The real and hidden danger of GDPR

There’s a danger lurking within the General Data Protection Regulation which could cost your company money even if you don’t suffer a data breach. How can that be possible? Because your preparedness now probably comes under closer scrutiny than it ever has before, that’s how – and that could come as a big shock…

For just a moment forget data breaches, enormous fines and possibly catastrophic reputational damage, and consider another potentially harmful side effect of breaching the rules of GDPR, which went live across the UK and Europe at the end of May.

It’s this: what do other companies think of you if you’re not able to prove that you are alive to the threat of cyber risks and have taken all reasonable steps to protect yourself – and them – from a data breach?

The reality is that close scrutiny of your response to the GDPR requirements is becoming a regular feature of the due diligence done by large companies in particular before they award potentially lucrative contracts. And if you’ve not taken the necessary steps, you could find yourself out of the race before it’s even begun.

The reason such care is being taken is that, just as no man is an island, nor is a company. Industrial-scale data mining is happening right now, and if one company hasn’t put in place protective measures, that increases the risk faced by others further down the supply chain.

No fit and forget solution
But here’s the rub: there is no ‘one shot’ fit-and-forget certification to prove you have the right security systems in place. Instead it needs to be an ongoing discipline, for one very simple reason: systems change and evolve, which means that what was adequate five years ago almost certainly no longer is.

The best option in the UK is to take on board the Government-backed Cyber Essentials programme, which provides a common standard for the status of company cyber and data security. It’s seen as the closest you can get to an industry standard and requires every company to be able to update its status every year, making it a simple and visible marker that a company is alive to the risks, and is doing what it can to guard against them. It sets out a good baseline of cyber security suitable for any organisation, which, when implemented, can prevent about 80% of cyber-attacks.

So, what’s involved? Certification to Cyber Essentials standards shows that a company has

  • securely configured systems
  • boundary firewalls
  • internet gateways
  • controlled access and admin privileges
  • protection against malware
  • regularly installed patches

The result is that potential clients can see commitment to the spirit and the letter of the regulation. It shows they’re dealing with a company that pays attention to the detail, and what’s more it means a data breach is less likely to occur because of the protocols and rules in place.

The weakest link
Speaking of rules, it’s too easy to overlook the weakest part of any computer network – the people who use it. They’re the ones who will attempt to visit non-approved web sites or will innocently click on the wrong link, and in doing so punch a hole in the carefully built cyber defences.

It’s therefore important that rules are put in place about how computers are used in your business, and that people are properly trained to abide by them. Consider, too, the implications of allowing employees to use their own devices on company networks – what kind of risk does that expose you to? You may have no idea.

In short, expect the worst, and plan for it. And remember that a company which can’t prove it takes data security seriously isn’t going to be the first choice as a trusted supplier, so you can probably kiss goodbye to that major contract which could have made your fortune.