FINAL WORD

GDPR: Time for data audit

The looming deadline for GDPR compliance needs to be viewed as a wake-up call for businesses to relook at their data compliance, writes McAfee's Tarek Jundi.

Tarek Jundi, Managing Director, Middle East and Turkey, McAfee.

With just a couple of months to go, reports and surveys frequently indicate that CIOs and business owners are concerned about, and unprepared for, the General Data Protection Regulation (GDPR). And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR.

While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than approaching it separately and in isolation, recognise that the new regulation has put a price on cybersecurity and secure data management, bringing both to the attention of the C-suite.

This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in shadow IT. According to a recent McAfee Labs Report, almost 40% of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these shadow IT services has dropped year on year.

65% of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud, and more than half (52%) of respondents report that they have definitively tracked malware back to a cloud SaaS application.

For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of the rest of the board, who fear the ramifications of GDPR.

There are specific requirements in the regulation: reporting breaches, reviewing processing in advance, and making sure vendor contracts contain particular language. But GDPR makes a larger and more fundamental requirement: each company must look carefully and studiously at its environment, evaluate the data it holds, and implement measures to ensure a level of security appropriate to the risk.

"Appropriate" and "adequate" are words found repeatedly in the GDPR. The regulation (Article 32) states that, in assessing the appropriate level of security, account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

Remember: this is not legal advice; each company has to decide for itself what it needs to do to comply with GDPR, but I would suggest you consider these steps as ways to get started on the journey:

Scope
Know what you have. We cannot protect what we do not know we have. This is a good time for companies to figure out how and where they hold personal data, and not just that of EU residents, and not just within their EU affiliates.

Protect
Know how you are protecting those assets. Are you doing the basics? Could you do more? Are your peers doing more? Are you enforcing your data classification policy in automated ways, or just expecting employees to know it? Do you delete unnecessary data?

Monitor and detect
Do you have technologies in place, such as encryption, data-loss prevention or anti-virus software, to protect those assets from malicious actors, loss and unwanted leaks? And do you know what to do if something goes wrong?

Review
Do you have a process to make sure that all new applications or cloud services are reviewed, and that you know how you are using them? Are you implementing data protection by design, by thinking of privacy and security at the very beginning of any project?

Repeat
The regulation requires "a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing."

Some of the specifics of what the regulation requires will take years to truly understand, as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR. But at the core of the regulation is knowing what you do with the personal data of your employees and customers, and making sure you have stopped to consider the risks inherent to personal data in your business.