Data Privacy and Security

Naked security: Why technology alone can't conquer GDPR

This is a contributed piece by Jason Allaway, VP UK & Ireland at digital workspace specialist RES

In the famous tale of the Emperor’s new clothes, two weavers sell invisible cloth to the emperor; cloth supposedly made of the finest silks and the purest threads. Except, the silks or threads don’t exist. Nor do the clothes. The weavers simply knew what the emperor wanted, and sold him a dream.  

While the Emperor’s new clothes may be fiction, a similar reality is unfolding today in the face of GDPR. Nearly every single company – from delivery firms to mobile network providers – needs to ensure it is compliant with the new regulation. And today’s equivalent of the weaver has appeared. With the increasing demand for GDPR-compliant systems, firms are offering one-size-fits-all solutions to conquer GDPR – something that simply can’t be delivered.

Security isn’t as straightforward as is often promised, because while you can have the most sophisticated of systems, even state-of-the-art organisations can suffer the effects of human error. In fact, your workers are your greatest security risk, and there’s no invisible, technological miracle that can always protect them. 


With this in mind, this article explores the kind of technologies that can secure a large portion of your organisation in the face of GDPR, but also how to deal with the human-based risk to ensure maximum compliance. Because no matter how great the sales pitch is – human nature will always be your greatest compliance risk.

Tackle the technology...

Your technology is the most effective barricade to hackers and breaches – and should be front of mind for any company looking to achieve GDPR compliance. Of course, not all tech is created equal, and the below outlines three of the best options for ensuring compliance.

Automated, context-aware access controls: In today’s workplace, the technology you implement has to understand the mobility and modern working methods of employees. This means a system that is aware of the different devices employees use, whether they are working from home or from other locations, and their roles within the company. And it must not just know these things, but govern which resources each person can access based on their immediate working context, raising or lowering access levels accordingly. Workers are no longer confined to a desktop in the office, and IT leaders must have processes in place that are flexible and agile to match today’s working environment.

Whitelisting with automation: Large-scale cyber-attacks are often launched from rogue emails or documents. Therefore, companies should be employing automated whitelisting and blacklisting, so that files are unable to execute or download if unknown, and threats are blocked immediately. This provides a technological barrier, meaning threats that arrive in your network are defused immediately.

Automated onboarding and offboarding: When GDPR comes into force, it’ll be your responsibility to ensure that all data is protected. It’s worrying to think that more than 13 per cent of workers can still access a previous employer’s systems using their old credentials. This means ex-employees can view, and steal, data whenever they decide to. And a company will probably be none the wiser until they fail an audit. In fact, once an employee leaves an organisation, a risk of a breach arises, as they could take data with them, access it later on, or have their login commandeered by a criminal. Luckily, technology can help squash this risk. By automating the onboarding and offboarding process, workers that join and leave can have their access granted and revoked automatically, preventing former employees from exposing the organisation’s data and systems to extremely high risk.
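One way to check that offboarding automation is actually revoking access, as an added example (not from the original article or from RES): reconcile an HR leaver list against the account inventory of each system and flag logins that are still enabled. The record layout, field names and sample data below are assumptions constructed for illustration.

```python
from datetime import date

# Constructed sample data: an HR export and account inventories from three systems.
HR = [
    {"employee_id": "E100", "email": "a.khan@example.com", "left_on": None},
    {"employee_id": "E101", "email": "b.jones@example.com", "left_on": date(2018, 1, 12)},
    {"employee_id": "E102", "email": "c.li@example.com", "left_on": date(2018, 3, 30)},
]
ACCOUNTS = [
    {"system": "directory", "login": "A.Khan@example.com", "enabled": True},
    {"system": "directory", "login": "b.jones@example.com", "enabled": False},
    {"system": "vpn", "login": "B.Jones@example.com", "enabled": True},
    {"system": "crm", "login": "c.li@example.com", "enabled": True},
    {"system": "crm", "login": "old.contractor@example.com", "enabled": True},
]


def find_stale_accounts(hr, accounts, today):
    """Return enabled accounts that no current employee should hold.

    reason is 'leaver' (the owner's leaving date has passed) or 'unowned'
    (no HR record at all, e.g. a contractor or shared login nobody tracks).
    """
    # Logins differ in case between systems, so match case-insensitively.
    by_email = {rec["email"].lower(): rec for rec in hr}
    findings = []
    for acct in accounts:
        if not acct["enabled"]:
            continue  # already revoked in this system
        owner = by_email.get(acct["login"].lower())
        if owner is None:
            findings.append({**acct, "reason": "unowned", "days_exposed": None})
        elif owner["left_on"] is not None and owner["left_on"] <= today:
            exposed = (today - owner["left_on"]).days
            findings.append({**acct, "reason": "leaver", "days_exposed": exposed})
    # Longest-exposed leavers first, unowned accounts last.
    return sorted(
        findings,
        key=lambda f: (f["days_exposed"] is None, -(f["days_exposed"] or 0)),
    )


if __name__ == "__main__":
    for finding in find_stale_accounts(HR, ACCOUNTS, date(2018, 5, 25)):
        print(finding["system"], finding["login"], finding["reason"], finding["days_exposed"])
```

The leaver disabled in the directory but still enabled on the VPN is the case a single-system check misses, which is why the inventory spans every system that holds its own credentials.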

... but don’t forget your workers

If companies successfully implement the above technology, then they are well on their way to being compliant. However, humans are unpredictable and no technological solution can guarantee that a virus won’t be triggered by a haphazard mistake from an employee. Therefore, alongside purely digital security, firms need to protect their workers and in turn protect themselves. This can be achieved by:

Investing in education: The worst thing a company can do is assume their workers understand cyber threats - because for the most part, they don’t. If an employee sees an email supposedly from their CEO marked urgent, they will more often than not open it and download any attachments. It’s an age-old weakness that has worked for hackers time and time again.

In order to minimise this risk, organisations should provide informative materials and awareness courses on how to spot various threats and social engineering, who to contact when one is received and ultimately how to avoid playing into the hands of a criminal. This way, if an employee does find a suspect email or any other threat, they are equipped to recognise and deal with the situation.

Stamping out “shadow IT”: In addition to education, giving your employees controlled choice in regards to the apps and solutions they use can also help plug security gaps and halt the creation of ‘shadow IT’. In today’s working environment, employees will bring in their own devices, they will want to use their own apps to improve efficiency, and they have no issue with downloading what they want on to the network. But of course, if just one of these apps is malicious, then the whole company is compromised. And it’s not just about what employees bring in; after all, what if data protected by GDPR makes its way onto those personal devices or is stored in a personal app?

To tackle this issue, organisations should provide self-service capabilities. By providing a company culture where workers can request access to apps and services that can then be vetted and automatically delivered, employees are less likely to adopt a DIY ideology, and IT will have a clearer overview of their security status. Implementing controls around the storage and movement of data will also help you avoid additional risk.

Cover all the bases

Ultimately, GDPR compliance can’t be achieved with the flick of a switch. Technology will of course play a central role, and firms have to ensure they have the best solutions in place to protect their data. But security in the workplace is a complicated beast and workers and their processes pose challenges that even the most sophisticated systems can’t predict. That’s why technology has to be supported with a focus on workers – through education and digital support.

After all, just like the poor Emperor, if you rely too heavily on one miracle solution, you could find yourself exposed when the regulators start to enforce GDPR.

