With the World Cup in Russia this summer and the Olympics in Tokyo in 2020 further down the line; organizations conducting business around the event will face unprecedented challenges with cybersecurity and data protection. With the rise in data breaches in recent times, it might not be too strong to say that the success of these major international events relies upon the whole country being data security conscious.
Everything from local hotels to travel agents and tour operators will process increasingly large quantities of customer data, including credit card details, making them ripe targets for cybercriminals. This personally identifiable data (PII) will include EU citizen data and so will need to be protected under the EU General Data Protection Regulation (GDPR).
This year alone saw hackers targeting organizations involved in the Winter Olympics in South Korea, whilst last year, a single cyber-attack campaign struck 1,200 hotels in the US, with the aim of stealing customer’s card details. Major entertainment events are now hotbeds for cyber-crime thanks to the treasure troves of information stored by companies in the hospitality sector. Processing everything from email addresses and phone numbers, to credit card details and passport numbers, these organizations hold increasingly valuable PII.
All information has value to someone, somewhere, and the reasons behind its theft can vary greatly. From hacktivism to damaging the reputation of specific organizations to monetary gain, whereby cybercriminals sell the data on the dark web or encrypt it and demand a ransom to the organization to regain access. No industry is immune to cyber-crime, and it impacts any sized company, from the very small to the global enterprise. What’s more, a shift in the value of digital information is driving the types of attacks hackers carry out. Email-borne attacks, activity hijacking, reprogrammed USBs and morphing and evading techniques are all increasing rapidly, all with the common aim of stealing and/or exploiting data.
For overseas companies, securing this information in an increasingly insecure world has grown exponentially more important. With EU citizens flocking to events such as the 2020 Olympics and the FIFA World Cup in Russia, the upcoming General Data Protection Regulation (GDPR) has created an imperative for companies to secure and protect EU citizen data located anywhere in the world.
To be clear, any organization anywhere in the world that processes the personally identifiable information of EU citizens must comply with the regulation or risk facing a fine of up to €20 Million or 4 percent of corporate annual turnover, whichever is greater.
The enforcement of the new data protection law on 25th May 2018 will, therefore, reach far beyond EU borders. While GDPR has received a great deal of media attention, other countries and regions are also putting similar compliance programmes in place – all aimed at keeping citizen data safe, and to grow confidence and trust in online business.
The three step process of GDPR compliance
Compliance is not just about technology. A three-step approach to data protection is critical to success, mitigating cyber threats as well as the more common human mistakes which can result in a data breach. Organizations should look at their existing data protection policies and technologies, find any gaps and augment them:
- All businesses process personally identifiable information. Sales departments will receive passport details and credit card numbers to process booking transactions, the marketing department will use names and email addresses to target audiences, while the finance department will process PII data for both staff, customers, and suppliers. Communicating the value of this information to employees and explaining the risks associated with mishandling it is the first step in securing your data. Reinforcing this with ongoing education and training seminars will create a data security consciousness amongst the workforce that will help organizations become GDPR compliant.
- Ensure employees know what to do day-to-day as well as what they need to do should they believe there to be an issue. For example, if they send an email containing sensitive information to the wrong person by mistake, or a dreaded ransomware message appears on their screen. Create Policies that employees can refer to and that help to guide them in working safely and securely.
- People are both the greatest strength and the biggest weakness for cybersecurity. Encourage a culture of information protection and remember that things do go wrong – don’t shoot the messenger. A rapid response, because people are willing to come forward, is preferable to someone trying to hide a mistake.
- To become GDPR compliant, organizations need to get clear where the information that needs to be protected is located within their network, and how they’re going to protect it. Carrying out a Data Discovery exercise will map the data-flows across the business; where information is coming in, who is using it and where it is being stored. With this information, organizations can gain visibility of where all GDPR relevant data is located (e.g. laptops, desktops, servers, systems etc.) A hierarchical structure can then be introduced, organizing information based on how sensitive it is and implementing policies that dictate who has access to these different types of data.
- Remember, with GDPR, there are also concerns around data flowing into your organization, which can create problems as well. Ensure that data-flows coming into the organization are mapped as much as those leaving. It’s not just about email, but also access (uploads and downloads) through the web, and even onto removable media, such as USB sticks on endpoints.
- The majority of GDPR compliance is about having suitable processes and policies in place, and ensuring everyone in the organization - from the CEO to the receptionist - knows about them. Have a data breach process, as well as how to deal with a ‘right to be forgotten’ request, mapped out and communicated. After this, any other processes needed can be added relatively quickly.
- Technology should be deployed to enforce policies and protect people - both employees, as well as customers.
- In addition to helping you secure your critical information, deploying the right technology will demonstrate your efforts to comply with GDPR. Adaptive Data loss Prevention across email and the web will increase data protection, enforce security policies and provide control and increased visibility of data flowing in and out of the organization. Importantly, it can prevent critical information from leaving the businesses, either intentionally or accidentally, via email or web channels, providing you with a last line of defense in the event of a security incident.
Contact the Clearswift team for a discussion to learn about how we can support your organization with GDPR compliance.