In the movie The Matrix, there is one pivotal scene where Agent Smith has Neo by the neck as a subway train approaches. The dialogue that comes next is genius: “You hear that, Mr. Anderson? That is the sound of inevitability.” In the movie, Neo is able to escape the charging train, but many organizations will not be so lucky, because they face two inevitabilities: cyber attacks and the EU’s General Data Protection Regulation (GDPR). Like the sound of rushing air as an underground train pushes through the London Tube, in the last two months the world has experienced two major cyber attacks and the realization that GDPR compliance is a year away. The question still remains: “What can organizations do to deal with the inevitability of cyber attacks and GDPR?”
No Preparation = No Recovery
Whether you’re dealing with cyber attacks or GDPR, success or failure will come down to preparation. Before you run off and start thinking about a whole mess of shiny new security technology from venture-funded start-ups, step back and look at what the most important asset is: your data. If organizations don’t protect their data, all the security in the world really doesn’t matter much. Whether it’s WannaCry, NotPetya, or answering a request from a data subject to invoke the right to erasure, if you don’t have a handle on your data, you lose.
Dealing with the Inevitable
Responding to the inevitable cyber attack and attempting to meet the latest compliance regulations both require virtually the same level of preparation and planning. Organizations need to first understand exactly where all their data lives, including data in cloud applications and on mobile devices, in order to visualize the full scope of their data attack surface.
Once an organization understands its data attack surface, two things happen. First, it gains a much more comprehensive level of visibility into its responsibilities under various compliance regulations. Second, it gains an understanding of the proportionate security controls required to protect that data.
For example, to be in compliance with Article 17 of the GDPR, an organization that is a data controller and uses cloud services to store EU subject data now knows that it is required to be able to identify, access, and erase that data when an EU citizen requests it. And after a thorough review, the proportionate security controls that are put in place will allow companies to comply with Article 25. In addition, Article 30 of the GDPR requires organizations to have an audit log for all data processed in that cloud application. Many of the security controls required by GDPR will also be tremendously helpful in protecting corporate data from cyber attacks like ransomware.
Proper Preparation Required
Proper preparation requires using a combination of technology and process in order to recover from cyber attacks and/or be in compliance with GDPR. While there are no magic bullets and no one vendor product will solve all problems, Softcat and Druva help organizations use technology to recover from disruptive cyber attacks, recover from breaches, and prepare for GDPR.
Druva and Softcat presented a webinar on “Expecting the Inevitable.” During this webinar, we discussed how to securely protect endpoints and cloud applications, as well as how to manage PII in line with data governance and GDPR.