This year has been tough for organizations that have to pass compliance audits, and 2018 is not looking any better. The regulatory landscape is going to keep on changing. In the U.S., all credit reporting agencies are now obliged to comply with the New York Cybersecurity Rules, while all federal contractors must face NIST Special Publication 800-171, which comes into force December 31, 2017 and will regulate the protection of controlled unclassified information (CUI). For the UK, the most far-reaching change will come into force on May 25, 2018: the EU’s General Data Protection Regulation (GDPR), which applies to every organization that processes personal data of EU residents.
Are you prepared for all of these regulations? Many organizations aren’t. In fact, it can be hard to even know where to start.
I would like to share 5 key strategies that will help you comply with GDPR in 2018 — and be prepared to quickly meet other requirements that will undoubtedly follow in the years to come.
1. Assess your current cybersecurity status, and get the right help.
Companies from highly regulated verticals are more likely to already have the awareness and processes necessary to adapt to new regulations; other organizations still need to expand the visibility of cybersecurity at the C-level. Because not all companies have cybersecurity professionals on staff or can afford to hire them, demand is increasing for tools that automate the required technical controls, and for security consulting and services to implement and manage those tools and processes.
2. Make cybersecurity a priority at the highest level.
Many businesses have shrugged off data breaches over the last few years, offering credit fraud protection to impacted customers but no real executive accountability. But the fact that Equifax’s CEO, CIO and CISO simply retired after the recent huge data breach is raising many eyebrows. While in the U.S. regulators are trying to establish responsibility for the C-levels, in the UK the GDPR is crystal clear here: Executives are accountable for ensuring that data is safe. Therefore, the board of every enterprise should not only initiate improvements to security programs, but also ensure the flow of stable funding to those programs. One person cannot fix the problem of weak data security alone. It requires a business-driven approach led by senior leadership.
3. Establish a risk assessment and mitigation process, and use it continuously.
Organizations need to establish a reliable risk assessment and mitigation process that will help them identify and prioritize the risks threatening their data security, so they can improve processes and policies to minimize those risks. This is a must for GDPR compliance, but it’s also important to understand that risk assessment is not a one-time event. Because both IT environments and the threat landscape are constantly changing, risk review and mitigation must be repeated on a regular basis, such as annually or quarterly.
4. Stay alert to urgent issues that arise between your regular risk assessments.
Although risk assessment should be a regular process on the executive level, designated security personnel must always stay aware of the changing security landscape — an outbreak of a new malware variant or the discovery of a zero-day vulnerability cannot wait until the next board meeting. Establish a process for assessing and responding to new threats as the organization becomes aware of them.
5. Adopt a secure framework for information protection.
Choose one of the available cybersecurity frameworks, and have your executives, security experts and IT professionals work together to adapt it to your unique environment, processes and culture. Remember, you can’t eliminate the possibility of a breach. But a breach itself is not what causes the most outrage from consumers and government officials; it’s how it is handled. There are two things that organizations repeatedly fail to do:
- Follow simple cybersecurity hygiene best practices. Think about simple things like network segmentation and patch management.
- Notify the impacted clients and authorities in a timely manner. When GDPR comes into force, you will have only 72 hours to report a breach.
Once you’ve implemented these core strategies, no new data protection compliance regulation will be able to ruin your day. With an established and regularly maintained risk management strategy, you will be able to quickly adapt to the changing regulatory and cyber-threat landscapes and harden the security of your critical information.