By Matt Lock, Director of Sales Engineers (UK) at Varonis
Over the last year, much of the discussion on the EU General Data Protection Regulation (GDPR) has been about the huge fines that can be levied against firms that fail to protect the personal data they are entrusted with: up to €20m, or 4% of annual global turnover. However, the new regulation’s real focus is not simply punishing negligent companies; Elizabeth Denham, the UK Information Commissioner, stated last year that large fines are a matter of last resort in most cases. Instead, the aim of the GDPR – which goes into effect on May 25th – is to change the way companies think about, manage, and protect their data.
The new regulation is overdue. Many companies don’t have control of the data they hold, with some having little knowledge of where their most sensitive data is stored or who can access it. In 2017, Varonis analysed hundreds of corporate IT systems and found that almost half of the companies examined had at least 1,000 sensitive files open to every employee. This is exactly what the GDPR is designed to prevent: requiring companies to implement security programs that protect data and enforcing the rules through regulatory warnings, audits, and, if necessary, fines.
This is an issue for any organisation that routinely deals with the data of EU citizens, but banking and financial sector companies are particularly at risk because of the large amounts of personal and highly sensitive data they store as a matter of course.
What are the risks of poor data control?
A crucial principle of the GDPR is data minimisation: organisations should limit consumer data collection and only continue to store data for which there is a real business need. This new approach is in stark contrast to the current data culture, in which the majority of organisations have spent the last couple of decades steadily collecting and storing as much data as possible, with few ever deleting anything.
Aside from exposing a company to legal risk with the regulatory bodies if poor practices are discovered, the personally identifiable information (PII), or “personal data” as the GDPR calls it, held by financial organisations is, of course, highly sought after by cyber criminals. PII is often easily monetised, can be used as a springboard for social engineering attacks, or, if need be, can be sold on to other criminals through the dark web.
Leaving PII and other sensitive data in a disorganised, unmanaged state creates a number of major security risks, because anyone with access to the network will have free rein to reach all of these sensitive files. If an attacker breaches the network, they can often spend weeks or even months steadily harvesting information without attracting any notice.
Uncontrolled data can also be stolen without the criminal ever needing to penetrate the network. Having data open to a large number of users, with no visibility over who accesses it, means there are more targets for well-crafted phishing emails aimed at tricking users into handing the data over. The proliferation of ransomware-as-a-service also makes it easy for criminals to purchase exploits to hold an organisation’s data hostage, and such attacks work even faster on disorganised, unprotected data.
How can organisations get their data under control?
It’s important to note that the GDPR is not designed to punish a company purely because it has suffered a data breach. Rather, it is more concerned with whether the company had sufficient protection in place before the incident, and followed best practice in investigating and alerting potential victims after the fact.
Organisations are waking up to the fact that total security assurance is impossible – they cannot protect against every attack. They should be prepared for a security breach by equipping themselves with the ability to detect malicious activity by analysing data access – much like a credit card company monitors purchase activity for unusual signs that point to fraud. To achieve this, it is vital that they can monitor file access and user behaviour.
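One way to implement the monitoring the paragraph describes, added here as an example and not code from the article or from Varonis's products: each user's daily count of distinct files read is compared against that user's own history, and a day that departs sharply from the baseline is flagged. The audit-log format and the sample lines are constructed assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

def build_sample_log():
    """Constructed audit lines, '<ISO timestamp> <user> <action> <path>':
    alice and bob each read three files a day for five days, then alice
    sweeps thirty HR files overnight, the slow-harvesting pattern."""
    lines = []
    for day in range(1, 6):
        for i in range(3):
            lines.append(f"2018-05-0{day}T09:0{i}:00 alice read /hr/staff_{i}.csv")
            lines.append(f"2018-05-0{day}T10:0{i}:00 bob read /finance/ledger_{i}.xlsx")
    for i in range(30):
        lines.append(f"2018-05-06T02:{i:02d}:00 alice read /hr/staff_{i}.csv")
    lines.append("2018-05-06T10:00:00 bob read /finance/ledger_0.xlsx")
    return lines

def daily_distinct_files(lines):
    """Map user -> {day: number of distinct files read that day}."""
    seen = defaultdict(set)
    for line in lines:
        ts, user, action, path = line.split(maxsplit=3)
        if action == "read":
            seen[(user, ts[:10])].add(path)
    per_user = defaultdict(dict)
    for (user, day), paths in seen.items():
        per_user[user][day] = len(paths)
    return per_user

def flag_outliers(per_user, k=3.0, min_files=10):
    """Flag a day whose count exceeds the user's own prior mean by k standard
    deviations (sigma floored at 1 so a flat history still leaves a margin)
    and also exceeds min_files, so low-volume noise is never alerted on."""
    alerts = []
    for user, days in per_user.items():
        for day, n in sorted(days.items()):
            history = [v for d, v in days.items() if d < day]
            if len(history) < 3:  # not enough baseline yet
                continue
            threshold = max(float(min_files), mean(history) + k * max(pstdev(history), 1.0))
            if n > threshold:
                alerts.append((user, day, n, round(threshold, 1)))
    return alerts

if __name__ == "__main__":
    for user, day, n, limit in flag_outliers(daily_distinct_files(build_sample_log())):
        print(f"ALERT {user} read {n} distinct files on {day} (baseline limit {limit})")
```

Only alice's sweep on 2018-05-06 is flagged; her earlier days and all of bob's activity stay under the per-user threshold.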
There also need to be solid processes in place to prevent valuable and sensitive information making its way from highly secure systems like databases onto file servers where data is often open to everyone and no one is watching what’s being accessed.
The first step for any organisation should be to examine its security policies and, in particular, to maintain a least privilege model, in which sensitive files can be accessed only by the bare minimum of users who need them. Locking down access to data and segmenting networks will also help to limit the damage done by malware such as ransomware and worms that spread through the environment; these kinds of attacks spread far more quickly in systems where access is unrestricted.
Priorities for meeting the GDPR
A common failing is for a company to invest in measures such as antivirus and firewalls, and assume they will be protected. For a financial organisation with a network full of personal and financial data, this is akin to investing in a state-of-the-art safe, but making no effort to check the contents, or even that the door has been closed.
Organisations need to question every layer of their defence and consider what could happen at every stage if the system or a user account is compromised. What data could be accessed, what could be lost or stolen, and how quickly would they be able to detect that something has happened? Basic controls, continuous monitoring, and data analytics are critical to answering these questions.
Enterprises that still lack an understanding of where their sensitive data is stored or how it is accessed should start by deploying automated data classification tools that can flag sensitive folders and list who has access to them. Armed with this knowledge, the company will be able to put in place systems and policies to organise and control access to data that should be restricted.
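A minimal version of the classification-and-access survey described above, added here as an example and not a Varonis tool: it walks a share, matches file contents against a few personal-data patterns, and reports which of the flagged files are readable by every local account. The sample tree it builds in a temporary directory and the regular expressions are constructed assumptions.

```python
import os
import re
import stat
import tempfile

# Deliberately simple detectors; a real classifier needs more patterns and validation.
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){3,7}\b"),
    "card": re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b"),
}

def classify(text):
    """Return the set of personal-data categories found in text."""
    return {name for name, rx in PATTERNS.items() if rx.search(text)}

def world_readable(path):
    """True if the file's own 'other' read bit is set; parent dirs and share ACLs need separate checks."""
    return bool(os.stat(path).st_mode & stat.S_IROTH)

def scan_share(root):
    """Sorted (relative path, categories, open_to_all) for files matching a pattern."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            try:
                with open(full, encoding="utf-8", errors="ignore") as fh:
                    cats = classify(fh.read(1_000_000))  # cap bytes read per file
            except OSError:
                continue
            if cats:
                findings.append((os.path.relpath(full, root), sorted(cats), world_readable(full)))
    return sorted(findings)

def demo():
    root = tempfile.mkdtemp()  # constructed share: relative path -> (contents, mode)
    samples = {
        "hr/staff.csv": ("jane.doe@example.com,GB29 NWBK 6016 1331 9268 19\n", 0o644),
        "finance/locked.txt": ("card 4111 1111 1111 1111 on file\n", 0o600),
        "public/readme.txt": ("Welcome to the share.\n", 0o644),
    }
    for rel, (body, mode) in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
        os.chmod(full, mode)
    return scan_share(root)
```

Running demo() reports the HR file as both containing personal data and open to everyone, while the finance file is flagged for content but correctly locked down.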
An essential part of meeting the demands of the GDPR is for a company to prove that it undertook best practice to prevent and limit potential data breaches. Even if a major incident does occur, a company that can demonstrate it has its data under control will be in a much stronger position.