Does Compliance Equal Security in the Age of Data Privacy?

May 25th, 2018 is a date that will forever be etched in history as the day when the European General Data Protection Regulation (GDPR) was finally implemented. Many assumed it would lead to the world ending but alas, the earth is still turning.

To summarize, the law was passed to address how organizations make use of the data they collect on each citizen/consumer, with a view to protecting the personal information of individuals in the EU. Even though it is a European law, the scope of the legislation impacts every organization on the planet, and the penalties for those found non-compliant can be financially detrimental. As a result, organizations are scrambling to improve data security with the objective of stopping cyber criminals from stealing their precious information. Doing so has led many to ask: ‘does having adequate security also mean my organization is GDPR compliant?’

This happens to be the €20 million question (the maximum penalty for non-compliance); and with the rapid evolution and sophistication of hacking, it’s one that organizations need answered quickly.

Despite the implementation of data protection laws, the news of organizations suffering data breaches has not slowed down. Towards the end of 2018, a spate of highly publicized attacks made the headlines and included brands like British Airways, Amazon, Facebook, Vision Direct, Dell and Marriott Hotels. Moving into 2019, even Google is facing a $57 million fine for violations of the GDPR (the largest fine issued under the new EU law).

Yet, because the cybercrime environment has become more diverse, sophisticated and complex, it is nigh on impossible to completely eliminate the risk of being breached, leaving many organizations to operate in fear. In truth, compliance does NOT equal security; in fact, this perception fuels a false sense of security. Instead, meeting compliance should be seen as a stepping stone in the right direction towards security.

The issue for organizations
To some extent, cybercrime is a precursor to compliance, especially when it comes to targeted attacks. With threat vectors constantly evolving, hackers are one or two steps ahead, and they operate quicker than regulations can be passed and implemented. But, depending on the size of the organization, there could be thousands of endpoints masked within a complex infrastructure, meaning it could be virtually impossible to be 100% compliant; and even harder to be totally secure.

For starters, there is no finishing line for being compliant and secure – these are ongoing projects that need to be constantly maintained and updated, and they require thorough vigilance combined with careful architecture. Introducing regulations, such as GDPR, is a great place for organizations to begin to carry out the basics of data protection; yet, this is just an elementary step towards addressing security.

To meet more advanced and dynamic threats, enterprise security architecture needs to be able to meet the organization’s unique management objectives and risk challenges.

Organizations unsure of what should take priority – compliance or security – need to start by ensuring that security and privacy are truly baked in to their systems, with the objective of reducing risk, chiefly unlawful access to critical data.

In the wake of recent attacks, these are often reluctant afterthoughts, by which time the damage has already been done. Although every enterprise faces its own variation of threats, there are two types of attack that apply to most: sabotage, or data theft to gain access to sensitive information.

What should be done
A layered approach to data security is what organizations have begun undertaking to beef up their defensive perimeters, resulting in many investing in solutions that defend against various threats. Unfortunately, this has led to enterprises wasting valuable resources on unnecessary solutions, which is calamitous, especially when you consider that many security teams are already confined to tight security budgets.

To help cut through the confusion, organizations should prioritize a data-centric security strategy. The focus here is to protect the data throughout its lifecycle, whether in motion, at rest or in use. Embedded within this strategy should be tokenization, as this essentially “de-toxifies” sensitive information: each sensitive value is replaced with a unique, randomly generated placeholder, so the placeholders cannot be linked back together and the true value is protected via anonymization. This gives the organization the ability to use the data while still protecting its original characteristics and, most importantly, meets both compliance and security concerns.
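To make the tokenization idea concrete, here is an added illustration in Python; it is not code from the article or from any vendor product. It assumes a hypothetical `TokenVault` class that holds the only mapping from random placeholders back to the sensitive values, a `tokenize_record` helper that swaps out the fields listed in `SENSITIVE_FIELDS`, a `"vault-reader"` role that is the only one permitted to detokenize, and a constructed sample customer record. Every call to `tokenize` issues a fresh random token, so two records holding the same email or card number cannot be linked through their tokens, while non-sensitive fields stay usable by the application.

```python
import secrets
import string
from typing import Dict

# Characters used for tokens; the token carries no information about the value.
TOKEN_ALPHABET = string.ascii_uppercase + string.digits

# Fields of a customer record that must never leave the vault in clear form
# (hypothetical field names for this illustration).
SENSITIVE_FIELDS = ("email", "card_number")


class TokenVault:
    """Minimal vault-style tokenization service (hypothetical, for illustration).

    Sensitive values live only inside the vault. Applications receive a random
    placeholder (the token) and never handle the original value themselves.
    """

    def __init__(self, token_length: int = 16):
        self._token_length = token_length
        # token -> original value. In a real deployment this store is the
        # hardened, access-controlled component of the architecture.
        self._store: Dict[str, str] = {}

    def tokenize(self, value: str) -> str:
        """Replace a sensitive value with a fresh, cryptographically random token.

        Each call produces a new token, so two records holding the same value
        cannot be linked together by comparing their tokens.
        """
        while True:
            token = "".join(secrets.choice(TOKEN_ALPHABET)
                            for _ in range(self._token_length))
            if token not in self._store:  # guard against the improbable collision
                self._store[token] = value
                return token

    def detokenize(self, token: str, caller_role: str) -> str:
        """Recover the original value; only the vault-reader role may do this."""
        if caller_role != "vault-reader":
            raise PermissionError("detokenization requires the vault-reader role")
        return self._store[token]


def tokenize_record(vault: TokenVault, record: dict) -> dict:
    """Return a copy of a customer record with its sensitive fields tokenized.

    Non-sensitive fields (customer id, country, ...) are left untouched so the
    application can keep working with the record.
    """
    protected = dict(record)
    for field in SENSITIVE_FIELDS:
        if field in protected:
            protected[field] = vault.tokenize(str(protected[field]))
    return protected


def tokens_are_unlinkable(vault: TokenVault, value: str) -> bool:
    """True if tokenizing the same value twice yields two different placeholders."""
    return vault.tokenize(value) != vault.tokenize(value)


if __name__ == "__main__":
    vault = TokenVault()
    # Constructed sample record; not real customer data.
    customer = {"customer_id": 42, "country": "IE",
                "email": "alice@example.com", "card_number": "4111111111111111"}
    safe_copy = tokenize_record(vault, customer)
    print("record seen by the application:", safe_copy)
    print("same value, two tokens, unlinkable:",
          tokens_are_unlinkable(vault, customer["email"]))
    print("vault-reader recovers the email:",
          vault.detokenize(safe_copy["email"], "vault-reader"))
    try:
        vault.detokenize(safe_copy["card_number"], "analytics-app")
    except PermissionError as err:
        print("analytics-app is refused:", err)
```

The point of the design is that a breach of the application database yields only placeholders, and the value of the vault is exactly why it must be the most tightly controlled component: access to `detokenize` should be logged and restricted to the few roles that genuinely need the clear value.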

Compliance and security are not necessarily two peas from the same pod, but they are both vital to the survival of enterprises today. GDPR has set a precedent, and now we are seeing other countries adopt similar data privacy laws, including Brazil, Australia, Japan and South Korea, as well as certain states in the USA.

With this trend only likely to grow, data privacy laws should be seen as the perfect opportunity for businesses to review and address any security weaknesses, especially regarding the protection of data. Any fines for non-compliance should only act as an impetus to implement these policies, particularly in today’s world, where data protection is fundamental to data privacy.
