2018 has been a landmark year for compliance. The spotlight has firmly been on data protection and organisations have had to re-evaluate their entire data handling processes to comply with the recently introduced GDPR.
There’s no doubt that this legislation has been the catalyst for change, however the worrying rise in cyber-attacks has also driven home the importance of safeguarding valuable customer data.
As attacks become more sophisticated, organisations are having to become more proactive in their approach to cyber security to ensure they're equipped to deal with these evolving threats.
This means aggressively defending the data they hold and taking all the necessary steps to ensure they’re not the next breached company to be splashed over the front pages of the news.
Despite this commitment to improved data security, there are a number of problems that organisations may encounter in the coming year that pose a threat to their ongoing compliance.
Below are the top five IT regulations and compliance problems that organisations will face in 2019:
The much publicised GDPR came into effect on the 25th May and lay new foundations for how organisations process and handle data going forward. The legislation has modernised data protection rules and now gives individuals a greater control over who collects and processes their data, what it’s used for, and how it’s being protected.
Organisations must be able to demonstrate compliance with the legislation or face hefty fines of up to 4% of annual global turnover or 20 Million Euros. Fines will also depend on the severity of the breach and if organisations have taken steps to show they are compliant.
However, by no means was the 25th May an end point for GDPR. Demonstrating compliance with the GDPR is an ongoing process and organisations will need to continually identify and address privacy and security risks to ensure they do not fall foul of the legislation.
Organisations have spent the last six months getting to grips with the GDPR and they’re already having to brace themselves for a new EU regulation that will require equal compliance under EU law.
The ePrivacy Regulation is expected to be implemented within the next 6-12 months and it will address advancements in technology and focus specifically on individual privacy relating to electronic communications. This will include data on websites, SMS, email, social networks, blogs, apps, VoIP, video, social media messaging and IoT devices.
Although there is some overlap between the GDPR and the ePrivacy regulation, the key difference is that GDPR covers the handling of personal data in all forms, while the e-Privacy regulation covers electronic communications. Organisations will need to demonstrate full compliance with the legislation or face the same steep fines imposed under the GDPR.
The ePrivacy Regulation will apply to everyone and any country that provisions electronic communication services to the EU, but it’s expected to impact some sectors more heavily than others. Industries such as Marketing, Advertising and the Media will be unable to send promotional material to customers without their prior consent.
Third Party Service Providers
Cyber security and compliance have now become key priorities for organisations, however the one area that tends to get overlooked is that of their third parties. In recent years, it’s become the norm for organisations to use a host of different third-party providers to support core business functions, and often many of these parties will have access to a company’s internal systems and data. This interconnectivity poses a huge risk to an organisation’s security and compliance posture.
Organisations may have iron clad security and defence systems in place, but hackers are only too aware that the easiest way to bypass these defences is to exploit vulnerabilities in third party systems. Typically, these suppliers won’t have the same robust cyber security defences in place and provide an easy weak point to attack.
Some of the biggest cyber-attacks in history are a result of third-party breaches and a recent survey conducted by Soha Systems found that 63 percent of all cyber-attacks could be traced either directly or indirectly to third parties.
Going forward, organisations will need to assess their cyber security from multiple angles and ensure that proper guidelines and systems are adhered to by their external providers. Under the GDPR, organisations are now legally bound to provide assurance to regulators that their third-party service providers are compliant with the new regulations by having good cyber security and privacy controls in place.
Employees may be your greatest asset, but they are also your weakest link. Cybercriminals will often target an organisation's employees as they provide the easiest way to infiltrate a system.
88% of all data breaches can be attributed to human error so it’s vital that organisations invest in high quality cyber security awareness training that will enable staff to recognise the important role they play in safeguarding sensitive company data.
The training will not only educate staff on the range of threats they face internally, but it will also address the cyber security risks faced when working remotely. Remote working can present a serious security risk that can leave an organisation’s IT network, systems and devices highly vulnerable to attack. The information held on mobile devices is extremely valuable to cyber criminals and they will take advantage of any lapses in security to steal this sensitive data.
Effective cyber security awareness training will educate staff, reduce the chance of data breaches occurring, and help build a culture of enhanced security compliance.
For organisations to become compliant, they must defend every access point to ensure that hackers cannot penetrate their systems. One of the main causes of cyber-attacks is unpatched systems. New vulnerabilities are discovered all the time and unless patches are applied, hackers will exploit these vulnerabilities to break into a network.
Patching will ensure that every piece of software used within an organisation is up to date with the most current versions released by the manufacturer. Organisations will need to be proactive in their approach to patching to ensure they are able to detect any vulnerabilities before a hacker does.
MetaPrivacy has been designed to provide the best practice approach to data privacy compliance. Contact us for further information on how we can help your organisation improve its compliance structure.