If your company stores or processes data and information concerning citizens of the European Union (EU), then the answer is yes.
You are probably at least somewhat familiar with the General Data Protection Regulation, commonly known as GDPR, which officially went into effect on May 25, 2018. GDPR is a set of provisions that requires businesses to protect the personal data and privacy of European Union (EU) citizens. The intention of the legislation is to provide a unified standard for all 28 EU member states in order to strengthen data protection.
While the directives of GDPR firmly apply to all organizations established in the EU, companies outside of its borders that offer goods or services to EU data subjects, or monitor their behavior, fall under its jurisdiction as well. In other words, EU-based legislation applies to any organization that handles the personal data of EU citizens. This is because GDPR is not directed at companies; it is directed at the data and information of EU citizens. The tentacles of GDPR run deep. If you are a managed services provider in the United States and some of your clients do business with Europe, chances are that you fall under GDPR.
GDPR broadly defines personal data as any information relating to an identified or identifiable person. More specifically, “personal data” under GDPR now includes the following:
- Basic information such as name, address and ID numbers
- Web data such as IP addresses and cookie data
- Health, biometric and genetic data
- Racial or ethnic origin and sexual orientation
- Political views, religious beliefs and union memberships
Although companies have had over two years to prepare for GDPR, the majority of those that fall under its authority are still scrambling to adequately address the ambitious set of rules it establishes. In an April 2018 survey conducted by the Ponemon Institute of over 1,000 companies, half stated that they would not be compliant in time. This is a grave concern because the fines GDPR allows for a company’s lack of due diligence in preventing, or responding to, a breach of third-party personal data can be shocking. For the most serious infringements, companies can be fined as much as 4% of annual global revenue or €20 Million (whichever is greater). That translates to as much as $26 million USD, depending on current exchange rates. Lesser infractions can carry a fine of 2% or €10 Million.
Ironically, these record fines may entice hackers to step up their attacks against GDPR-compliant organizations. Hackers may breach companies to confiscate data only to charge management an extortion fee to hide the breach rather than risk the punitive fines. Just as with ransomware, cyber criminals will figure out the sweet spot at which companies will willingly pay the hush money. There is precedent for companies such as Uber working cooperatively with hackers in order to cover up a breach and make it go away.
Even if your company does not fall under these regulations, many believe that the sweeping legislation of GDPR is a sign of things to come as legislation begins to catch up with technological reality. As an example, the state of California just passed the California Consumer Privacy Act of 2018, which goes into effect in 2020. The regulations mirror many of the strict provisions of GDPR. More mandatory compliance based legislation is sure to come in the future.
No company can protect its data from every possible attack, nor can it guarantee the security of its hosted data. What it can do is perform its due diligence to protect the enterprise, and that starts with removing local admin rights from standard users. Hackers today use a vast tool set of malware to infiltrate your network and exfiltrate your hosted data. When malware runs on a user device, it inherits the rights and privileges of the user who started the session. Granting your users local admin rights therefore grants any malware they run those rights as well. This is a widespread problem: according to a recent survey conducted by PolicyPak and GPAnswers.com, 57% of companies still give standard users local admin rights. Many of these organizations accept the risk for convenience, so that users can install software and printers themselves and reduce the workload for the helpdesk.
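A quick way to find out whether a machine has the problem described above is to audit who actually sits in the local Administrators group. The script below is an added example, not PolicyPak's code; it assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts cmdlets, an elevated prompt, and an allow-list (here only the built-in Administrator account and "Domain Admins") that you would adjust to your own policy.

```powershell
# Added example (not PolicyPak code): report, and optionally remove, standard
# users who hold local admin rights. Assumes Windows PowerShell 5.1+ and an
# elevated prompt; the allow-list below is an assumed policy, not a standard.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    # Group/user names allowed to remain in Administrators (assumption).
    [string[]]$AllowedMembers = @('Domain Admins'),
    # Without this switch the script only reports; with it, removal is attempted
    # and -WhatIf gives a dry run.
    [switch]$Remediate
)

# Group membership cannot be read reliably without elevation, so stop early.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run from an elevated prompt to enumerate local group membership.'
}

$findings = foreach ($m in Get-LocalGroupMember -Group 'Administrators') {
    $shortName = ($m.Name -split '\\')[-1]            # drop MACHINE\ or DOMAIN\ prefix
    $isBuiltIn = $m.SID.Value -like 'S-1-5-21-*-500'  # RID 500 = built-in Administrator
    $isAllowed = $AllowedMembers -contains $shortName
    [pscustomobject]@{
        Name       = $m.Name
        Source     = $m.PrincipalSource   # Local, ActiveDirectory, AzureAD, ...
        Class      = $m.ObjectClass       # User or Group
        SID        = $m.SID.Value
        Unexpected = -not ($isBuiltIn -or $isAllowed)
    }
}

$findings | Format-Table -AutoSize

$unexpected = @($findings | Where-Object Unexpected)
if ($unexpected.Count -gt 0 -and $Remediate) {
    foreach ($u in $unexpected) {
        # ShouldProcess honours -WhatIf/-Confirm, so a preview run changes nothing.
        if ($PSCmdlet.ShouldProcess($u.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $u.Name
        }
    }
}
elseif ($unexpected.Count -gt 0) {
    Write-Warning "$($unexpected.Count) member(s) of Administrators are not on the allow-list; rerun with -Remediate -WhatIf to preview removal."
}
```

Run it read-only first across a sample of endpoints; a long list of individual user accounts flagged as Unexpected is the 57% condition the survey above describes.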
There is a solution, however, that offers both convenience and security in one package. PolicyPak’s Least Privilege Manager gives you the authority to determine which applications are authorized and reject the rest, elevating only the applications that standard users need to run with admin rights. In addition, it forbids users from running applications that you did not install yourself. Least Privilege Manager from PolicyPak lets you self-regulate your enterprise devices in an automated fashion.
GDPR applies to organizations of all kinds, from the largest of enterprises to the smallest of shops. A survey conducted one month prior to the activation date of GDPR showed that 90% of small companies were not prepared for the pending legislation. Security Settings Manager from PolicyPak gives even the smallest companies the ability to secure their non-domain joined machines using Group Policy Security Settings, enforcing some of the same security measures as the largest domain-joined enterprises.
PolicyPak gives you control of your enterprise devices, thus eliminating an attack avenue used to access and confiscate your hosted data. Of course, PolicyPak by itself will not save you $23 Million, but making it a part of your due diligence effort to protect your data and ensure compliance will help you avoid both malicious malware intrusions and costly non-compliance fines.