With the finable GDPR compliance deadline just weeks away, the vultures are circling – and leading the pack is a group of companies touting so-called ‘cyber insurance’. While the majority of IT security vendors are opting to scare the heck out of organizations with their demands for rip and replace strategies to safeguard personal data, several small business insurers are opting for a sugar pill instead. Both approaches are
Virtually every business is struggling to get to grips with the challenges of the new EU General Data Protection Regulation (GDPR). But the current feeding frenzy, from IT vendors to ‘GDPR data experts’ and, now, insurance companies is, quite frankly, unconscionable.
Offering an insurance policy to ‘transfer the risk’ of cyber security breach is nonsense; and emphasizing the new regulatory reporting demands associated with GDPR is a classic piece of misdirection. Wrapping it up with threats about the number of businesses that fail after a security incident is little more than profiteering.
The fact is that no insurer will insure any company against GDPR breach – the costs, from punitive fines to business loss, are simply too high. Secondly, no insurer will cover any organization that fails to protect its data or assets. Leave the door unlocked and the home owner is not covered in the event of burglary – the same applies to poorly secured data. So just what is ‘cyber security insurance’ actually providing?
Essentially nothing. Worse than nothing, since there is a risk that organizations will mistakenly believe the ‘insurance’ provides extra time to understand GDPR and how it affects the business – rather than invest in a cyber security policy today. In fact, the insurance is nothing more than a business cost – and it certainly will not reduce any risk.
If anything, it may exacerbate the situation; the regulator is looking for a policy, a strategy, a clear direction towards safeguarding sensitive data at rest and in transit – no regulator is looking for an insurance policy!
With just weeks to go now, US organizations should have clear thinking in place regarding securing both data at rest and in transit – but with so many vendors insisting that rip and replace of encryption devices is the only option, it is little surprise that many companies have still failed to make the change.
Just as the concept of cyber insurance is a nonsense, there is also no need to embark on a radical, expensive and disruptive security rip and replace. Finable compliance may arrive on 25th May 2018, but this is not a one-off deadline: regulators fundamentally need to see that companies are on a clearly defined and workable journey towards GDPR compliance – they are not going to radically fine any company that can demonstrate it has taken steps towards improving security.
One of the biggest concerns for businesses – and one that the vultures are leveraging to the max – is the new need to inform both regulator and affected data subjects, as soon as a data breach has been detected, something that is likely to have a devastating impact on business reputation. However, if the data is encrypted, in the event of a breach there will be no need to notify data subjects as the information will not have been compromised.
For many businesses, therefore, it is likely there is nothing wrong with the traditional security and encryption processes being used, provided they have been implemented correctly. It is as and when an organization decides to change the way it processes user data that additional controls and security considerations will be required. The goal is to secure all data in transit regardless of network or service being used – but that doesn’t have to be achieved immediately.
This ethos is exactly in line with current cyber security best practice: The Zero Trust methodology that abolishes the idea of a trusted network inside the corporate perimeter. It assumes that you can no longer trust anything that is within the extended infrastructure – no users, apps or devices. It assumes that the network can be compromised at any time, by anything.
As growing numbers of CIOs recognize these issues, many are starting to push the disaggregation agenda, concluding that service and security should be separate and distinct from the network infrastructure. Indeed, the less knowledge and control over the infrastructure, the more security control and knowledge an organization requires, especially considering the compliance requirements GDPR is set to impose upon businesses.
It is only by embracing Zero Trust and taking that step towards network disaggregation, embracing a truly network agnostic encryption technology that can secure Data in Transit across any IP network, and achieving centralized security orchestration with full data visibility that organizations can confidently achieve GDPR compliance and control over the personal data they hold.
So, forget the insurance, step away from the rip and replace merchants, and embark upon a journey that ensures the business has done everything possible to protect itself – and its customers – from data compromise.
