Historically, it has been argued that end users must be involved for a proper security-awareness posture to work – “don’t open attachments,” “don’t click on links,” “don’t print something and leave it at the printer,” “don’t speak in public about sensitive matters” – i.e., the situation that some of our clients still find themselves in today. We can implement all available technical measures in terms of anti-malware, web filtering, badge-authenticated (RFID) release printing, and so on, but at the end of the day we still rely on people’s awareness of how sensitive the information is. And, to be honest, making people aware and encouraging them to respect trade secrets is not that hard.
Neither is making the majority of them instinctively careful with email content (although email-borne ransomware that still requires user interaction to run remains effective). But what about the basic information that is used by millions every hour of every day – personal data?
We can identify all personal data that is processed and stored, all the business processes involved, and all the applications and systems that support them; we can apply data minimization, automatic deletion routines, and so on. The underlying issue lies with the people who have justified, managed access to process that data for its purpose, since that purpose is the business need and the actual reason the data exists in the first place.
Ultimately, we must do everything we can to ensure that we are compliant with the GDPR, including a full SDLC with privacy- and security-by-design and privacy-by-default. However, we also need to spend more time than ever on awareness. If the requirements are not truly understood by everyone who handles personal data, the personal data on any system can be breached, regardless of the technical controls in place.
We surveyed 1,000 executives and 6,000 consumers across eight markets to explore attitudes to, readiness for, and the opportunities of the GDPR. Download the report to read the complete findings: Seizing the GDPR advantage.