GDPR: securing data is more than just a technology fix, it’s about understanding human behaviour

Neal Lillywhite, VP EMEA Channel at Forcepoint, argues GDPR is about people and processes as well as technology

With just a few weeks to go before GDPR comes into force, resellers and customers alike should now be well on their way towards ensuring they have the necessary processes and security measures in place to qualify as GDPR compliant.

It might seem like a logistical headache right now, but ultimately this regulation will be a real force for good. GDPR is the push all of us have needed to pay more attention to the most important asset our companies have: our data.

If the last year has shown us anything, it’s that data can be extremely vulnerable and leave both companies and their people exposed when breached. Protecting this data against potential attacks, whether they are accidental or planned, will be critical for businesses operating in an increasingly information-centric age. 

A full business approach

In my role at Forcepoint, I’m often asked about what this protection looks like. My reply for businesses is that it becomes much easier to prepare for GDPR when you understand that, as the old saying goes in our industry, it’s about people, process and technology. The steps you should take towards full compliance have to be seen as part of a full-business approach, and not just an overhaul of your workplace technologies. Technology alone will not keep your business GDPR compliant.

From a channel perspective, what we’re hearing from our partners is that more customers are beginning to understand this nuance and want more support on how to appropriately collect, store and manage their data, as well as safeguard how their staff engage with it. Customers are beginning to better understand the significance of user behaviour and how it could affect the future of their business, and are consequently keener to treat the behaviours and motivations of employees as a strategic cornerstone of their contemporary security plan.

Only human

It’s little wonder. Whether intentional or accidental, human behaviour is the biggest threat to a company’s security, with an eye-watering 81 percent of data breaches caused by the hijacking of user credentials by hackers to gain access to internal systems. Businesses can spend substantial sums on the latest cybersecurity technology designed to identify and mitigate threats when they emerge, but they will always be at significant risk if they do not find ways to independently account for the unpredictability of human behaviour. The winning combination for a post-GDPR security plan therefore requires a blend of the appropriate cybersecurity technology with a human-centric approach to workplace security, which can help businesses more accurately understand and troubleshoot suspicious employee activity in real time.

The major benefit is that by being able to analyse different types of user behaviours, whether that’s access to cloud-based apps, connections from unknown devices or attempts to visit websites hosting malicious code, businesses can prevent potentially risky incidents from ever taking place.

When it comes to protecting against GDPR violations, this ‘real-time’ factor could not be more significant. Avoiding potentially astronomical financial penalties will come from the ability to stop risks in their tracks before they become incidents; it’s these incidents that could ultimately prove so expensive for the business at fault.   

A marathon, not a sprint

When watching a race, we know for a fact that not every runner on the track will cross the finishing line at the same time. Some will inevitably arrive later than others, and when it comes to GDPR compliance, what we’re also hearing from partners is that some of their potential customers haven’t yet given much thought to preparations for the penultimate week of May.

Leaving it late might not appear risky on the surface, but could invite serious issues when GDPR comes into effect. Resellers now have a responsibility to convey to customers that the regulations are far more complex than they might first appear, and it can take a significant amount of time to ensure every box is successfully ticked. The sooner businesses take a long-term view of the regulation, the better. 

Dazed and confused

Many initial violations will likely come from ill-prepared businesses confused by the more intricate articles within GDPR. This is more likely if they did not give themselves enough time to assess everything properly before the deadline. Everything from failure to comply within a reasonable time to the right to be forgotten/erasure, the right to portability, and the right to rectification requirements could be hugely unwelcome surprises.

Confusion around the differences between consent and legitimate interest for processing could also be a shock – GDPR requires a data subject’s consent with a transparent purpose defined before data can be collected.  Legal guidance on successfully justifying this consent for legitimate business interest can be hugely complicated, and take a vast amount of time to navigate depending on the size of the business involved and its geographical footprint.

There are resources which can make the process easier. Forcepoint has worked in partnership with legal firm Hunton and Williams to produce a whitepaper outlining the steps and guidance businesses can take now to help them on their way to GDPR compliance ahead of the deadline. The report can also double as a checklist for those who are well on their way through the process, or feel they might have more to consider before they can call their compliance plans complete.

A look ahead

Technology vendors and resellers have a key role to play in ensuring that businesses have everything they need to be able to safely navigate the upcoming deadline. This can take many forms, such as the implementation of a data loss prevention (DLP) solution which can offer security focused on people’s interaction with data (including in creation, storage, email, webmail, personal devices and cloud applications). It could be a reminder that the clock is ticking far faster than it may seem. Or it could even be consultative direction on the tools that can help more accurately understand where risks for violation may lie inside the business. Solutions such as Forcepoint CASB (cloud access security broker) are particularly well suited to this, helping eliminate blind spots by offering visibility into – and control over – users’ devices and cloud apps, allowing businesses to better understand the rhythm of their people and the flow of their data.

So long as we play our part to ensure that these businesses prepare with three pillars front of mind – people, process and technology – the regulation deadline, and life after it, will all feel far easier to live by. Let’s just all ensure that we don’t leave it too late.