a snowy winter scene
Winter is coming figuratively, if not literally, for organizations in the form of the upcoming GDPR deadline. PHOTO: Dominik Dombrowski

We are in the midst of one of the coldest winters on record here in the Northeast. But the real big privacy and security chill is happening all around the world.

For all you Game of Thrones fans, winter is coming quite figuratively — if not literally — as companies begin to face the reality that the European Union’s General Data Protection Regulation (GDPR) deadline is almost upon us.

By May of this year, all companies holding European citizen data must be compliant, and most — if not all — organizations, big and small, are not adequately prepared.

How to Become More Compliant in 2018

All of this is set in the context of the seemingly never-ending data breaches in 2017.

Those breaches exposed the sensitive, personal data of hundreds of millions of people, but also affected the companies in question with billions of dollars lost in market value as a result. Equifax, Deloitte, Yahoo — the list goes on and on.

What's clear is no organization is breach-proof. Cybercrime is on the rise, and every company is vulnerable. Winter is truly coming — in fact, it’s already here. So what can we do about it?

Understand Data May Be Your Most Valuable Asset

This is a large part of the reason cybercrime and breaches are on the rise. We’ve heard of data as the “new oil” in our digital economy, but another analogy I heard recently which resonated even more was data as “electricity.”

Data powers our companies and fuels our productivity, but it can also shock or hurt us. Imagine the impact to our businesses if it was turned off. By taking proper precautions to build in safeguards, we can not only optimize our use of data to generate revenue, but we can also prevent harm or even calamity.

Tag Your Data

Only one third of enterprise organizations are tagging their data, according to a 2017 GDPR Self Assessment Benchmark Survey conducted by privacy and cybersecurity think tank, Centre for Information Policy Leadership (CIPL) and AvePoint.

How is that even possible? The companies that responded to this survey truly represent the best and brightest of leading privacy programs around the world. How is it possible that these mature companies with their excellent security and privacy programs are not doing the basics?

If you do nothing else to prepare your business for GDPR and ensure your cyber-posture, I would strongly recommend you implement automated metatagging so that you could truly understand risk across your business.

Know Where Data Resides

If you do not know what you have, you cannot protect it. The GDPR implements a 72-hour breach notification period. If you don’t know what data you hold and where it sits — as well as who can access it and what they are doing with it — how will you know if it’s lost once you’ve determined you've been breached?

Ditch 'Security by Obscurity' Approaches (and File Shares)

For many years, security and privacy officers have avoided a well known vulnerability in almost every company: legacy file shares.

File shares represent a virtual sea of data. Once upon a time, everyone who placed a document on a file share knew what and where it was. Today, that is far from the truth for most organizations.

These file shares contain a treasure trove of undiscovered information assets, duplicative content and risk. Not knowing is never better. You need to understand how your business users are managing sensitive data today, so that you can properly remediate and educate going forward after a system clean-up.

Usually ungoverned and unmanaged, these files shares represent tremendous risk for most organizations. They often hold “dark data” that is unidentified, untagged and often redundant, obsolete and no longer relevant to the business.

I’ve heard CIOs describe their file shares quite literally as “toxic waste dumps” that they don’t want to touch. These file shares are often pivotal to the “culture of a company” and whether or not your organization plans to retire them, or keep them in production, ignoring the opportunity and the risk of the data that sits in those siloes presents a very high risk factor.

Risk Assessment Isn't the Name of the Game

Risk management is. There is no such thing as perfect security. We’ve learned over and over again that every organization will face security threats.

In my mind, there are two kinds of companies: those that have been breached, and those that have been breached, but just don’t know it yet. Every organization has at least one employee who will click on anything. So how do you protect your organization against an infinite number of unknowns? The answer is simple: you can’t.

The best defense is to prioritize what you are protecting from whom, make it easier for your end users to do the right thing with your most valuable assets across your protected systems, and mitigate risk and harm with some very simple steps.

Harness an Existing IT or Business-Driven Modernization Project Within the Company

Use a project — such as a cloud migration — to gain momentum for your privacy and security program.

GDPR sets out clear technical controls that are required for managing certain kinds of personally identifiable information (PII) in the cloud. The message from security and privacy to the business and IT should be, “Yes our business is moving our legacy data from on premises to the cloud, AND before we do it, we are going to first understand the data.”

By making data classification and protection a part of a migration from the start, you can ensure you only move data that should be stored in the cloud.

In addition to protecting data subject to records management, privacy or security concerns, you can also dispose of data that is redundant, obsolete or trivial. Through this approach, you provide cost savings to the business, while also improving IT efficiency and end-user experience. Now, privacy has become a business enabler, rather than a cost.

Become Fluent in the Language of Business

Under GDPR, the Privacy Office (or Data Protection Officer) not only has a whole new level of importance and purchasing authority, but also now holds responsibility for making technology decisions. This makes it incumbent for them, lawyers or policy folks, or technologists, to become fluent in the language of the business, IT and security — a responsibility they have often left to their counterparts in other departments.

Realize You’re All on This Ship Together

Who is ultimately responsible for privacy and security? The reality is, no matter who is “organizationally” responsible for protecting sensitive information and shielding your company from a data breach, if something bad happens, everyone is in the same sinking ship — just ask the former CEO of Equifax.

Security must be everyone’s job. If you treat it as an afterthought, or leave it to the people in IT, or even to your CISO, then you have already failed.

No matter how great the security team is at your organization, history has shown us there are too many adversaries and attack vectors. While we as security practitioners need to get our defenses right every time, hackers only need to be right once. If you make security the job of each of your employees, you will have an army to protect your data.

Build a Corporate Culture

Build a corporate culture from both the top down and bottom up that prioritizes the protection of your most valuable asset: data, the new money.

Plan For the Worst

If you are not already doing so, be very clear on how you will respond and what you will do if and when your organization suffers a breach. Let’s learn a positive lesson from Equifax — you don’t want to plan your response as you are in the throes of the incident.

Implement Really Good Data Life Cycle Management Policies

You will, by default, limit and understand the data you need to protect. If you are appropriately end-of lifing data, moving data from production to archive environments, and properly deleting it as required under GDPR data minimization requirements, you will also be reducing your risk.

GDPR, like most other privacy and security laws, is in many ways reframing or reimagining the best practices that companies have been implementing in part for a number of years. But the time is now to put really good policies, procedures and technical controls in place. We must help build organizations that are lean, optimized and cyber-resilient.

It’s also important to educate yourself on the new GDPR regulations and solutions if you haven’t already. If you view the upcoming GDPR deadline as an opportunity to implement the procedures and technologies your organization has been neglecting for too long, we can all make it through winter stronger than we were before!