Four years have passed since GDPR came into play, and in that time both the challenges facing privacy and the knowledge of how to address them have grown
It’s easy to forget the panic surrounding GDPR before its introduction in May 2018, which forced organisations to treat data with the seriousness and care it deserves.
Four years later, its influence on how businesses handle data and their responsibilities for it has been clear, so much so that data breaches and fines regularly appear in the news.
“What it’s done is it put the concept of personal information to the forefront of every business owner’s mind,” Paul Casey, chief operations officer at Paradyn, said. “You should be thinking about it early in the process; it should be in the initial planning phases.”
“There’s probably more of a focus on data protection with cases appearing in the news. At least once a month, there’s some new headline and that is solidifying that this is the standard and it’s here to stay.”
Casey brings up an interesting point that while GDPR has been around since 2018, the pandemic happening two years later changed the landscape.
With all workers moving off-premises and many likely staying that way into the future, either as fully remote or a hybrid model, data protection is now more complex than before. Now the onus is on protecting data in different locations like the cloud.
“If they’re working from home, there’s so much between where they are and your organisation’s data,” he said. “You have to make sure you can verify it’s the right person from the right location getting to the data and not somebody else in-between.”
It’s why practices like zero trust – which requires all users to be authenticated, authorised and continuously validated for security before being granted or keeping access to data, no matter where they are in an organisation’s network – are becoming so popular. The boundaries separating organisations and access have disappeared completely.
“A lot of organisations are putting in the components of a zero-trust architecture without having that as a strategic end goal,” he said. “They did that to cover the risk of employees at home, verifying that it’s still that person.”
“We need to make sure we put those divisions in place and the previous IT infrastructure idea of the corporate networks being your castle where everyone inside is safe and trusted and everyone outside are the bad guys, that’s long gone.
“We need to consider people behind the walls as much as those outside it are working for the bad guys and we need to make sure and constantly verify that we’re still allowing the right people access to the right areas and no more and no less than that.”
Focusing on ensuring all of these things are covered is more difficult when considering the global skills shortage in cybersecurity. Having a dedicated team in-house is a luxury only major multinationals can afford, so for most organisations, outsourcing security is the only way.
It’s why services like Paradyn’s SOC and SIEM offerings are growing in popularity, but as Casey notes, many organisations don’t know where to start.
The good news is that there are cybersecurity frameworks to base your protections on, such as ISO 27001. They can help break down your responsibilities and requirements into more manageable chunks so you can assess where your blind spots are.
“When you look at it from a holistic, big picture side, it gives an IT manager or director of IT a roadmap on what to do,” he said. “It’s all measured out, there are milestones, KPIs, and they can show that the organisation’s security posture is going in the right direction.”
“If you’re not operating on one of these frameworks, it ends up being piecemeal and you won’t be aware of the gaps in these projects you’re running.”
The benefit of adopting a framework and measuring against it is that you have something tangible to show those at board level about the effects of your security measures. Presenting it in terms they understand makes it easier to show how vital security is to the organisation.
There is further scope for encouragement with the EU organisation ENISA (the European Union Agency for Cybersecurity), which is trialling certification for cloud products ensuring that they’re up to a certain standard.
Similar to the standard ISO 27001 provides, it will give further confidence that organisations are treating data with the protection and care it deserves and is expected to come into play in 2023.
“It’s good to see this evolution because they’ve seen we’re missing a spot there,” Casey said. “They said, what can we do to validate and express confidence in these cloud environments, where all of our data is held at the moment?”
“If you look at cybersecurity budgets – and it isn’t necessarily an IT function, it’s an organisational function – there’s a big portion of that which relies on IT doing what it needs to do to protect where the data is.”
“They’ve almost all come together in a line to emphasise organisations’ responsibilities to protect the data. Whether it’s on-premise or in the cloud, paper or digital, personal data or additional bits, you protect it with the same best practices.”