The consequences of a customer or company data breach can be catastrophic to a business of any size. The resulting damage to reputation, customers, and the bottom line is just the tip of the iceberg. Businesses could also pay enormous penalties imposed by strict new compliance regulations. As firewalls are no longer enough to protect your data, businesses must implement multiple layers of protection down to every network endpoint—from PCs to printers—to build their defenses and address compliance requirements.
In today's tech-enabled world, device proliferation is leading to complex multi-device and multi-platform infrastructures as businesses continue to focus on becoming mobile organizations and meeting the demands of their workforce. Every one of these devices is an access and exit point for company data and can come at a security cost. One of the biggest challenges facing companies today is how to control and secure data without disrupting business operations. Increasingly, data is being held and processed beyond the firewall boundaries, making the task of securing data more difficult for network defenders.
The rise of cyber attacks has resulted in a wave of strict new data security regulations, which are important to businesses around the world. New directives, such as the EU General Data Protection Reform Act (GDPR), are not just relevant to organizations based in the EU but apply to any organization collecting data from EU residents.
The EU GDPR warns businesses of significant fines if they are found to be noncompliant in the aftermath of an attack. These fines come on top of the financial damage caused by the data breach itself. Other regulations, such as the directive on security of network and information systems (NIS Directive), impose new network and information security requirements on operators of essential services and digital service providers (DSPs). Organizations will be required to report certain security incidents to competent authorities or Computer Security Incident Response Teams (CSIRTs).
Some countries are also implementing these regulations ahead of their enforcement. For example, the Netherlands introduced the Breach Notification Law in January 2016, which makes reporting breaches to a newly independent Data Protection Authority mandatory. Failure to comply can lead to administrative fines of up to €810,000 or 10 percent of annual net turnover. The pressure is high.
Key requirements of the EU GDPR
- Businesses must comply if they collect data in the EU. If an organization collects and uses personal data in the EU, it needs to comply. This covers people buying goods and services, as well as monitoring customer behavior in order to use that data. For example, if your business tracks online activity to improve customer targeting, every device that can access that customer data must be secured, even if your business is based outside the EU.
- Businesses must be meticulous in maintaining documentation. The requirements for maintaining documentation, conducting impact assessments, and reporting breaches are time-consuming. Every time a new device is added to the network, it should be secured according to your policies and monitored by a SIEM (Security Information and Event Management) tool to track issues, enable remediation, and support compliance reporting.
- Businesses must report a breach within 72 hours. Businesses must notify the Data Protection Authority without undue delay and—where feasible—within 72 hours. If they do not, a reasoned justification must be provided. This new requirement has been introduced to protect the right of individuals to know what is happening with their personal data and to understand whether the organizations that hold their data have the correct procedures, tools, and products in place to monitor, identify risks, and stop attacks in order to protect customer data.
- Businesses will pay heavy penalties if they do not comply. The new regulation introduces a tiered approach to penalties, and the severity of the breach will dictate the size of the fine. The maximum penalty could be 4 percent of a company's annual turnover, up to €20 million [1]. As mentioned, in some countries, like the Netherlands, even steeper fines have been introduced—up to 11 percent of annual revenue [2].
How can IT teams ensure PCs and printers are compliant?
When it comes to PC and printer protection, there are practical steps to take to ensure your endpoints comply, in preparation for the introduction of these new regulations.
- Prepare for compliance audits. To prepare for a compliance audit, IT teams should ensure they can effectively monitor their entire IT infrastructure, including endpoint devices, like PCs and printers. They should also schedule regular assessments to keep every endpoint device, including the entire printer fleet, in compliance with the policy.
- Carry out a complete audit. IT teams must identify every device that can access their company and customer data and assess the level of security it has built in. It's also recommended they use a fleet security management tool that can immediately identify new devices and automatically apply corporate security policy settings.
- Embrace security by design. IT teams must put the right IT policies in place so that compliance requirements are not an afterthought but an intrinsic way that new devices and services are introduced into the network. Ensure you are able to monitor every device, including your printers, and feed anomalies or incident information into your network-wide vulnerability assessment and monitoring tools, like a SIEM tool.
For more information on how to implement layers of security that include every endpoint on your network, start with the Center for Internet Security Critical Security Controls, a handy checklist of the top security actions.