In May 2018, the General Data Protection Regulation (GDPR) comes into force. GDPR toughens rules around obtaining consent to process data; it forces companies to tell consumers whenever a serious breach occurs; it sets much more stringent standards for data protection; and it means that companies can be forced to stop collecting or processing data, and even face fines of up to €20 million or four percent of global revenue, whichever is larger.
Because of this, for at least the last year, all debate around data protection has focused on the GDPR. For companies that suffer a significant data breach, fines are just the start of their problems. What does a significant data breach really mean for your business?
Businesses need to get serious about protecting their data
In a recent survey, two-thirds of respondents said they used personal mobile devices at work. That means a lot of companies do not have any control over these devices. Once data is on those devices, it can go anywhere and be viewed by anyone outside of the company who has access to those devices.
That’s not all. Employees – or even entire departments – can sign up for cloud applications that have not been approved by IT and are operated without any IT oversight. Once data has been uploaded to cloud email, storage services or one of the many popular online CRMs, the business has little or no control over how it is shared, accessed or modified. There is also no guarantee that the cloud app itself stores and secures data in a way that complies with national data protection laws.
With the sheer volume of data and the speed at which it moves around organizations, these factors have made data protection a critical issue for every business. Businesses need a better understanding of the data they are dealing with, how much of this data is particularly sensitive, where this data is transferred, how they can protect it, and how they can detect and respond to a data loss incident if one actually takes place. But without any visibility into data risks, this can prove quite a challenge.
You need to follow your data, everywhere it goes
Technologies like Active Directory or Lightweight Directory Access Protocol (LDAP) give organizations the ability to specify how each user on the network may access, edit, and share any piece of data. That was fine when data didn’t leave the network and was only shared between authorized corporate users, but is insufficient today, when data is as mobile as the devices your employees have in their pockets.
The answer is to secure documents using technology that is applied at the data level. When a document is uploaded to Dropbox or Google Drive, the access and editing permissions your IT department specified for that document should follow it into the cloud. Even if a document is widely shared online – and our recent research shows that 20% of documents are broadly shared – it should be strongly encrypted, and only authorized personnel with the proper credentials should be able to open and edit it.
Unauthorized users will be unable to make any use of the data to cause harm to the individuals or the company. Without this level of control, you run the risk of personal data falling into the wrong hands, of company documents and internal discussions coming to light in a way that may hurt the company’s reputation, of your company’s intellectual property leaking into the public domain, and of demonstrating sub-standard data protection practices that can run afoul of GDPR.
A broader view of data risks
The GDPR's entry into force is imminent, and organizations should be preparing for it now, as the consequences of not doing so could be immense. A recent study found that in the UK, the fines imposed on companies in 2015 would have been 79 times higher under the GDPR. In one instance, a fine would have risen from £400,000 to £59 million. Data protection authorities could also force organizations to stop collecting or processing data, which could prove even worse than any fine for data-driven companies like online retailers.
Our understanding of the risks posed by data loss should not stop at the legal consequences. A 2017 study found that stock prices fall by an average of five percent in the wake of a major data breach and customer churn increases by as much as seven percent.
Only by applying security that can intelligently identify sensitive data across your extended organization, apply strong security to protect that data, and then follow it through both unmanaged and managed environments, on the corporate network or in the cloud, can businesses adequately protect themselves against these risks.