You can’t escape it: the General Data Protection Regulation (GDPR) compliance deadline is less than a month away and the vultures are circling. Whilst the majority of IT security vendors are opting to scare the XXXX out of organizations with their demands for rip-and-replace strategies to safeguard personal data, a number of small business insurers are instead opting for a sugar pill. But is either of these approaches one that companies should adopt?
While virtually every business is struggling to get to grips with the challenges of the new GDPR, the current feeding frenzy, from IT vendors to ‘GDPR data experts’, and, now, insurance companies, is unconscionable.
Offering an insurance policy to ‘transfer the risk’ of a cybersecurity breach, and emphasizing the new regulatory reporting demands associated with GDPR, is a classic piece of misdirection. First, the costs, from punitive fines to business loss, are simply too high for any insurer to cover companies against a GDPR breach. Second, no insurer will cover an organization that fails to protect its data or assets.
There is a risk that organizations will mistakenly believe the ‘insurance’ buys them extra time to understand GDPR and how it affects the business, rather than investing in a cyber security policy today. This is not the case.
Improving the GDPR journey
To prepare for the looming GDPR deadline, companies should have clear thinking in place with regard to securing both data at rest and in transit. The deadline is not optional or a one-off: regulators fundamentally need to see that companies are on a clearly defined and workable journey towards compliance.
A big concern for businesses is the need to inform both the regulator and the affected data subjects as soon as a data breach has been detected, something that is likely to have a devastating impact on business reputation. However, if the data is encrypted, a breach will not require notifying data subjects, because the information itself will not have been compromised (GDPR exempts controllers from notifying data subjects where the breached data has been rendered unintelligible to unauthorised persons, for example by encryption).
In order to safeguard data in line with GDPR, security needs to move away from trusting every member of an organization by default. Maliciously or not, people continue to be the weak link in every organization. A swift move towards a Zero Trust mentality assumes that any user could be compromised. Users must then be granted access only to the information they need to do their jobs.
The second step is to ensure that all data is protected. Taking out cybersecurity insurance in case of a hack will not always result in a payout to help cover costs: insurance policies will usually only pay out if the correct steps were taken to secure the data in the first place. Certes’ Layer 4 Encryption solution limits what a hacker can do if they manage to make their way into the network, and prevents them from moving laterally. This is a vital control that is currently missing from most cybersecurity strategies.
There are likely to be several high-profile companies fined in the months following GDPR as they suddenly find themselves non-compliant. But as long as organizations approach security with a Zero Trust mindset, enterprises can be confident they are securing data and complying with the regulation.
To learn about General Data Protection Regulation Compliance Solutions from Certes Networks visit certesnetworks.com/go/gdpr/