On May 25, 2018, the General Data Protection Regulation, better known by its acronym GDPR, came into force. For two years before that – the European Parliament approved GDPR in 2016 – businesses around the world hustled to comply. Fines could go up to €20 million (euros), or 4% of the company’s worldwide annual revenue (whichever was higher)! It made good business sense to be prepared.
Sixteen months after it was enacted, we can evaluate what’s transpired. According to Enforcement Tracker, which maintains a list of GDPR fines imposed within the European Union, 21 countries have applied fines:
Austria, Belgium, Bulgaria, Cyprus, Czech Republic, Denmark, France, Germany, Greece, Hungary, Italy, Latvia, Lithuania, Malta, Norway, Poland, Portugal, Romania, Spain, Sweden, UK
It is important to note that the list provided by Enforcement Tracker is not complete as not all fines are made public (maybe legislation should be changed so all are treated in the same way). The top three fines add up to €365 million.
The fined are people and companies from all kinds of sectors: private companies, municipalities, political parties, hospitals. They range from large media companies and banks to a kebab restaurant and a police officer.
From a business point of view, GDPR may appear unhelpful. Not only do businesses have to worry about the never-ending wave of cyberattacks, authorities may also go after them if they do become a victim. If we look closer at the fines and the reasons behind them, we see that a number of them share the same root. Fines are handed out for reasons such as:
- “Poor security arrangements at the company”
- “Should also have done more to secure its systems”
- “Lack of basic security measures”
- “Unrestricted access to all patient files”
- “Insufficient security measures”
Any business can suffer a data breach. Today it is important to notice that it is each company’s responsibility to protect assets – and one of the most valuable assets is data. Most attackers go after money and, like any business, calculate their return on investment. If security is lax, criminals can steal data quite cheaply for a great ROI.
A few simple steps can protect businesses from both cyberattacks and GDPR fines. (It’s unfortunate that both can seem like threats to businesses. We will grow beyond that.)
Protect all your devices: You might be tempted to install a security solution on your computers, and that’s it. While that’s a step in the right direction, all devices have to be protected: smartphones, routers, and any devices that can be used as a point of entry to your business network. All of them must be protected and monitored.
Patching: Make sure all the software you use in your business is updated. That includes the operating system, all programs installed, drivers, firmware, etc. Cybercriminals will use any known security hole to enter. That again includes not just computers, but all devices that are connected to your network.
Device control: Your network is your responsibility, and therefore nobody should be able to enter it without your permission. Policies that define when and under what circumstances devices can enter the network must be set.
Remote work: It is more popular than ever to work from home, which means businesses allow employees to access their network from around the world. Virtual private networks are a safe solution. Remember to enable two-factor authentication to make sure that even if the credentials are stolen, unauthorized access can be prevented. Different VPN profiles can be created and assigned to users in order to give them access to the network resources they need, but not to the whole network.
Remote desktop: It is common in many companies to use the remote desktop to access a specific workstation or server and control it from elsewhere. That is fine as long as it is only accessible to people who already are in our internal network.
We have to assume that, sooner or later, our network is going to be compromised. We must act accordingly, and look for suspicious activities. We should run periodic penetration tests, find the weak points, and follow recommendations to fix them.
We do not need to see GDPR fines as inevitable, however. As nations settle into more standardized enforcement, businesses small and large will be able to breathe a little easier. Good cybersecurity practices will be rewarded. Safe businesses benefitting from solid security will also be in compliance with what initially seemed like a frightening law.