Data Privacy Day provides an important opportunity for organisations to take a step back and consider whether they really are doing enough to keep their customers’ data secure in the face of today’s threats. While data protection regulations such as the EU GDPR have helped start conversations and forced organisations to think differently about how to keep data secure, this is just the starting point.
Just because a business complies with a regulation, that does not necessarily mean it is doing everything it can to protect its customers’ personal data. For example, under the GDPR, the integrity and confidentiality principle states that organisations must implement ‘adequate security controls’ to safeguard personal data. Critically, however, the regulation does not define what ‘adequate’ really means.
An organisation could argue that its implementation of basic anti-virus protection and once-yearly data protection training for staff is ‘adequate’ – this may technically satisfy the regulation, but is it really enough to keep consumers’ personal data safe from malicious attacks and data breaches?
Today’s cyber threat landscape has changed dramatically, with malicious actors favouring sophisticated, targeted attacks that rely on social engineering to capitalise on human vulnerabilities. ‘Adequate’ security simply isn’t enough. Defending against such threats requires an equally sophisticated strategy for the ongoing security of people, processes and technology.
Regulatory compliance is often viewed as a check-box exercise and can be open to interpretation, so becoming compliant with regulations such as the GDPR should not be a primary driver of security. Compliance is an important step in the process as it can help an organisation discover critical gaps in its current security, but it should only be viewed as a starting point on the journey to true data protection and information security. Beyond the compliance checkbox, organisations need to implement industry best practices, understand their individual risk profile, and implement people-centric security strategies.