Google recently hit the headlines when it was fined €50 million by France for violating GDPR. It’s not the only company struggling with keeping to the rules. Just eight months after the introduction of GDPR, the European Commission reports that regulators have received more than 95,000 complaints about possible data breaches. GDPR enforcement is still largely untested in courts and what constitutes a violation – as well as its corresponding penalty – is yet unknown. What is certain is that the pattern of cyber-attacks and insider-led data breaches shows no signs of declining, and that EU countries are actively pursuing violations, with the consequences for errant organisations undeniably severe. It’s time for organisations to stop being perfunctory about data protection and get proactive.
GDPR’s key principles
The GDPR’s seven foundational principles are laid out at the start of the legislation in Article 5 and are intended to embody the standards that organisations are held to in the processing of personal data. Infringements of the basic principles for processing personal data are subject to the highest tier of administrative fines – a fine of up to €20 million, or 4% of annual global turnover, whichever is higher.
Most of the principles outlined are self-evident or fairly well-defined. For instance, the second “purpose limitation” principle is defined as data collected for specified and legitimate purposes and processed accordingly. However, the sixth principle, known as the “security principle”, is relatively vague and undefined and, therefore, a potential troublesome area for organisations.
What is the security principle?
Many organisations are unaware that the security principle exists, let alone what it means in practice. Broadly, the security principle is the “integrity and confidentiality” principle outlined in Article 5(f) and requires that organisations use “appropriate technical or organisational measures” to process personal data in a manner that “ensures appropriate security of the personal data and protects against both its unauthorised or unlawful processing and its accidental loss, destruction or damage”.
According to the ICO, “appropriate technical or organisational measures” can be understood to include maintaining an information security policy and taking steps to make sure that policy is executed, as well as deciding what measures offer the appropriate level of security for processing the data – taking account of what is considered state of the art in data protection and the costs and feasibility of implementation.
Taking appropriate measures to protect against the insider threat
While many organisations have basic cybersecurity measures in place, such as protection against malware, backups for data, and password protected systems, often these methods are focused on protecting against external cyber intrusions. But it’s also essential for organisations to evaluate whether their “technical and organisational” measures are up to snuff with respect to cyber threats that originate from within company firewalls. Insider threats occur when someone with authorised access to critical information or systems misuses that access and breaches data security, either intentionally or accidentally.
Edward Snowden, who stole classified documents, is likely the most well-known face of the insider threat, but many insiders since Snowden, including a disgruntled employee at Morrisons who stole the data of nearly 100,000 employees, highlight the risk that insiders pose to cybersecurity. Recent Ponemon Institute (The Costs of Insider Threats, 2018) research indicates that data breaches caused by negligent and malicious insiders have increased by 26% and 53% respectively in the past two years and the cost of the insider threat to individuals and businesses has only risen. As insider threats become progressively more common and damaging, organisations need to factor the insider threat into their information security measures in order to avoid falling foul of the security principle.
The security principle expressly acknowledges that both the security measures taken and the level of security for processing personal data should be appropriate to the particular circumstances at hand, bearing in mind the risks that processing poses and the costs-versus-benefits of the security measures taken. So, while the security principle doesn’t require that organisations protect against each and every possible threat to the security of personal data, the cost of an insider-led breach should make businesses sit up and take notice.
There are a multitude of tools available that are designed to specifically tackle the insider threat, but no single technology will “cure” the insider threat. Organisations must put together a comprehensive strategy that prevents, detects and responds to the insider threat while still respecting employee privacy.
How to adhere to the security principle by protecting against the insider threat
Preventative measures can include employee cybersecurity training and clear organisational policies that set out the security precautions and restrictions employees should abide by. Detecting insider threats can be challenging, but solutions that provide full visibility into activity, with real-time alerting of suspicious activity, go a long way to identifying questionable behaviour and stopping data loss before it happens. Importantly, such tools can be implemented without infringing on employee privacy. Activity monitoring can be configured to only collect data when triggered by certain specified circumstances – such as browsing inappropriate websites or using prohibited file sharing sites. Monitoring solutions can also be set to record workstation activity in metadata-only mode, providing context around user activity while at the same time anonymising users and user behaviour data. In this way, users and computers are unidentifiable unless suspicious activity is detected, and only then are privileged administrators given access to investigate further.
Transparency is a key requirement of GDPR, and organisations must inform employees about activity monitoring. It’s important to explain to employees how privacy will be protected and why the monitoring is necessary – namely, to protect both the personal data of employees and customers, as well as the data of the organisation.
It is crucial for organisations to keep abreast of serious threats to their cybersecurity, and the insider threat is one that cannot be ignored. Given its significance, organisations need to implement “appropriate technical or organisational measures” to prevent, detect and respond to the insider threat. Though GDPR can seem unwieldy and, at times, difficult to act upon, the key principles underlying the regulation are a valuable guide, and if followed, will keep organisations standing in good stead.