Maren Winter - stock.adobe.com
Dutch organisations invest heavily in compliance – but in vain
Despite the fact that companies in the Netherlands have invested heavily to comply with GDPR legislation introduced two years ago, 90% of them are still discovering fundamental weaknesses in their IT environment
A lack of cooperation between IT, operations and security teams is the biggest stumbling block to General Data Protection Regulation (GDPR) compliance in the Netherlands.
Unified endpoint management and security supplier Tanium investigated the country’s state of compliance with GDPR two years after the EU law was introduced.
The most striking conclusion from Tanium’s study was that big expenditure does not lead to better compliance. Despite spending millions on compliance programmes, more than 90% of Dutch companies are discovering weaknesses in the IT environment that make them vulnerable to data breaches and fines.
Wytze Rijkmans, regional vice-president at Tanium, suggested that organisations lack an overview of data security. “There is no unambiguous picture between IT, operations and security,” he said. “At many companies, these departments are siloed so that one team does not know what is happening in the other.”
Rijkmans also said there is a lack of the right tools and platforms. “Organisations mainly work with point solutions, which means there is a lack of complete overview of all end points in their network or cloud environment,” he said. “If you have no insight into which end points are used by whom and what they contain, you are very vulnerable as an organisation.”
Tanium’s global survey, conducted by Vanson Bourne, quizzed more than 750 IT leaders in large companies, including 100 IT decision-makers from the Netherlands. Dutch companies indicated that the introduction of GDPR and other data privacy legislation had led to significant investments in IT security and operations. Last year, an average of €39m was spent by each organisation with more than 1,000 employees.
Also, 90% those surveyed said they had invested mainly in training their employees, 74% said they had hired new talent and 80% had invested in new software or services. The last of those is particularly crucial, said Rijkmans.
Five key challenges for IT in 2020
- Spending big on compliance is the new normal.
- Critical visibility gaps are pervasive.
- Complexity and ‘tool sprawl’ perpetuate the gaps.
- There is a false sense of confidence when it comes to compliance readiness.
- Poor visibility leaves networks susceptible to disaster.
Source: Visibility gap study, Tanium, 2020
“I recently spoke to a customer who said he had hired a new CISO [chief information security officer],” said Rijkmans. “The critical point was that this person had no platform or even tools to work with. As an organisation, you can write all these procedures and create awareness, but if you don’t have an environment that provides insight into your vulnerabilities, all those initiatives will be useless.
“After all, without the right platform, you cannot measure whether people are adhering to the processes and procedures. It turns out that many companies are still struggling with shadow IT. Of course, it is written down somewhere that employees are not allowed to put company information into a Dropbox, but you can assume that it will happen anyway.”
The study also showed that 79% of the organisations set aside an average of €124m for cyber liability insurance and to be prepared for the consequences of a data breach. “This is a clear indication that they know they aren’t compliant,” said Rijkmans. “If you have confidence in your security, you don’t have to put that much money aside just in case. The fact that they do, tells me that many companies realise that they are not secure or compliant.”
And that worries him, especially now that the Covid-19 crisis is making working from home the new reality and will become the norm. “Companies need to combine working from home with their current company environment,” said Rijkmans. “This means that organisations’ vulnerability is increasing astronomically.”
This is especially true when companies have little insight into the end points that are being used. Not every employee has access to a device from his employer, and a lot of private devices are currently being used for work purposes.
“How is that device secured?” said Rijkmans. “What data and applications are on it? What happens when an end point that is used at home comes back on the company network? These are things that you want to understand, from an operational and security point of view, and on one central dashboard.”
Away with the silos
A central dashboard on which both operations and security are made transparent is crucial for success, said Rijkmans. The research showed that many organisations have a false sense of security because they have various tools in place.
“We often hear companies say that they have arranged their security and compliance well, but then it often turns out to be about point solutions and they lack an overview,” he said. “On average, companies use about 48 different tools, but they forget they need insight and overview.”
According to the survey, visibility gaps are being exacerbated by several things – a lack of unity between IT, operations and security teams (39%), limited resources to effectively manage the IT estate (31%), legacy systems that don’t give accurate information (31%), shadow IT (29%) and too many tools used across the business (29%).
A centralised overview that entends beyond the silos of IT, operations and security is the only way to know for sure whether a company is compliant, said Rijkmans. Such an overview can eliminate visibility gaps, such as shadow IT, but also – especially in these times of working from home – games and tools that are downloaded onto unmanaged devices and passwords that are stored in a Word document on a laptop.
“Elements like that are a nightmare for any business,” he added.
The new normal
Rijkmans draws a parallel with aviation. “There isn’t a single pilot who would consider taking off before he has done all the checks and is sure he can rely on his instruments, so that he’s able to fly even with poor visibility,” he said. “But what do we do in our IT landscape? We install small meters for everything – or not – and think: ‘It’s going to be all right’ and then quickly take off without knowing whether we can trust our instruments in the fog.”
Rijkmans sees the coronavirus crisis as a great accelerator for awareness among companies. “They suddenly realise that they’re flying blind on a course they don’t know,” he said.
Currently, a lack of understanding and control of end points is the biggest challenge to complying with GDPR, according to 35% of survey respondents, and the first step in closing these visibility gaps is an IT assessment, said Rijkmans. “If you know where you are, you know where to go and you can start making policy,” he added.
Then it is important to invest in the right technology in combination with processes and procedures, he said. Finally, it is important for companies to realise that this is now the new normal.
“We’ve been working from home for a month or two now, and I don’t expect us to go back to the way things were,” said Rijkmans. “This is the new norm – working from home is here to stay. That means companies have to be prepared for what is coming at them. Every device and end point must be visible, safe and managed, because that is the link to your company and a potential vulnerability.”