On 25 May 2018, the long-awaited European General Data Protection Regulation (GDPR) will finally begin to apply. It represents nothing short of the biggest shake-up in privacy law in a generation: a seismic event for organisations around the world that handle personal data on individuals in the EU. Most importantly, it will place strict new requirements on those firms to protect personal data and to notify the supervisory authority promptly if they have been breached, or else risk huge fines.
With breaches now the norm rather than the exception, it will therefore be more important than ever to spot attacks on the datacentre as early in the kill chain as possible, and to have the right set of advanced, automated tools to support a speedy, effective response.
A Major Shake-up
For those UK organisations hoping that Brexit will mean being able to duck the GDPR, think again. Quite apart from the fact that the regulation applies to any organisation, wherever it is based, that processes the personal data of individuals in the EU, the UK government has already indicated it will keep its domestic law aligned with the EU's after leaving the bloc. In practice, little will change post-Brexit.
Specifically, the GDPR will:
- Apply both to data controllers and to the processors they engage to handle that data on their behalf, bringing a whole new category of firms under regulators' direct scrutiny
- Require that a personal data breach be reported to the supervisory authority within 72 hours of the organisation becoming aware of it, and that affected individuals be told without undue delay where the breach poses a high risk to them
- Levy heavy fines for non-compliance: up to €20m ($21m, £17m) or 4% of global annual turnover, whichever is higher, for the most serious infractions
- Make it much easier for individuals to bring private legal claims against firms
Compliance will present a major challenge to organisations in the UK and beyond, given the scale of the cyber threat facing firms today. The average number of security incidents faced by UK companies rose 23% last year to 5,792, according to PwC's Global State of Information Security Survey 2017. Attacks are often covert and bypass perimeter defences with ease; once inside the datacentre, traditional controls fail to spot them, allowing attackers to linger for months, exfiltrating highly sensitive IP and customer data. PwC reported that 18% of UK organisations did not even know how many cyber attacks they had suffered last year.
What to Look For
This lack of visibility and control will have to change before the new regulation applies, or boards could be on the hook for a serious financial and reputational hit. Note that the 72-hour clock starts when the organisation becomes aware of a breach, so both detection latency and the ability to reconstruct which data was actually touched matter. Next-generation datacentre security tools can help stop as much as possible at the perimeter, but, crucially, must also let firms detect and respond with speed and accuracy if and when threats do creep through.
Look for providers that offer multiple detection methods, including reputation analysis of the domain names, IP addresses and file hashes observed in traffic flows. Dynamic, distributed deception techniques (decoy hosts, credentials and data that no legitimate workload should ever touch) can surface covert threats that match no known bad indicator, without disrupting datacentre performance. And automation is key, to speed up the incident analysis and response that would otherwise take inundated security teams hours.
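As an added illustration of the reputation-analysis step described above (example code written for this page, not taken from the original article or from any vendor's product), the block below checks the hostname, destination IP and transferred-file hash in each flow record against threat-intelligence lists. The key=value log shape, the flow records and every indicator value are constructed for the example and are not real threat data.

```python
"""Reputation (indicator-of-compromise) matching over datacentre flow records.

Added example, not from the original article. The log format, the sample flows
and all indicator values below are constructed for illustration only.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed reputation lists (illustrative values, not real threat intel).
BAD_DOMAINS = {"update-cdn.example", "telemetry.example.net"}
BAD_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # TEST-NET-3, constructed
BAD_HASHES = {"0f1e2d3c" * 8}                             # constructed 64-hex "hash"

# Constructed flow records in an assumed key=value format. Record 4 is a large
# egress to an unlisted IP with no hostname: reputation matching alone misses it.
SAMPLE_FLOWS = """\
ts=2017-11-02T09:14:01Z src=10.20.1.15 dst=93.184.216.34 host=www.example.com hash=- bytes_out=1200
ts=2017-11-02T09:14:07Z src=10.20.1.15 dst=203.0.113.77 host=beacon.update-cdn.example. hash=- bytes_out=512
ts=2017-11-02T09:15:30Z src=10.20.2.8 dst=198.51.100.4 host=files.partner.example hash=0F1E2D3C0F1E2D3C0F1E2D3C0F1E2D3C0F1E2D3C0F1E2D3C0F1E2D3C0F1E2D3C bytes_out=40
ts=2017-11-02T09:16:02Z src=10.20.2.8 dst=198.51.100.9 host=- hash=- bytes_out=9000000
"""


@dataclass
class Alert:
    ts: str
    src: str
    indicator_type: str   # "domain", "ip" or "hash"
    indicator: str        # value observed in the flow
    matched: str          # reputation-list entry it matched


def parse_flow(line: str) -> Dict[str, str]:
    """Parse one key=value flow record into a dict (assumed log shape)."""
    fields = {}
    for token in line.split():
        key, _, value = token.partition("=")
        fields[key] = value
    return fields


def normalise_domain(host: str) -> Optional[str]:
    """Lower-case and strip the trailing dot; '-' means no hostname was seen."""
    if host in ("", "-"):
        return None
    return host.rstrip(".").lower()


def domain_match(host: str) -> Optional[str]:
    """Return the listed domain matching host or one of its parent domains."""
    labels = host.split(".")
    for i in range(len(labels) - 1):   # never test the bare TLD on its own
        candidate = ".".join(labels[i:])
        if candidate in BAD_DOMAINS:
            return candidate
    return None


def ip_match(dst: str) -> Optional[str]:
    """Return the listed network containing dst, or None."""
    try:
        addr = ipaddress.ip_address(dst)
    except ValueError:
        return None
    for net in BAD_NETWORKS:
        if addr in net:
            return str(net)
    return None


def hash_match(digest: str) -> Optional[str]:
    """Case-insensitive lookup of a file hash seen in the flow."""
    if digest in ("", "-"):
        return None
    digest = digest.lower()
    return digest if digest in BAD_HASHES else None


def scan_flows(text: str) -> List[Alert]:
    """Run all three reputation checks over every flow record."""
    alerts: List[Alert] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        f = parse_flow(line)
        host = normalise_domain(f.get("host", "-"))
        hit = domain_match(host) if host else None
        if hit:
            alerts.append(Alert(f["ts"], f["src"], "domain", host, hit))
        hit = ip_match(f.get("dst", ""))
        if hit:
            alerts.append(Alert(f["ts"], f["src"], "ip", f["dst"], hit))
        hit = hash_match(f.get("hash", "-"))
        if hit:
            alerts.append(Alert(f["ts"], f["src"], "hash", f["hash"], hit))
    return alerts


if __name__ == "__main__":
    for a in scan_flows(SAMPLE_FLOWS):
        print(f"{a.ts} {a.src} {a.indicator_type}={a.indicator} matched {a.matched}")
```

Running it flags the beacon to a listed domain (matched through its parent domain and again through the listed network) and the upload of a file with a listed hash, but says nothing about the fourth record, a 9 MB transfer to an address and host that appear on no list. That gap is exactly why the article pairs reputation analysis with deception and with automated triage: indicator matching only catches infrastructure somebody has already seen.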
Some estimates claim UK firms could be forced to pay out over £120 billion in fines once the GDPR lands next year. Whatever the true figure turns out to be, advanced datacentre security tools can help make sure you are not one of them.