With the EU’s General Data Protection Regulation set to take effect May 25, businesses around the world are rightly focused on better protecting their users’ data.
But the GDPR’s effects will reach far beyond consumer privacy. Companies seeking to avoid the regulation’s stiff penalties will soon see—if they haven’t already—that security is the core issue. That’s because to prevent data breaches and customer data leaks, they need a robust security posture.
While companies may be scrambling now, in the longer term, the GDPR will be good for businesses, good for their customers, and even good for the global economy because it will drive much-needed investments in security. Here’s how.
GDPR’s security benefits
At first glance, the GDPR may seem like bitter medicine for businesses. If your company does business online, and your information systems can’t handle GDPR’s requirements, your company may be forced to rebuild them, and even adapt its overall business model, to remain in compliance. That could get expensive. In extreme cases, the security providers and in-house security teams that lack the time, expertise, and money to adapt could be forced out.
That may sound punitive. However, there is a silver lining to what many view as a dark GDPR cloud. Because of its strong incentives for security investment, the regulation actually provides a markedly improved climate for cybersecurity. In this climate, proactive companies should be able to keep up, and in the process, the economy will strengthen.
In the pre-GDPR era, businesses have had few, if any, incentives to protect customer data. Yes, a breach might require remediation—shoring up defenses, changing customer passwords, even restoring consumer trust. But absent a breach, businesses had a hard time justifying serious security investment; it is difficult to quantify the true cost of a data breach before it takes place. Without external incentives, those in charge of security budgets have to wonder: Do we invest $5 million or $25 million to get a decent return on investment?
The GDPR makes the cost of a breach very easy to see: It could be up to $24 million or 4 percent of a company’s entire global turnover, whichever is greater. That’s enough to make businesses sit up and take notice, and their investors to prioritize the security outlays needed to comply. As a result, security investments will be easier to justify, and cybersecurity spending will grow.
These investments will benefit not only consumers but also businesses, through more secure systems and greater customer confidence. In turn, more secure businesses and more confident customers will strengthen the overall economy, which increasingly depends on digital transactions and customer data—identities, payment information, browsing data, and so on.
In the meantime, companies can start shoring up their systems for GDPR compliance before investing significantly more money on security.
Where to start with GDPR-related security
There are two important areas for companies to focus GDPR security, and both center on one of data’s most exploited vulnerabilities, which is also one of the seemingly easiest to tackle: passwords. Measures to prevent password theft and account compromise are critical to keeping customer data protected and a great place for companies to start their GDPR journey.
Password protection is paramount for protecting data. More than 80 percent of hacking-related breaches leveraged weak or stolen passwords, according to the latest Verizon Data Breach Investigations Report.
Even if reminding employees and customers not to reuse passwords seems futile (nearly half of them recycle them on different sites, according to the Pew Research Center), organizations can take various measures to minimize the problem. The latest guidelines from the U.S. National Institute of Standards and Technology for safeguarding passwords, for example, urge organizations to reject passwords that are found on a list of stolen passwords or commonly used ones (those with sequential numbers, for example).
Corporate IT and security teams also need to continuously monitor their systems for signs of criminals using stolen log-ins to compromise accounts and networks. In these “credential stuffing” attacks, criminals use automation to repeatedly try stolen credentials at multiple sites until they find a match that unlocks an account. By detecting these attacks early, companies make the passwords useless and stop the attack chain in its tracks.
Beyond securing their own systems to foster privacy, companies should consider enacting their own versions of the privacy (and thus security-related) regulations that are sure to continue to emerge from government regulators.
As the GDPR shows, government has an important role to play in securing the data of private citizens. Accordingly, even as the GDPR gets set to regulate the handling of customer data in Europe, other governments are considering enhanced privacy legislation of their own, which will require additional security measures to protect user privacy. For example, in the United States, lawmakers have introduced a kind of privacy Bill of Rights that would require companies to seek the consent of customers before sharing their online data.
Forward-looking companies could actually get ahead of the game by enacting their own security Bill of Rights that would address common customer privacy concerns, enhancing trust as well as security. Among other protections, such a policy could promise to obtain consent before sharing customer data with third parties, grant users the ability to withdraw consent to store their data, and spell out the security measures in place for protecting data. This would provide enhanced security and privacy protections for all customers, regardless of geography.
Overall, in the post-GDPR era, security should get the level of investment, attention, and respect it requires to safeguard digital commerce now and well into the future. Companies that lag and resist GDPR not only risk financial and other penalties, they also risk losing consumer confidence and the opportunity to stay with, and even get ahead of, the pack with regard to security and privacy. The companies that will thrive are those that see GDPR as a rising tide that can lift all boats.