Networks Europe Jul-Aug 2019 - Page 23

GDPR By Thorsten Kurpjuhn, European Market Development Manager at Zyxel Following the flood of opt-in/opt-out emails that hit our mailboxes last spring, ahead of the introduction of the General Data Protection Regulation (GDPR) on 25 May 2018, silence has fallen over the topic. To some extent, the uncertainty about the legal implications of the legislation still prevails and businesses have, in the meantime, buried their heads in the sand under the assumption that it won’t impact them. As a result of the laissez-faire attitudes towards GDPR to this day, we’ve seen GDPR fines total €56m in its first year, with more than 200,000 investigations, 64,000 of which were upheld. The total fines issued to date remains dominated by the €50 million issued to Google by France’s national Data Protection Commission CNIL. The approach and reaction to GDPR widely differ across Europe. Countries such as Slovakia and Sweden are yet to issue a single fine, while countries like Poland, Portugal and Spain have fined companies several hundred thousand Euros. Germany has seen some of the highest GDPR activities, with 42 fines imposed, averaging €16,100 and 58 warnings issued. In comparison, while the Netherlands has issued over 1,000 warnings, only one fine has been issued, which happens to be one of the highest in Europe at €600,000. Whether the level of GDPR fines issued is down to poor compliance in some countries, or less-diligent Data Protection Agencies (DPAs), in others it remains a grey area. So where are businesses going wrong when it comes to GDPR compliance? Business networks are the weak link A business’ network is a prime data highway, which makes it the prime target for cyberattacks. Even if data handling protocols and procedures are GDPR compliant, these efforts can be rendered worthless as soon as network security is breached. Strengthening the network to protect the data must be a priority for businesses of any size who want to avoid falling foul of GDPR and possibly facing severe financial penalties. Companies are already risking fines of up to €20m or 4% of global annual turnover, whichever is higher if they are found in breach. Yet, compliance still remains a challenge. Arguably, this is because carrying out an email marketing campaign and updating internal documents is a much easier exercise than taking concrete steps to safeguard the network and protect sensitive information. Cybercrime is an evolving threat that can cause catastrophic damage. Cybercriminals are using increasingly sophisticated new ways of penetrating IT infrastructure, making it difficult for businesses to defend networks and keep data safe. The harsh truth is that we cannot make a network completely secure and unbreachable. Thankfully, that is not what GDPR requires of companies. The legislation simply specifies that businesses must do all in their power to ensure data security. This means On the anniversary of GDPR £56m of fines have been issued already, so where are businesses going wrong? that businesses need a robust and reliable solution that demonstrates their dedication to control access to and protection of their digital assets. At this stage, it appears that most businesses would fail to prove that their network is as secure as it can be. The time for stronger security is now Legislation, including GDPR, is only as powerful as the enforcement. Moving forwards, Ernst and Young expect European authorities to become more stringent. “We expect European regulators to implement their 2019 announcements and increase their fines,” said Ernst and Young partner Peter Katko. In the next few months, it will be critical for businesses to step up their game as DPAs begin to ramp up efforts. While large companies are able to outsource the task of putting security measurements in place and maintain them to Managed Service Providers (MSPs), smaller businesses often lack the required knowledge and resource. Yet, the penalties for not dedicating enough effort to introduce stronger cybersecurity measures can be a deathly blow to all businesses. DPAs have the power to not only issue a fine, but to also impose a temporary or indefinite suspension of processing data. The aim is to ensure that no more data can be compromised while investigations take place, but this ruling on its own could threaten the future of a business, especially when you consider the serious reputational damage that would ensue. To reduce the risks, there are practical steps that small businesses can take to ensure the corporate network is aligned with GDPR requirements. Above all, it’s crucial that they build their networks using the latest cybersecurity standards and network infrastructures rather than relying on a standard domestic router with out of the box anti-virus software. It’s time to move on and reap the benefits of new tools available. For example, previously specialist technology, such as Advanced Threat Protection (ATP) is now moving into the mainstream and will allow businesses to monitor and protect their network against cyber threats in real time. This will be crucial as attacks increase in numbers and their sophistication increases. Businesses can’t afford to wait any longer. Not only do they need to keep up to date with regulators’ guidance and the enforcement decisions from DPAs, but they must also review existing network infrastructures to reduce the risk of cyberattacks. Businesses must also prioritise internal cybersecurity awareness and education to ensure that everybody in the organisation knows how to handle data securely and know what to look out for when it comes to the threats to the network. Time has not yet run out, and those who act now can still prevent sanctions and reputational damage. n 23