The introduction of the GDPR has been heralded as a major improvement to privacy and how data is handled. While it only applies to the data of European citizens, it is credited with having an impact on privacy around the world. Earlier this month, security ratings vendor BitSight issued a report crediting GDPR with improving cyber security in Europe.
GDPR has shown us that no matter how long you give companies to prepare, they will always require more time. GDPR was passed as a law in May 2016. At that time, legislators in Europe decided to give organisations two years to prepare before they would start enforcing the GDPR. Judging by surveys and reports, the majority of SMEs are still unprepared as are many large companies, especially those based outside of Europe.
To understand this, Enterprise Times caught up with Jake Olcott, Vice President, Communications and Government Affairs at BitSight. Olcott talked about what BitSight has seen as a result of GDPR and what it would like to see in the future.
Do companies know enough about the data they hold?
Olcott highlighted the challenge for organisations in having to understand what data they have and how it is used. He said that one of the first things that GDPR achieved was to: “make people realise that you had to put some time and effort in this whole issue of personal data. That means more than just paying lip service and writing policies.”
One solution to this is a data map. A data map shows companies what data they have, where it is stored, how it is used and who is using it. ET asked Olcott if he had seen organisations invest enough time and resources into their data map.
Olcott replied saying: “One of the observations that we have as an organisation is that organisations are really struggling to understand not only where the data is inside of their own organisation and what kinds of data it is, but more importantly, now that we’re doing business with dozens or hundreds or thousands or tens of thousands of different companies, where our data is going. Who has access to it? Where can it reside?”
A need for shared responsibility
Data management has historically been an IT problem. Several generations of technology on from the arrival of the PC, data is often created, lives and dies on devices that IT knows nothing about. Olcott agrees saying: “Cyber is a shared responsibility inside an organisation. And that responsibility is shared by executives, board members, senior leaders, business units, the employees, and IT, and IT security. So that is different from what we were saying ten years ago. Which was, cyber is IT’s domain.
“I think the other reality though is that shared responsibilities are never actually addressed inside of organisations. At the end of the day, you have to task somebody to do something or else the ball just gets dropped. So, I think what we’re going through right now is the recognition that we all play a role in this and that it’s critical that employees are just as involved and understanding about how they should think about securing their systems and being responsible and diligent stewards of company resources as well.”
But is the C-Suite really taking responsibility for data?
Olcott continued: “It’s almost certainly too early to tell. What I would say about GDPR as I would say about any other piece of legislation, is that at the very least, it has raised awareness among senior executives in companies, about the importance of securing data and securing organisations. I think it’s fair to say that this has been a trend within the business community for at least a short period of time and it’s very important that the C-Suite become much more involved in managing this risk.”
Shared responsibility needs a fresh look at breach reporting
One of the inhibitors for shared responsibility is the way organisations handle breach reporting. A user who accidentally clicks on a link is often dealt with harshly. This dissuades users from reporting mistakes and prevents IT getting early notification of the problem. There is also, inside many companies, a difference in standards when it comes to how senior people are treated compared to staff in lower positions.
Olcott believes that this is a fundamental issue if we are to change user behaviour. “What I’ve seen over the years is there has been a move to including security as part of job performance. That may be individual employees being put through the anti-phishing training regime and if you click on that link you get sent to remediation. If you do it too many times, I’ve absolutely heard of situations where organisations have addressed that through a dock in pay.”
This raises the question of how to change user behaviour. Should we gamify security internally and reward departments and users for spotting risk? Working at the department level has the advantage of using internal social networks to spread information.
Olcott says that behavioural change has to happen at all levels of the enterprise and beyond. Data is now shared widely by organisations and GDPR means that businesses are responsible for how data is treated by their partners. Olcott posed the question: “How do I change their security behaviours? When we’re going into business with someone and I’m not satisfied with their security performance, but I still want to do business with them, how do I change their behaviour?”
He sees both the gamification approach and contractual controls as part of this. But can a company reasonably impose security controls on a wholly separate organisation?
Can GDPR be the catalyst to change the conversation around cybersecurity?
The C-Suite has been overwhelmed with the issue of cybersecurity for several years. No matter how much money is allocated to cybersecurity, it never seems to be resolved completely. GDPR helps change that focus. It talks about risk, threats to the business, compliance and regulation.
Olcott is certainly seeing a change in the way IT is talking to the board. He commented: “IT has to become much better at communicating cyber risk. The way that that is increasingly being done is by leveraging not only performance metrics but attributing financial consequence to those issues. Being able to show the efficacy of the programme. In other words, for every dollar that I’m spending on this new security technology, I am improving our risk, and this is how I measure it.”
The rise of cyber insurance
Another benefit of this conversation is greater use of cyber insurance. Earlier this year, AIG said that it expected GDPR to drive both the adoption of cyber insurance and the claims made against it.
According to Olcott: “The rise of cyber insurance is broadening the conversation in the C-Suite as well because traditionally, the IT guys would go to the C-Suite with ‘This is how we’re going to mitigate this risk’. Now, they are talking not only about risk mitigation but also that risk transfer. And that’s the way that many risks have been handled by executives and board members for years.
“It’s recognising that there’s something very unique about cyber. It’s much more dynamic, more adversarial, there’s a lot of different things about it. But it’s trying to improve the way that we understand, assess, and communicate risk to the C-Suite and to the board. That’s the fundamental change that IT needs to go through in the next decade if we really want to try to address some of these problems.”
But cyber insurance is not a solution to the problem. Companies buying it are not audited or examined to show that their existing systems meet particular requirements. In addition, it is often a bolt-on to existing insurance policies, so an organisation needs to understand where the overlap and the gaps are. This is the problem that US-based National Bankshare Inc. discovered when its insurers declined a cyber insurance claim.
Can we be sure that GDPR is helping any of this?
Yes we can. The need to understand where data is and how it is stored is a major step for many organisations. The need for a shared approach to protecting data, in which data security is a business problem and not just an IT problem, is a major shift. It also brings with it a better understanding of risk across the whole business. When this is allied with costs for not doing things right, there is an imperative on the business to get it right.
Another improvement that the GDPR has delivered is responsibility for data when it is shared. Businesses must understand what their business partners are doing with the data and make sure it is audited. If not, the business has to accept its share of any fine should there be a data breach.
From Olcott’s perspective, the signs that this is getting through to organisations are clear. It is shown in the security ratings that BitSight issues and in the adoption of cyber insurance. While there is still more to be done to bring all companies to the same standard, Olcott believes that privacy is improving.
Whether the GDPR can be the base standard for a global increase in data privacy, however, is still something that has yet to be seen.