GDPR can help make IT security a business priority
It may just be human nature to think that the worst is never going to happen to us, whether in our personal or professional lives. How many people do we all know who dramatically changed their lifestyles and became healthier only after a serious illness or a health scare?
Companies are no exception: sometimes it takes a big hit for changes to happen. Figures from the 2018 Security Capabilities Benchmark Study, published in the Cisco 2018 Annual Cybersecurity Report, reveal that 91% of EMEAR companies that suffered a breach in the past year made significant improvements to their threat defence policies, procedures and security technologies.
If there is one positive aspect of suffering a cyber attack, then this is it: it helps raise internal awareness for IT security.
How GDPR will help
In many cases, security professionals struggle to speak the same language as their board of executives and help them understand why they need to prioritise investment in security. When a public cyber attack happens and executives see the multidimensional damage it causes, then those reasons to invest become crystal clear. Conversations (and changes) happen at a much faster pace when everyone understands the issue.
This is where laws such as the General Data Protection Regulation (GDPR), which takes effect on 25th May 2018, can help improve security.
Companies that are already investing in security may not have a lot to worry about, as they are probably well on the way to being compliant (on the security side of GDPR). On the other hand, for those organisations that have been struggling to secure funds to invest, GDPR offers a great opportunity to get security professionals and top leaders on the same page. New legislation such as this forces minimum standards on companies, which will help support greater technology innovation in the future.
Data privacy and IT security are not only regulatory requirements, but also customer demands. It is becoming more frequent for companies to get questions from their customers about how they are handling their data. There is a relationship of trust, an assumption that the company receiving their data will take good care of it. The law is just there to ensure that companies are doing all they can to honour that trust.
There is a lot of scaremongering going on around GDPR compliance, but companies have nothing to fear. They should take the opportunity to discuss IT security at a board level, and openly review their current processes and what needs improving.
This board conversation is important because data privacy and security go beyond IT; they affect different roles within organisations. Departments such as HR, Marketing, Sales, Legal and Operations all have to deal with personal data, whether it comes from internal or external audiences. Therefore, it is important that all parts of the business consider the best ways to segment critical data and protect it from unauthorised access.
The General Data Protection Regulation can then become a catalyst for change. The hefty fines and sanctions associated with GDPR are perhaps the "health scare" that will prompt organisations to implement and nurture healthier security postures. It could have the same awareness effect that a cyber attack has, but hopefully without any of the financial damage.
For more information on how to get GDPR compliant, visit our Trust Centre: https://www.cisco.com/c/en/us/about/trust-center/gdpr.html