GDPR compliance and the lasting effects of avoidable breaches
Attacks on enterprise systems can have long-lasting impact and reverberations, as in this latest data security breach, which stems back to 2012. According to the article, a missing patch led to an attack in which data was compromised, and suddenly criminals had access to over a million records of personal data. Of course, this case likely has a lot more detail behind the attack than the article points out. But even so, five years later, the firm settled with a significant fine, negative publicity, and no doubt a lot of disruption in the process: investigations, remediation, process changes and intrusive third-party investigations.
While one could conclude that the answer is simply better patching, the fact is that all software contains vulnerabilities, and a patch might not exist for every permutation of exploitable code. Even the best-prepared enterprises, and firms moving to modern container and hybrid cloud-based applications, are still vulnerable.
So, whether it’s microservice-composed apps, cloud workloads in AWS, Hadoop, or traditional mainframe data processing, data security needs to be on tap, built in, and ready to protect sensitive data with encryption that keeps live information out of the reach of malware and insiders. While I don’t know the ins and outs of this particular firm’s data security approach, if any breached firm had data-centric security built into the applications processing Personally Identifiable Information (PII), especially using modern Format-preserving Encryption, the attackers would have gotten nothing of value, and the five years of disruption from breach to settlement could have been avoided.
Data Security is good for GDPR Compliance
The real costs of this data breach could be far more than the $5m settlement fee once business disruption and legal costs are taken into account. These days, with regulations such as the looming General Data Protection Regulation (GDPR), organizations need to focus on growing the business while staying compliant, rather than spending budget on defending against avoidable data risks. Incidentally, under GDPR, if the firm handled PII of EU citizens or residents, this kind of breach could have even bigger financial consequences (see “Here Comes the GDPR”). If you haven’t already started the journey to secure data in databases and analytics, especially if GDPR data protection is on your radar, consider evaluating a data-centric security strategy as a first step: it is a strong bang-for-buck risk mitigation approach.
Mark Bower is Global Director of Product Management for HPE Security – Data Security. He will be delivering the Data Security Keynote session at Protect 2017, presenting on “Mapping SecureData to GDPR requirements: Best-practices on practical use cases,” and moderating the panel “GDPR: The opportunity within the challenge.”