The one-year anniversary of the implementation of GDPR, one of the most important changes to data privacy regulation in the last 20 years, has just passed. With potential fines of up to €20 million or 4% of annual turnover, its impact is undoubtedly wide-reaching. But since its implementation, what changes, if any, have businesses made to ensure the data they hold remains secure? And what can they do to ensure they don’t fall foul of this legislation?
Since GDPR was enacted there have been more than 59,000 GDPR notifications across the EU. Looking more widely, one of the highest-profile data breaches to date was Equifax’s 2017 global breach, which affected 15 million consumers in the UK and 147 million in the US. Equifax was fined £500,000 as a result but got off rather lightly: the penalty would have been significantly higher had the breach occurred a year later, once GDPR was in force. Google, on the other hand, was not so lucky, being fined €50 million in January for violating EU data privacy rules.
Given the scale and impact of a GDPR data breach, it is no surprise that businesses around the globe have been relatively quick to adapt to the new rules as best they can. This can be readily seen in the number of websites that now require users to acknowledge data collection. Many businesses have also transitioned to encrypted databases and audited their password storage practices in order to protect private information more securely.
Unfortunately, despite this, many basic principles of data security are still not being followed, as the frequent reports of company databases being exposed by hackers show. One recent high-profile example is the news that Facebook was storing millions of passwords in plain text. Although businesses have taken some steps towards ensuring that the personal data they store remains secure, it’s clear that many still have a long way to go.
The new risks that companies are exposed to are more sophisticated than ever. It’s not just the ‘good guys’ who have access to sophisticated technologies such as machine learning and AI; bad actors can use them too. Witness, for example, new malware that bypasses existing AV solutions and firewalls using adaptive signatures and fileless attacks. Attackers are even using steganography (code and URLs embedded within images) to infect devices, which is harder still to detect.
Companies can no longer rely on outdated application development practices such as storing passwords in plain text, or protecting them with weak hashing such as MD5. Instead, they need to design security into their systems from the outset, using the latest security practices and deploying multiple layers of protection, such as database encryption and two-factor authentication.
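As an added illustration (not code from the original article), the following Python contrasts the unsalted MD5 storage the article warns against with a salted, deliberately slow password hash built only from the standard library; the iteration count and the `algorithm$iterations$salt$digest` record format are choices made for this example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Unsalted MD5, the scheme the article warns against: fast to compute and
# identical for every user who chooses the same password, so a leaked table
# can be reversed with precomputed lookups.
def weak_md5_record(password: str) -> str:
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Salted, deliberately slow PBKDF2-HMAC-SHA256 from the standard library.
# The iteration count and record format are example choices, not values
# taken from the article.
PBKDF2_ITERATIONS = 200_000

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt if salt is not None else os.urandom(16)  # per-user random salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False  # malformed record, never a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest avoids leaking how many leading bytes matched
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))

def same_password_collides(password: str) -> tuple:
    """Two users share a password: are their stored records identical?
    Returns (md5_identical, pbkdf2_identical); a sound scheme gives (True, False)."""
    md5_same = weak_md5_record(password) == weak_md5_record(password)
    pbkdf2_same = hash_password(password) == hash_password(password)
    return md5_same, pbkdf2_same

if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong guess", record))                   # False
    print(same_password_collides("Summer2019!"))                    # (True, False)
```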
The future of data protection
It’s becoming increasingly difficult to keep up with cybercriminals’ latest techniques, and the days of relying on a firewall or simple anti-virus software are over. The original AV solutions were designed when there were only a few dozen viruses in existence. Today, more than 2 million pieces of malware are released every day. The availability of automated bots and cheap computing resources has facilitated this exponential growth. Organisations must deploy new technologies that focus on detecting unusual behaviour to identify these new types of malware and provide an additional layer of protection against modern threats. A preventative, multi-layered defence system is needed to defend against the multitude of threats that businesses now face.
In addition, techniques such as outbound, on-device data protection offer a different approach to protecting devices. It’s inevitable that cybercriminals are going to get in and access your data; the key is to stop them from getting it out. Technology now exists to prevent unwanted data collection and identity profiling by increasingly sophisticated hackers. By eliminating the unauthorised exfiltration of data from personal and corporate devices, you will significantly reduce the risk of a GDPR data breach.