Many organizations worldwide have begun preparing for the General Data Protection Regulation (GDPR), a set of rules created by European lawmakers to enhance data protection and privacy for individuals within the European Union (EU).
GDPR enforcement is scheduled to begin in May 2018, and the penalties for non-compliance are steep—as much as 4 percent of the violating company’s global annual revenue, depending on the nature of the offense Clearly, GDPR compliance is becoming a priority for many organizations—including those headquartered outside the European Union. A 2017 PwC survey of 200 security, IT, and business executives from U.S. companies showed that 92 percent considered GDPR compliance to be a top business priority for their data-privacy and security efforts this year.
Companies are prepared to invest in compliance efforts. The PwC study shows that 77percent plan to allocate $1 million or more to GDPR readiness and compliance efforts; 68 percent said they will spend between $1– $10 million, and 9 percent are expected to spend more than $10 million.
While IT and business executives may have a good grasp on the need to protect their organization’s data in general, perhaps less well understood are the requirements to protect their data in the mobile enterprise.
Mobile represents a significant opportunity for organizations, given the growing number and types of end users, that access organizationally owned or controlled information. As this opportunity also represents increasing organizational risk, it is imperative that companies have a plan in place to protect data that is stored on and accessed via mobile devices. Mobile apps used by workers in the field, such as sales reps, technicians, medical professionals, and consultants, can store massive amounts of personally identifiable information (PII), making them a prime target for hackers and other cyber criminals. Organizations must have a plan in place to protect not only the mobile devices themselves, but also the apps and their data, stored on these devices.
The effort to completely secure the mobile environment is a major challenge, exacerbated by the existence of Bring Your Own Device (BYOD) programs at many organizations. The rise of corporate mobility and cloud means that the traditional corporate perimeter is vanishing, resulting in a lack of visibility into emerging security threats.
For organizations that fall under the GDPR rules—and that includes many companies headquartered outside of Europe—the risks are high. In its report, “Revisit Your Enterprise Mobility Management Practices to Prepare for EU GDPR,” the research firm Gartner Inc. noted that by 2019, 30 percent of organizations will face “significant financial exposure from regulatory bodies due to their failure to comply with GDPR requirements to protect personal data on mobile devices.”
As businesses strive to secure their use of mobile technology to deliver business-relevant outcomes, they need to recognize that device security alone will not guarantee compliance with privacy regulations. As mobile devices become increasingly powerful, the locus of corporate intelligence is moving from the cloud back to the cloud and the edge, i.e. these mobile devices. This means that businesses must focus on securing their mobile apps, rather than simply trying to secure thousands of devices. Mobile apps are especially vulnerable to attack, as they are the dominant form factor by which corporate data is locally stored and accessed, and a large majority of attacks occur at the application layer.
In other words, organizations must be able to protect employee privacy whenever employees are using mobile devices to access corporate apps. They also need to protect customer PII at all times, especially when employees interact with customers using mobile devices. And they need to ensure that the security measures protecting customer information are cost-effective and won’t impede end user experience.
For many organizations, the answer to mobile security has been to adopt a layered approach to cyber security. To protect vulnerable apps, cyber protection implemented layers of mobile security that included the operating system, the device, the device’s users, and the app itself. In an ideal scenario, each of these layers would be foolproof. In reality, however, each has its own set of vulnerabilities.
To ensure compliance and simultaneously boost mobile security, organizations must adopt an app-centric approach to securing access to data from a mobile device. Organizations need to build security into the apps and make the apps the first barricade of protection.
This approach incorporates basic security controls directly into the mobile app. Any data written to a local device and any data that’s sent over a network is encrypted. These controls also enforce internal policies related to strong authentication, data sharing, and device posture.
This app-centric approach has proven to be highly effective in a wide array of use cases, either as an addition to or a substitute for traditional methods that place a burden on the data, service provider, and the end user.
There is so much at stake for organizations as the date for GDPR draws near. There is no doubt that this regulation will have a major impact globally, as companies today are increasingly dependent on a worldwide reach for business success.
Securing the mobile environment is a major component of GDPR compliance, and organizations that make the effort to safeguard data in this environment will be far more likely to avoid penalties for non-compliance. By taking an app-centric approach that secures access to mobile data without the need to manage devices or impede the user experience, organizations will be well on their way to achieving long-term GDPR compliance.
1. “Revisit Your Enterprise Mobility Management Practices to Prepare for EU GDPR,” Manjunath Bhat & Bart Willemsen, Gartner Inc., May 2017.