructure. The scandal resulted in over 800 000 records being leaked from the PESEL (National Identity Number) system in Poland. It is hard to believe that the Ministry of Digitization detected the irregularities, unusual activity in the system, only after a year! The whole situation is even more absurd considering that there are monitoring solutions on the market that would easily have detected the anomalies and allowed a quick response to the unusual and suspicious increase in traffic, especially where it took place outside working hours. The sad truth is that more than half of Polish companies have never heard of GDPR (according to research commissioned by Trend Micro and VMware). It may therefore be presumed that as many or even more are also not interested in security. Why? Although comprehensive solutions for advanced monitoring and network management exist on the market, for many companies implementing such systems still seems beyond their capabilities. There are, however, options designed for smaller firms that will not ruin their budget and will not require hiring additional staff. This is good news, because the financial repercussions and loss of face for a company that has breached data protection rules are incomparably greater than the increased expense of digital security. The loss of valuable information goes hand in hand with eroded trust and a tarnished reputation, both of which are very difficult to rebuild.
A loss of face, according to research, is not a sufficient deterrent, but the new legislation should definitely help. Revolutionary changes in personal data protection are approaching fast, with the purpose of adapting existing laws to the dynamically developing world of new technologies. On May 25, 2018, the EU's new General Data Protection Regulation (GDPR) will come into force, bringing unified personal data protection regulations to all EU nations. The new law will replace the data protection directive from 1995, a time when the internet was still in its infancy and digital information management was not yet exposed to today's potential for abuse. So what does it all mean for businesses that specialize in processing sensitive data? For starters, an obligation to implement high-end security solutions that meet the standards of the modern, digitized world. For the refractory (or stingy) ones, heavy financial fines will apply: a company that allows a data security breach will be fined 4% of its annual income or 20 million EUR, whichever is higher. As of now, 1/3 of all Polish companies still have not met the requirements of the 1995 regulation, which is alarming news.
Technology Comes to the Rescue
Enterprise owners should take the upcoming changes into account and prepare their budgets for the work needed to secure their data facilities. The recent data breach scandals (like PESEL gate) show how crucial it is to monitor those with authorized access to sensitive data. "Monitoring systems include features that allow sysadmins to see exactly who logged in to a server or another source of confidential data, and when. They register any login attempts and whether they occurred under unusual conditions, like outside working hours or during holidays," explains Tomasz Kunicki, founder and CEO of AdRem Software, developer of the NetCrunch Network Monitoring System.
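An added example of the kind of check described above, written for this article and not code from AdRem or NetCrunch: it reads constructed login records and flags successful logins outside assumed working hours, on weekends or on an assumed public holiday, as well as a success that follows repeated failures from the same source. The log format, working hours, holiday date and host names are all assumptions.

```python
import re
from datetime import datetime, time

# Constructed sample login records (not from any real system). Assumed format:
# "<ISO timestamp> <success|failure> user=<name> src=<ip> host=<server>"
SAMPLE_LOG = """\
2016-11-14T09:12:04 success user=jkowalski src=10.0.4.21 host=db-records-01
2016-11-14T23:47:51 success user=admin src=10.0.4.21 host=db-records-01
2016-11-12T14:03:10 success user=backup_svc src=10.0.9.7 host=file-archive
2016-11-11T10:15:00 success user=mnowak src=10.0.4.33 host=db-records-01
2016-11-14T02:00:12 failure user=admin src=203.0.113.5 host=db-records-01
2016-11-14T02:00:15 failure user=admin src=203.0.113.5 host=db-records-01
2016-11-14T02:00:19 success user=admin src=203.0.113.5 host=db-records-01
"""

LINE_RE = re.compile(r"^(\S+) (success|failure) user=(\S+) src=(\S+) host=(\S+)$")
WORK_START, WORK_END = time(8, 0), time(18, 0)   # assumed working hours
HOLIDAYS = {"2016-11-11"}                         # assumed public holiday

def parse(line):
    """Parse one record into a dict, or return None for unrecognised lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, result, user, src, host = m.groups()
    return {"ts": datetime.fromisoformat(ts), "result": result,
            "user": user, "src": src, "host": host}

def flag_events(log_text):
    """Return (reason, event) pairs a sysadmin should review, in log order."""
    flagged, failures = [], {}          # failures: (user, src) -> count
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue
        key, ts = (ev["user"], ev["src"]), ev["ts"]
        if ev["result"] == "failure":   # remember failures until a success
            failures[key] = failures.get(key, 0) + 1
            continue
        if ts.date().isoformat() in HOLIDAYS:
            flagged.append(("login on public holiday", ev))
        elif ts.weekday() >= 5:
            flagged.append(("login on weekend", ev))
        elif not (WORK_START <= ts.time() < WORK_END):
            flagged.append(("login outside working hours", ev))
        # Success preceded by repeated failures from the same source.
        if failures.pop(key, 0) >= 2:
            flagged.append(("success after repeated failures", ev))
    return flagged
```

Run against a real authentication log, the same logic needs a parser for that log's format and a holiday calendar for the relevant country.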
To avoid unnecessary risk and painful fines, companies must start preparing to adapt to the new regulations. When choosing among available solutions, it is worth considering a modern network monitoring system capable of meeting the security requirements of a modern IT department. Doing so will play a key role in the war against cybercrime, including crime from within the company.