On the morning of 24 August, AD 79, the people of Pompeii were utterly unprepared for the eruption of Vesuvius as they went about their daily lives. However, with the benefit of hindsight and some first-hand historical accounts, we know that the tell-tale signs of an impending disaster were there to warn them. So why didn’t they save themselves if the warnings were in plain sight?
Many companies in the UK and across Europe could face their own Vesuvius if they do not prepare for the new EU Data Protection Regulation which is likely to be approved next year and take effect in 2017. There are obvious signs that significant risks lie ahead if companies do nothing to change how they protect data because the new regulation will have major implications for all the ways in which data is collected, stored, accessed and secured. Most importantly, it will require an entirely new mindset when it comes to securing customer data.
If we have learned anything from last year it’s that we have a growing data security crisis. Four of the top ten data breaches of all time occurred in 2013 and, according to the Breach Level Index, nearly 600 million data records were stolen worldwide - including nearly 4 million in the United Kingdom. The sad truth is that this number is likely to be higher, because most breaches go unreported across the EU.
Each week it’s hard not to see a news story about a major security breach in which customer data is either accessed or stolen. In the second quarter of 2014 alone, SafeNet’s Breach Level Index revealed that 237 data breaches occurred. Companies we all know, use and trust with our personal and financial information have been affected, including eBay, Office, Morrison’s, and Mumsnet.
Perhaps what’s worrying is not the number of incidents but the scale of the data breaches. It’s likely only to get worse, and the reporting requirements of the new EU Regulation will make the problem more visible. So it’s time to wake up to the fact that conventional data security and breach prevention measures are not working very well any more.
The new EU Data Regulation will mandate companies to adopt preventative security measures that lower the risks of these incidents and use security measures that help mitigate the consequences after an incident occurs. What will really shine a light on companies with lax security is the requirement to notify both authorities and affected individuals when a data breach incident occurs. Given the transparency that will be introduced by the disclosure requirements, there may very well come a time in which the list of organisations that have suffered data breaches is publicly available, much like a wall of shame.
Beyond the strict requirements of the regulations, what companies really need is to shift to a new data security mindset. Here are four recommendations security operations professionals can seize upon to prepare for the new EU Data Regulation:
Out With the Old, In With the New: Today’s security strategies are dominated by a singular focus on breach prevention that includes firewalls, antivirus, threat detection and monitoring. But if history has taught us anything, it is that walls are eventually breached and made obsolete. Think the Maginot Line. You get the picture. The next and last layers of defence need to be around both the data and the individuals who access it, surrounding them with end-to-end encryption, authentication and access controls that provide the additional measures necessary to protect customer data.
The proposed EU Data Regulation may still be a long way from becoming law, but it’s time to start preparing. Companies need to start taking steps to change their security mindset about protecting customer data. Being breached is not a question of “if” but “when”. Traditional approaches to data security do not work any more, so it’s time to move away from breach prevention towards a ‘secure breach’ approach. This means accepting that breaches happen and using best-practice data protection to guarantee that data is effectively useless when it falls into unauthorised hands. If companies don’t wake up to this new reality soon, the consumer revolt will come and they will have their own Vesuvius.
By Jason Hart, VP Cloud Solutions, SafeNet