Why businesses must not assume GDPR compliance in the cloud

You may have noticed that more companies are storing data in the cloud and utilising cloud-based services than ever before. But many are failing to ensure that the data is secured or stored in a compliant manner, placing themselves and their customers at risk from data breaches.

With the European Parliament passing the new General Data Protection Regulation (GDPR) last year, businesses have less than a year before fundamental changes to the way they store and secure data come into effect. As cloud adoption increases, businesses must ensure their service providers are compliant or face a hefty fine.

Many organisations are facing a challenge on their road to GDPR compliance. A study conducted by Gemalto and the Ponemon Institute revealed that 73 per cent of businesses considered cloud-based services and platforms important to their operations. But only 54 per cent believed that their company was handling data stored in the cloud in a secure and compliant manner. The volume of data that appears to be stored outside of compliance puts many businesses and their customers at risk of a data breach.

It seems businesses are assuming that by storing their data in the cloud it is, by default, compliant. This is not the case, and this ‘out-of-sight, out-of-mind’ mentality has contributed to many data breaches around the world. Storing data in the cloud without properly considering security is the same as locking your front door but leaving the garage open. Your enterprise network may be secure, but it means nothing if the cloud isn’t as well.

These issues, coupled with often poor communication of the business need for security, are leaving many companies open to hacks and data loss. However, securing data in the cloud and becoming compliant isn’t difficult, as long as a business asks the right questions and uses the appropriate measures.

The first step a company must take is to assess its cloud requirements, and then select a cloud service provider that suits those needs. There is no blanket service that will work for every business, as the amount of data stored, and the way it is used, will vary dramatically. Spotify, for example, chose Google because of its need for data processing expertise. Microsoft Azure is taking on-premises enterprise solutions into the cloud, offering businesses the chance to access guaranteed best practices, rather than leaving it to internal IT teams to keep up.

Once a business knows what it requires from the cloud, and has selected a provider, it must ensure that the data is secure. It’s all about controlling who can get access. The following security protocols must be included in any cyber security strategy:

  • Two-factor authentication – helps to ensure only those authorised to access data can do so, by requiring the employee to present both something they have (a phone) and something they know (a code or password)
  • Encryption – makes a business’s data unreadable, and therefore useless, to anyone who is not allowed to access it
  • Key management – holds the keys created in the encryption process so that only those who are meant to access the data can do so. Encryption keys are often stored in hardware to prevent them from being stolen

These extra levels of protection are important. Research from the Breach Level Index revealed that, in 2016, just over 4% of all breaches were ‘secure breaches’. This means that when data was stolen, it had appropriate controls and protection around it to make it unusable by the attackers. Businesses increasingly need to adopt the appropriate tools, so that if a breach occurs their customers can rest assured that their data is protected.

In less than one year, companies will have to notify both authorities and affected individuals when a data breach occurs. This means that companies who previously ignored or just swept these breaches under the carpet will no longer be able to do so.

If a company is hacked and deemed to not have implemented sufficient compliance measures – such as end-to-end security process reviews and putting the correct data protection measures in place – the proposed fines are likely to be harsh. The regulation recommends up to 4% of their annual worldwide turnover or €20 million, whichever is greater. Experian, for example, could have been forced to pay up to £192m in fines as their turnover was £4.8bn.

Many in the business community still have their heads in the sand when it comes to learning about and understanding data privacy and data protection laws that apply to their companies. This will no longer be possible, as GDPR is going to affect almost every area of their businesses.

It may seem like a long time from now, but for some organisations the process must start now. When used correctly, the cloud can offer businesses better security than they may be able to afford working alone. But this security is worthless without using proper authentication, encryption, and key management. Once this is in place, businesses can be confident that their data is secured and risk of a breach has been minimised.
