The General Data Protection Regulation, or GDPR, is due to take effect on May 25. The Internet of Things, or IoT, is growing and evolving even as you read this. And social engineering efforts, such as so-called "phishing" emails, are likely being used right now to gain unauthorized access to a corporate network, perhaps yours or one of your partners'.
These three things share three common characteristics.
- They are significant cybersecurity challenges.
- Your enterprise is almost certainly not fully prepared to deal with any of them.
- They represent significant opportunities to improve cybersecurity, and IT generally, at your organization.
GDPR, IoT, and Social Engineering: A Quick Recap
- GDPR is designed to protect the personal data of individuals in the European Union (EU), a broader category than the personally identifiable information (PII) of U.S. usage, and it applies regardless of where the organization processing that data is located. Companies that handle EU personal data must comply with GDPR, demonstrate compliance on demand, and notify the supervisory authority of a data breach within 72 hours of becoming aware of it. Penalties for non-compliance can be as high as 20 million Euros or 4 percent of an enterprise's annual worldwide turnover, whichever is higher.
- IoT devices are gaining popularity among consumers and within enterprises. However, many ship with little or no built-in security and no practical way to update or patch their software. Each one placed on an enterprise network is therefore a potential foothold that cannot be fixed, only isolated or removed.
- Social engineering, especially phishing email, continues to be an effective route to unauthorized network access. The problem is compounded by easily stolen or guessed user passwords. A respected study found that about one in 14 users was duped into following a malicious link or opening a rogue attachment. The same study found that 81 percent of breaches involved weak, stolen, or easily guessed passwords.
GDPR, IoT, Social Engineering, and Cybersecurity: 4 Things You Need to Do Now
While the challenges summarized here are all different, better overall cybersecurity can greatly improve your enterprise's ability to defend itself against all of them, and others. Cybersecurity experts at agencies around the world, including the Australian Signals Directorate (ASD), the Center for Internet Security (CIS), and the U.S. National Institute of Standards and Technology (NIST), agree. When implemented and managed correctly, four relatively straightforward steps mitigate at least 85 percent of the targeted intrusions ASD responds to, according to ASD's own findings (ASD has since expanded this list into its Essential Eight, but these four remain its core). Those steps?
- Application whitelisting: only software that has been explicitly approved is allowed to execute, so anything else, including the payload a phishing email delivers, is blocked by default.
- Timely, consistent deployment of the security patches issued by the providers of your operating systems.
- Timely, consistent deployment of the security patches issued by the providers of your applications, particularly browsers, office suites, and document readers, which are the usual targets of malicious attachments and links.
- Restriction of administrative privileges. An attacker who phishes a user inherits whatever privileges that user holds, so everyday accounts used for email and web browsing should not carry them, and the accounts that do should be few, separate, and reviewed.
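What checking a host against those four steps looks like in practice, as an added example that is not part of the original article: a small Python audit over a constructed inventory (the binaries, version numbers, advisory dates, account names, and the 48-hour patch deadline are all made up for illustration; nothing is read from a real system). The allowlist decision is keyed on the executable's content hash rather than its name, the patch check compares installed versions against the vendor's fixed version and the age of the advisory, and the privilege check flags both unapproved administrators and privileged accounts that double as someone's everyday account.

```python
"""Constructed audit of one host against the four ASD mitigations listed
above. All inventory data below is made up for the example; nothing is
read from a real system."""
import hashlib
from datetime import date

# ---- 1. Application whitelisting: deny by default, allow by content hash ----

def sha256_of(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()

# Constructed stand-ins for approved binaries (name -> file contents).
APPROVED_BINARIES = {
    "wordproc.exe": b"MZ-constructed-wordproc-build-1.2.3",
    "browser.exe": b"MZ-constructed-browser-build-64.0.1",
}
APPROVED_HASHES = {sha256_of(body) for body in APPROVED_BINARIES.values()}

def may_execute(contents: bytes, approved=APPROVED_HASHES) -> bool:
    """Allow only content whose hash is on the list. The file name and path
    are deliberately not consulted: a rule keyed on them is bypassed by
    renaming or copying a payload, a hash rule is not. A trojanised copy of
    an approved program has a different hash and is also refused."""
    return sha256_of(contents) in approved

# ---- 2 and 3. OS and application patching within a deadline ----

def parse_version(v: str) -> tuple:
    return tuple(int(part) for part in v.split("."))

# Constructed inventory: component -> installed version.
INSTALLED = {
    "os-kernel": "10.0.16299",
    "browser": "63.0.2",
    "wordproc": "1.2.3",
    "pdf-reader": "9.1.0",
}
# Constructed vendor advisories: component -> (fixed version, publication date).
ADVISORIES = {
    "os-kernel": ("10.0.16299", date(2018, 4, 10)),  # already at the fixed level
    "browser": ("64.0.1", date(2018, 5, 1)),          # fix out for two weeks
    "pdf-reader": ("9.1.1", date(2018, 5, 14)),       # fix released yesterday
}
TODAY = date(2018, 5, 15)  # constructed "now" so the example is reproducible

def overdue_patches(installed, advisories, today, max_days=2):
    """Return (component, installed, fixed, days_since_advisory) for every
    component still below the vendor's fixed version once the advisory is
    older than max_days. The 48-hour default is this example's policy value;
    set it to whatever your patch SLA is."""
    findings = []
    for name, version in installed.items():
        if name not in advisories:
            continue
        fixed, published = advisories[name]
        if parse_version(version) < parse_version(fixed):
            age = (today - published).days
            if age > max_days:
                findings.append((name, version, fixed, age))
    return findings

# ---- 4. Restrict administrative privileges ----

# Constructed accounts: name -> whether it is used for e-mail/web browsing.
ACCOUNTS = {
    "alice": {"daily_use": True},
    "alice-adm": {"daily_use": False},   # alice's separate privileged account
    "bob": {"daily_use": True},
    "carol": {"daily_use": True},
    "svc-backup": {"daily_use": False},
}
ADMIN_GROUP = ["alice-adm", "bob", "carol", "svc-backup"]   # local Administrators
APPROVED_ADMINS = {"alice-adm", "carol", "svc-backup"}      # the authorised list

def admin_findings(accounts, admin_group, approved):
    """Flag admin-group members not on the approved list, and approved
    admins whose privileged account is also their everyday (phishable)
    account."""
    findings = []
    for user in admin_group:
        if user not in approved:
            findings.append((user, "holds admin rights without approval"))
        elif accounts.get(user, {}).get("daily_use"):
            findings.append((user, "privileged account also used for e-mail and web"))
    return findings

def audit_host():
    """Run the patch and privilege checks over the constructed data."""
    return {
        "overdue_patches": overdue_patches(INSTALLED, ADVISORIES, TODAY),
        "admin_findings": admin_findings(ACCOUNTS, ADMIN_GROUP, APPROVED_ADMINS),
    }

if __name__ == "__main__":
    print("approved browser runs:", may_execute(APPROVED_BINARIES["browser.exe"]))
    print("phished dropper runs:", may_execute(b"MZ-constructed-invoice.pdf.exe"))
    for key, value in audit_host().items():
        print(key, value)
```

Run as-is, the script blocks the unapproved "invoice.pdf.exe" payload, reports the browser as 14 days past its advisory while the one-day-old PDF reader fix is still inside the window, and flags bob (admin rights nobody approved) and carol (an approved administrator whose only account is also the one she reads email with). Real deployments get the hashes from a signed catalogue or publisher rule, the inventory from the patch management system, and the group membership from the directory; the decision logic is the same.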
Several vendors offer solutions for these tasks. If you already have tools in place for any of them, start with the vendors of those tools, or partners recommended by them. The more you can consolidate and harmonize tools used for these and related tasks, the more flexible and comprehensive your cybersecurity efforts can be.
By starting down a path toward better cybersecurity, you can do more than cope more effectively with threats and get closer to compliance with regulations such as GDPR. Better cybersecurity and protection and management of information about your customers and prospects can even create opportunities for new revenue streams by generating new insights into those customers and prospects.
You and your colleagues should view challenges such as GDPR, IoT, and social engineering as both serious threats and significant opportunities. And you should start addressing them as soon and as comprehensively as possible, with one or more of the basic steps outlined here. In this regard, cybersecurity is a lot like life. There’s no time like the present, and every little bit helps.