Originating from Europe, I thought I would put a European slant on this first blog post as I join the Clear Skye crew in this exciting next venture. In particular I wanted to share a point of view on how Identity Governance and Administration (IGA) can help organizations become compliant with regulations such as the European Union GDPR.
My question today is this: what if you could reduce the risk of failing an audit under the EU GDPR (or the California Consumer Privacy Act, CCPA) by being able to show that the necessary organizational and technical measures are in place, and YOU can prove it?
Organizations must trust IGA as a guardian control for their cyber security compliance goals. You simply can't afford to ignore this risk: the number of fines, the size of those fines, and the risk to your business and your customers are too great.
I won’t bore you with yet another “here is what GDPR is” post. What interests me, and I hope you, is the question, "Are our information security controls working?" and yes, there is much more to the GDPR than those annoying browser cookie popups!
So what's my point? A simple question really, Dear Reader: "How well do you think we're all doing as a cyber-security industry as it relates to GDPR?"
Well, nobody is going to say "badly", right? So let's look at the published data available to us. At the time of writing, the latest data according to https://www.enforcementtracker.com/?insights shows that €466,666,938 has been issued in fines to date. That's a BIG number in any currency! And many in the industry saw 2019 as the transition year, with enforcement only going to ramp up through 2020 and beyond.
Before we go any further, let's quickly remind ourselves that the EU GDPR applies to any company that processes the personal data of individuals in the EU, regardless of where that company is based. The fines for violating the GDPR are significant: in the worst case you're looking at €20 million or 4% of global annual turnover, whichever is higher.
So what's the largest category of GDPR violation so far, and what's the root cause of these huge fines? Is it unlawful data processing? There are certainly violations in that category, although they only come in at #2 and #3 on the naughty list. The clear leader, by a 'sum of fines' ratio of more than 3:1, is our friend "Insufficient technical and organizational measures to ensure information security". Courtesy of enforcementtracker.com, the sum of all fines within this category (at the time of writing) is €332,962,397 across 62 issued fines.
Let's think about this statistic: the #1 violation type, by value, among all GDPR fines is directly related to information-security control measures.
So, what should you be looking out for in order to avoid such hefty fines, and the damage to your brand and customer confidence that comes with them? You could refer to various expert bodies to see what they say about GDPR, such as the security checklist produced by the United Kingdom Information Commissioner's Office (the ICO): https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/security/
But what's important for us all to recognize is that there's no prescriptive list of cyber controls to implement. The controls you put in place, the very controls that are sadly lacking in many organizations, have to be appropriate to your circumstances and to the risk that your processing poses. So what does that mean exactly? It brings me to some very relevant questions to ask your organization:
- Do you understand the risks that processing and storing personal information exposes you and your customers to?
- Does your company have a published information security policy?
- Does your company have the necessary technical controls in place around the processing of personal data and the level of access that staff have to computer systems (and the data)?
- Does your company regularly train its employees on the importance of information security?
- Does your company have the necessary organizational and technical controls in place to protect your customers' data during processing?
- Does your company perform regular access reviews of these controls, and of people's access? Are these reviews, if you have them, meaningful exercises or just rubber-stamping spreadsheets?
- Does your company have lifecycle processes in place (the organizational and technical controls) for when people join, change role within the company, relocate office, leave, take time off for personal reasons, or work seasonally?
And perhaps the biggest question of them all to answer during an audit being, "Who has Access to What, When, Why and can you prove it?"
This question is at the core of any Identity Governance and Administration investment. If you don't know what your employees (or contractors, suppliers, externals, in fact anyone who has access to these computer systems) have access to, or had access to in the past, then both the likelihood and the consequences of failing a regulatory audit like the GDPR are massively increased.
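To make the "who, what, when, why" question concrete, here is an added example (not Clear Skye code, and not part of the original post) of the reconciliation an access review has to do: cross-check an entitlement snapshot against the HR feed and a per-role baseline, and flag leavers who still hold access, movers who kept entitlements from a previous role, accounts with no HR record, and grants with no approval reference. The HR records, entitlements, role baselines and ticket numbers are all constructed for illustration.

```python
"""Joiner/mover/leaver reconciliation for an access review.

Answers "who has access to what, since when, and why" from two inputs
(an HR feed and an entitlement snapshot) and flags the gaps an auditor asks about.
All data below is constructed sample data, not taken from any real system.
"""
from datetime import date

# Constructed HR feed: employment status, current role and when that role started.
HR = [
    {"user": "alice", "status": "active", "role": "payroll-analyst", "role_since": date(2019, 3, 1)},
    {"user": "bob",   "status": "active", "role": "sales-rep",       "role_since": date(2020, 1, 15)},
    {"user": "carol", "status": "leaver", "role": "dba",             "role_since": date(2017, 6, 1),
     "left_on": date(2020, 2, 28)},
]

# Hypothetical role baselines: the entitlements each role is expected to hold.
ROLE_BASELINE = {
    "payroll-analyst": {"hr-db:read", "payroll-app:user"},
    "sales-rep":       {"crm:user"},
    "dba":             {"hr-db:admin", "crm:admin"},
}

# Constructed entitlement snapshot: who holds what, granted when, approved under which ticket.
GRANTS = [
    {"user": "alice", "entitlement": "hr-db:read",            "granted": date(2019, 3, 2), "ticket": "REQ-100"},
    {"user": "alice", "entitlement": "payroll-app:user",      "granted": date(2019, 3, 2), "ticket": "REQ-101"},
    {"user": "bob",   "entitlement": "crm:user",              "granted": date(2020, 1, 16), "ticket": "REQ-200"},
    {"user": "bob",   "entitlement": "finance-ledger:write",  "granted": date(2018, 5, 1), "ticket": "REQ-050"},
    {"user": "carol", "entitlement": "hr-db:admin",           "granted": date(2017, 6, 1), "ticket": "REQ-010"},
    {"user": "dave",  "entitlement": "crm:admin",             "granted": date(2016, 1, 1), "ticket": None},
]


def reconcile(hr, baseline, grants, as_of):
    """Return one finding per problem in the snapshot; an empty list means every grant is explainable."""
    people = {p["user"]: p for p in hr}
    findings = []
    for g in grants:
        person = people.get(g["user"])
        base = {"user": g["user"], "entitlement": g["entitlement"], "ticket": g["ticket"]}
        if person is None:
            # Account exists on the system but nobody in HR owns it: classic orphan.
            findings.append(dict(base, kind="orphan_account", detail="no HR record for this account"))
        elif person["status"] == "leaver":
            # Leaver process did not deprovision this entitlement.
            findings.append(dict(base, kind="leaver_active_access",
                                 detail=f"left on {person['left_on']}, still active on {as_of}"))
        elif g["entitlement"] not in baseline.get(person["role"], set()):
            if g["granted"] < person["role_since"]:
                # Granted under a previous role and never removed on the move.
                kind = "mover_stale_access"
                detail = f"granted before move to {person['role']} on {person['role_since']}"
            else:
                kind = "outside_role_baseline"
                detail = f"not in {person['role']} baseline; needs a documented exception"
            findings.append(dict(base, kind=kind, detail=detail))
        if g["ticket"] is None:
            # Access exists, but there is no evidence of who approved it or why.
            findings.append(dict(base, kind="no_approval_evidence", detail="no approval reference for this grant"))
    return findings


def who_has(grants, entitlement):
    """The 'who has access to what' answer for one entitlement."""
    return sorted({g["user"] for g in grants if g["entitlement"] == entitlement})


def access_evidence(hr, baseline, grants, user):
    """The 'when and why' answer for one person: each grant with its date, ticket and justification."""
    person = next((p for p in hr if p["user"] == user), None)
    rows = []
    for g in grants:
        if g["user"] != user:
            continue
        in_role = person is not None and g["entitlement"] in baseline.get(person["role"], set())
        rows.append({"entitlement": g["entitlement"], "granted": g["granted"].isoformat(),
                     "ticket": g["ticket"], "justification": "role baseline" if in_role else "exception"})
    return rows


if __name__ == "__main__":
    for f in reconcile(HR, ROLE_BASELINE, GRANTS, date(2020, 3, 1)):
        print(f"{f['kind']:24} {f['user']:6} {f['entitlement']:22} {f['detail']}")
    print("crm:admin holders:", who_has(GRANTS, "crm:admin"))
    print("evidence for bob:", access_evidence(HR, ROLE_BASELINE, GRANTS, "bob"))
```

The point of the shape is that every row in the output is traceable: a reviewer sees the grant, the date, the approval reference and the reason it is (or is not) expected, which is exactly what an auditor asks for, and a spreadsheet rubber-stamp cannot supply.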
Back to enforcementtracker.com: "insufficient technical and organizational measures" is not only #1 by "sum of monetary fines" but, worryingly, also #2 by "total number of fines". So these fines are huge, they're frequent, and they're very real.
As cyber-security professionals, how do we feel about this? Do you think the message is getting through that organizational processes (workflows) and technical measures need to be in place and understood, or is it that they are simply NOT WORKING?
Innovation makes the world a better place. Innovation like Clear Skye IGA. Certified by ServiceNow, the IGA application runs natively on the ubiquitous Now Platform, leveraging your enterprise workflows, your processes and your existing investment in the industry's #1 enterprise platform-as-a-service.
So, once again: what if you could reduce the risk of failing an audit under the EU GDPR or the CCPA by being able to show that the necessary organizational and technical measures are in place, and YOU can prove it?
Here at Clear Skye we invite you to open a dialogue with us and see what the latest innovation-as-a-service in IGA can do for you. IGA that won't take years to deliver, IGA that won't devour your budgets, IGA that won't leave you looking for hard-to-find consultants, IGA that won't resemble a bowl of spaghetti. IGA the better way, IGA the Clear Skye way.