How the GDPR Will Trigger a Shift in Enterprise Operations
More and more enterprises, across different industries, have been integrating data analytics into their business operations. A 2017 market study showed that 53 percent of companies surveyed were using big data analytics, a large leap from only 17 percent of companies in 2015. Digging into data undoubtedly provides valuable insight to enterprises, helping them build successful strategies for the future and tailor their products and services for their market. However, some types of data collected by these enterprises can be sensitive, such as personal data. In response, legislators in some countries have put regulations in place to ensure that enterprises can continue using such data while at the same time protecting the data and its owners.
The EU’s General Data Protection Regulation (GDPR) is one such regulation, and it has set new requirements that will impact the data policies of organizations across the globe. Importantly, even though it is an EU regulation, the GDPR has a long arm that stretches across geographical and industry lines: it applies to any organization that offers goods or services to individuals in the EU or monitors their behavior, regardless of where the organization is established or whether the individuals are EU citizens. For example, organizations that sell manufactured goods to consumers in the EU are affected by the GDPR if they hold personal data about those customers, even if they don’t have a facility in the EU. It also impacts multiple aspects of enterprise operations. For example, the “monitoring” of a customer’s behavior is regulated by the GDPR, as is the everyday collection of data through online portals.
We dive into three different industries to illustrate how wide the reach of the GDPR is, and what enterprises in different fields can do to improve their data protection policies.
Manufacturing
Many in the manufacturing industry have embraced big data, using smart solutions and Industry 4.0 technologies to improve their operations as well as their bottom line. The use of data has increased with analytic tools which give manufacturers valuable and actionable insight.
Manufacturing enterprises also hold different types of data from the extensive network of people and organizations they deal with — subcontractors from around the world, global shipping services, third-party suppliers, and numerous employees. Of course, customer data is also collected, sometimes through the very products they purchase.
Holding all these types of information, and applying different processing and analysis techniques to them, manufacturers who handle the personal data of people in the EU need to be more cognizant about protecting that data. The many data breaches and attacks on insecure industrial control systems show that data protection is a necessary investment for this sector. Unfortunately, manufacturing systems are particularly hard to secure.
In many new manufacturing facilities, the attack surface is broadening as more systems are brought online. A large number of industrial cyber assets — devices and systems — can be found and reached directly on the public internet, with no security in front of the infrastructure. And in many of these factories, systems are developed per manufacturer, calibrated and tailored to its needs, which makes off-the-shelf security solutions hard to integrate.
How can manufacturers do better?
Manufacturers can function as controllers and processors under the GDPR: a controller decides why and how personal data is processed, while a processor handles the data on a controller’s behalf. A manufacturer that collects customer or employee data and analyzes it for its own purposes is a controller; one that processes data on behalf of a partner is a processor, and the two roles carry different obligations. Manufacturers should follow the rules for each role they play — from appointing a data protection officer (DPO) where the regulation requires one to providing employees and customers with more access to and control over their data.
Manufacturers also have to upgrade their security systems to make sure they can meet all the requirements laid out by the GDPR. There needs to be integrated privacy features installed to make sure that the personal data and the processing of that data is secure. In particular, since manufacturers work with many suppliers, protecting the supply chain and employing secure third parties are essential.
Aside from that, manufacturers should also adopt the policy of “privacy by design,” a key concept of the GDPR (the regulation calls it data protection by design and by default). This means that privacy should be built into the infrastructure — a big investment that might mean customized security applications for systems, but a necessary one. Privacy should also be embedded in each application, device, or product made — any hardware and software created should protect the user by default. Privacy features should not simply be bolted on after the fact; privacy must be part of the design process from the very beginning. Not only is this a necessity for compliance (it is part of the GDPR’s provisions, and the regulation applies from May 25, 2018), but it will help manufacturers manage and protect their own data, and the data of their customers, better.
To get an idea of effective layered security and privacy, manufacturers can look at defensive strategies for Industrial Control Systems (ICS). There are also network solutions that can be installed to help keep manufacturers compliant with the GDPR, as well as security solutions that can be installed on manufacturing ICS and SCADA devices to protect them from vulnerabilities that could be exploited to breach the organization.
Network Security
Trend Micro provides a variety of solutions which can be used to protect ICS and SCADA devices, enabling the monitoring of traffic to and from these systems. These solutions are good options for devices running non-standard operating systems or those that cannot support an agent.
- Trend Micro TippingPoint® Threat Protection System is a high-performance IPS appliance that goes beyond next-gen IPS, detecting and blocking network traffic from threat actors attempting to exploit vulnerabilities on ICS and SCADA devices.
- Trend Micro Deep Discovery™ is an appliance that can detect malicious traffic including command-and-control communications that may be found within these networks and associated with a breach. Unusual SCADA traffic can also be identified.
Device Security
Trend Micro provides a variety of solutions which could be installed on ICS and SCADA systems.
- The Trend Micro Hybrid Cloud Security solution, powered by XGen™ security, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads. It includes key capabilities like virtual patching for known vulnerabilities associated with operating systems and applications that may be running on these devices. Application Control only allows known and approved OS/applications to run on these devices. Malware can be detected and removed using multiple technologies, including behavioral analysis and machine learning. Integrity Monitoring can quickly identify any unauthorized changes to critical files or processes.
- Trend Micro Smart Protection Suites include a variety of technologies, including malware scanning, behavioral analysis, and high-fidelity machine learning, to detect and defend against threats, as well as web reputation to detect malicious URLs and command-and-control communications. Vulnerability protection for endpoints and USB device control are also included.
- Trend Micro Portable Security 2™ tool is a malware scanning and cleanup tool designed as a USB flash drive for environments where an internet connection is not available or security software cannot be installed.
- Trend Micro Safe Lock™ software can be used for smart whitelisting protection that can keep the system locked under maintenance, and just allow approved software to be updated.
Transportation
The transportation sector is relying more and more on data to create smooth and comfortable experiences for travelers. Airlines track passengers as they move from connecting flights and “smart ticketing” allows transport organizations to see personal passenger details as well as location. Suppliers along this mobility supply chain are also privy to passenger information. Agencies can share data to create mobility-as-a-service networks, and third parties (like retailers and advertisers) sometimes use passenger data to craft special sales or travel deals. This opens up questions on accessibility — who can see sensitive traveler information? Is the data properly secured?
Also, certain cities have moved to build intelligent transportation systems (ITS), which apply emerging and advanced technologies to improve the efficiency of urban transportation. Part of ITS is collecting data on the movement of vehicles and commuting passengers, then analyzing traffic flow and transit times. These systems create a more efficient and organized transport network, but they are also exposed to different types of cyberattacks. In 2017, storage devices that record data from Washington D.C. police surveillance cameras were infected with ransomware, and some European railway systems were affected by the WannaCry outbreak.
How can transportation companies do better?
A host of different threats can impact modern transportation enterprises, which necessitates better security. The data managed by these companies — including travel patterns, real-time location, passport details, visa information and travel plans — should be collected and protected properly. One big step in the right direction would be complying with the GDPR. Most travel organizations will have to comply with it, since they will inevitably handle the personal data of people in the EU, so the collection, processing, and sharing of this data should follow the requirements outlined in the regulation.
It is important, since the transportation industry is still adopting new technologies, to adopt “privacy by design.” From the ground up, new applications and systems need to be built with privacy in mind. As connected cars gain traction in the automotive sector, applications and built-in systems that use geolocation data for drivers should be designed to keep the data secure. There should be security features that allow drivers to opt out of any geolocation sharing outside of driving purposes, and the automotive companies that store and process the geolocation data should comply with GDPR standards on securing that information.
And since many transportation entities share data, they also have to make sure each organization they work with is aware of and compliant with privacy and data protection standards as well. Under the GDPR, an organization can still be held liable for a data breach from a supplier who processes data for it.
Of course, there are necessary state-of-the-art security solutions that have to be applied to the servers and networks that contain personal data.
Cloud Protection
- The Trend Micro Hybrid Cloud Security solution, powered by XGen™ security, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads. Legacy security products can introduce unforeseen vulnerabilities in virtual and cloud-based environments, impede performance, and compromise compliance.
Network Protection
- Organizations have to be acutely aware of all activities on their networks. Powered by XGen™ security, the Trend Micro Network Defense solution provides world-leading insight into threats, zero-day vulnerabilities and proactive countermeasures provided by Trend Micro Research and the Zero Day Initiative.
Digital Marketing
Data collection and analysis is an integral component of digital marketing today. Marketers are increasingly able to profile their users through the data they collect, and then tailor or automate their marketing strategies to gain a bigger audience. This has become such a widespread practice that the GDPR has already specified rules limiting automated decision-making and profiling of individuals and outlined stricter guidelines for objecting to being profiled for direct marketing.
Marketers have come up with many different ways to gather personal information—online sign-up forms, scanning badges in tradeshows to quickly get details, asking for contact details in exchange for content, and others. Not only is this data collected and processed, but it is sometimes shared with third parties.
Given the number of high-profile data breaches that have occurred, from the Yahoo breach to the Uber and Equifax incidents, securing data becomes a brand issue as well as a security issue. It is a hit to an enterprise’s reputation if a breach occurs, and on the other hand, promoting a more secure data protection system will draw in customers who are looking for better privacy.
How can digital marketers do better?
The GDPR outlines strict rules on how data should be collected and processed, so digital marketers might need to revise and rethink some of the strategies they implement. Specifically, these areas need to be considered:
- Sign-up forms and data capture fields: Language should be specific and clear, stating exactly what the user is agreeing to. Privacy should also be the default (for example, users need to check the box to consent to sharing, not the opposite). And the user should be informed of what specific kind of processing their data will go through and for what purpose.
- User consent: Where an organization relies on consent as its legal basis, the GDPR requires that consent be freely given, specific, informed, and unambiguous — a clear affirmative act, not a pre-ticked box or silence — and explicit consent is required for special categories of data such as health data. Consent must be as easy to withdraw as it is to give, so companies must create a simple procedure for individuals to opt out of processing activities. One major issue is the use of cookies, which have been widely used to track user browsing activities and are sometimes shared with third parties. Enterprises need users’ consent, meeting the GDPR’s standard, before non-essential tracking cookies are dropped.
- Right to be forgotten: The user can request to have his or her personal data erased. This can be complicated, since the company has to provide an easy channel for erasure requests and then locate and delete the data across every system and backup that holds it, including copies held by processors. Google, for example, has had to set up a process to handle millions of URL delisting requests.
- Data portability: According to the GDPR, data subjects need to be able to access and reuse their own data. They should also be able to transfer it across different services. Enterprises need to create a simple process to allow individuals to do this.
- Third party compliance: Marketers have to make sure that any data sharing meets the standards set by the GDPR, and that the organizations they share data with are also compliant with privacy standards. A recent incident involving a Facebook app highlights the value of third party compliance.
Digital marketing companies have to shift to a more privacy-centric standpoint. Their operations have to comply with all GDPR requirements: adopting new policies for collection, setting up new deletion and retention policies, making sure third parties are secure (particularly third-party apps aiding automated marketing), building in-house apps with privacy in mind, and much more. Although it seems like a major overhaul and a definitive shift from what was done in the past, GDPR compliance is a necessary step to take. More than ever, customers are becoming aware of privacy rights and are looking for improvements in security.
Apart from developing more secure processes, marketers should also use effective security solutions that can be applied to the servers and endpoints that contain personal data.
Endpoint Protection
- The Trend Micro User Protection solution, powered by XGen™ security, protects your users against today’s ever-changing threats.
Cloud Protection
- The Trend Micro Hybrid Cloud Security solution, powered by XGen™ security, delivers a blend of cross-generational threat defense techniques that have been optimized to protect physical, virtual, and cloud workloads. Legacy security products can introduce unforeseen vulnerabilities in virtual and cloud-based environments, impede performance, and compromise compliance.
Network Security
- Organizations have to be acutely aware of all activities on their networks. Powered by XGen™ security, the Trend Micro Network Defense solution provides world-leading insight into threats, zero-day vulnerabilities, and proactive countermeasures provided by Trend Micro Research and the Zero Day Initiative. These insightful capabilities can also provide critical information for meeting the 72 hour breach reporting requirement.
Adding new security layers to an enterprise takes time and effort, especially for multinational companies that have to deal with extensive networks and large amounts of data. But it is a much-needed change — there are malicious actors taking and profiting from data caches, customers are more keen on data protection, and more regulations are coming up that require tighter protection for personal data. Approaches and attitudes towards cybersecurity have to evolve and keep up with the tools and practices that enterprises are so quick to adopt.
For an example of what enterprises can do to comply with the GDPR and build better data protection policies, you can find Trend Micro’s journey documented here.