As the EU prepares for the General Data Protection Regulation (GDPR) to become a reality as early as this year, I keep hearing from European organisations that are scrambling to keep up.
The goal of the GDPR is ostensibly simple: to protect personally identifiable information (PII). This protection is more important than ever, as we see data breaches occurring nearly every day, affecting businesses both big and small, and harming companies and individuals. Protecting data stored in file cabinets or on on-premise networks shouldn’t be a problem – but the biggest wrinkle for GDPR compliance might be contending with the cloud.
Tech leaders across a range of organisations have told me that they’re worried about the GDPR’s more deliberate look at the cloud and BYOD practices. By the end of this year, 90 per cent of UK businesses will be using at least one cloud service. Storing and sharing information in the cloud can, of course, be a boon to business productivity and cost-cutting initiatives, but it’s a double-edged sword: without the appropriate security measures, the cloud is a repository for a lot of unsecured sensitive information floating around for anyone to see.
When cloud services operate in the shadows – as they do at many companies – no one is in control of their security, which results in gaping vulnerabilities. More than 60 per cent of UK professionals in engineering, legal, or medical fields say they use cloud services without their employer’s permission, often just because it’s simpler. The problem, however, is that if you’re not controlling your employees’ cloud usage, you’re also not controlling safeguards that protect mobile devices or controlling how information gets shared. This scrutiny couldn’t come soon enough, because you can’t protect against unknown risks.
In part, this is what the GDPR is trying to curtail. These stricter regulations will crack down on information-sharing to better protect PII. Healthcare, research, and legal industries will be particularly impacted as pseudonymous data is newly being considered subject to regulation, and the required protections for genetic and criminal-conviction data will increase. Third-party vendors and service providers working with companies will also now be subject to compliance.
The bottom line is that a lot more information is going to need to stay secure. But as we move further into the cloud, there’s a widespread impression that security is ever more elusive. Mobile devices are perhaps the largest purveyors of files shared and stored in the cloud. But when a file – whether it’s PHI, clients’ financial statements, or a spreadsheet containing genetic data for R&D – leaves the cloud network to sync to a mobile device, it loses all its default encryption. And when upwards of 750,000 smartphones get stolen every year in the UK, you can only imagine how much inadvertently unencrypted data might fall into the wrong hands.
The GDPR is requiring companies to take a long, hard look at their security measures. Re-evaluating security procedures and updating them to adapt to the shifting face of technology is a must.
Here are a few things businesses can do strengthen their security and prepare for the GDPR’s crackdown:
• Encrypt sensitive data on the cloud and on mobile devices. By adding an additional level of file-level encryption to any default cloud protection, files will become encrypted before they ever reach the cloud – and stay encrypted wherever they reside.
• Know what to encrypt. It’s not enough to know to encrypt – but knowing what to encrypt is also key. Familiarise yourself with the new guidelines, and know how information is stored at your company and how much of it is handled by third parties.
• Enable two-factor authentication. Password security is paramount to keeping files safe, and safeguarding already-strong passwords with two-factor authentication keeps data breaches even further at bay.
• Make security seamless. Employees want a simple workflow, and anything that interrupts it – like VPNs, clunky portals, or unconventional file transfer procedures – will likely inspire them to pursue unsafe workarounds. Instead, choose a cloud provider that allows seamless security to get everyone on board.
Asaf Cidon is CEO and co-founder of Sookasa