Time to get that GDPR Gremlin off your back
With less than nine months to go until Global Data Protection Regulations (GDPR) come into force across the European Union, businesses should be well underway in their efforts to achieve compliance. However, meeting the demands of GDPR is easier said than done and a substantial proportion of businesses are still showing a worrying lack of preparedness.
According to a study released in July by Spiceworks, just five per cent of IT pros in the UK and two per cent in the US believe their companies are fully prepared for the regulations. With fines up to a maximum of €20 million or four per cent of a company's annual global revenue on the table, failing to comply with the legislation could be disastrous.
There are multiple explanations for this apparent complacency. In many cases limited C-suite support and a lack of knowledge or awareness are holding organisations back, while some simply don’t think the regulations will affect them. But a key issue that many businesses are also struggling to cope with is the hugely complex, and difficult to manage, nature of modern networks, which now typically incorporate multiple databases and a growing number of network devices that constantly manage potentially sensitive data.
All of this means multitudes of businesses are putting themselves at risk of being hit by substantial fines, as well as reputational damage and a potential loss of customers. The new regulation also holds individuals personally responsible, highlighting that compliance may not be sexy, but if you get it wrong it certainly has big teeth.
One mistake many organisations also make is viewing compliance as a destination rather than an ongoing journey. A common pitfall is that businesses only worry about passing an audit and, once the audit is over, compliance gets relegated from being a priority to an afterthought, resulting in a stark reality that many businesses are barely surviving from one audit to the next.
In a GDPR world, that mindset simply won’t be good enough. Cybercriminals – and compliance authorities – will be ready to pounce at the slightest sign of complacency, so businesses of all sizes need to ensure that compliance is viewed as a constant process rather than a single point in time.
Keep it simple
With business networks constantly growing and data flowing across an ever-larger environment, keeping track of all the moving parts can be a significant challenge. Therefore, when it comes to GDPR, the first business challenge should be to tackle complexity head-on, by increasing visibility and gaining a strong sense of all the moving parts of the network.
Data mapping is an important part of this process. By mapping the network – and ensuring it is regularly updated – businesses get a clear view of how data flows through the company. This addresses several important concerns, such as knowing where sensitive customer information resides, how it is being used and who has access to it, all of which are central components of GDPR compliance.
Mapping the network also helps to maintain security policy compliance by enabling businesses to easily identify all their network traffic across different applications and services, based on actual usage. Once everything has been mapped, network segmentation can then be applied to ensure that only the appropriate network zones or user groups have access to specific types of data, which helps to keep customer information safe in the event of a data breach.
But, key to everything is having a centralised tool to manage network security policies and streamline all future changes made to the network. Policies are put in place to ensure that businesses operate in line with regulatory standards and are especially important when it comes to effectively managing large quantities of data. By incorporating a centralised policy management tool, security and compliance can be simplified and IT teams can enjoy a greater level of control over the environment.
Continuous compliance
When GDPR comes around, making sure doors to corporate networks remain locked will be key to ensuring compliance – and automation can significantly reduce the amount of effort required.
When it comes to achieving continuous compliance, there are several different ways in which policy-driven automation is a central component. For example, with networks being more dynamic than ever before, carrying out regular reviews of existing rules and policies is essential, but also an extremely tedious task to do manually. Automated tools are able to identify high-risk or redundant rules in a fraction of the time and with a greater degree of accuracy.
This also applies to provisioning new policies, which must comply with GDPR requirements without adversely impacting any existing rules. Again, this is a complicated and time-consuming task, the burden of which can be drastically reduced through an automated approach that maintains compliance without the risk of human error. Any policy violations will be flagged and resolved in real-time, thereby significantly streamlining operations. Life is also made easier for future inspections, as automated actions are constantly recorded and documented for auditing purposes.
Furthermore, the so-called ‘ripple effect’ where a minor change to one policy causes a vulnerability in another area of the corporate network is a very real danger. Automated policy management solves this issue by providing network-wide visibility and designing optimised new rules based on real-time analysis of existing rules, thus avoiding the ripple effect. Most importantly, business leaders can feel reassured the whole network meets regulatory standards.
Maintaining GDPR compliance 24-7-365 is no mean feat and businesses need all the help they can get. Through an automated approach, risks and vulnerabilities can be proactively identified and resolved across even the most complicated network environment, ensuring compliance all year round.
Time may be in short supply, but it’s still not too late for businesses to start putting their GDPR plans into action and turning compliance into a valuable competitive advantage.
Andrew Lintell is RVP NEMEA for Tufin Technologies, the leading Network Security Policy Management vendor. For more information, please visit www.tufin.com or contact him directly.