The internet economy now accounts for 8 per cent of GDP in G-20 economies. As we become increasingly dependent on technology and as threats to data have become more sophisticated, responses have evolved in tandem. The European Union is introducing new laws to improve confidence, impacting both consumers and businesses. This is a pivotal year for cyber security and data protection in the EU and therefore the UK.
Last year, the EU preliminarily agreed on two new pieces of legislation – General Data Protection Regulation (GDPR) and Network and Information Security (NIS) Directive. GDPR, which replaces the 1996 Data Protection Directive, stipulates rules on protecting EU residents’ personal data. GDPR applies to entities that control or process such data, even if they’re not based in the EU. The NIS Directive establishes security requirements and incident notification obligations for “operators of essential services” and “digital service providers”. Both laws are expected to be published in final form early this year, when implementation timelines start – essentially a period of two years.
The NIS Directive directs member states to ensure that entities in scope take “appropriate and proportionate technical and organisational measures to manage risks” to security of their networks and information systems, and that measures “have regard to the state of the art…” GDPR similarly directs data controllers to implement such measures “with regard to the state of the art” to protect the rights of data subjects, and directs data controllers and processors to implement such measures “to ensure a level of security” appropriate to risk.
Both the NIS Directive and GDPR are opportunities to manage cyber and data protection risks with a new approach. Although the ink is not dry on either law, they refer to “state-of-the-art” processes and technologies. They require companies to identify and manage security risks dynamically. Notification requirements make it essential to prevent incidents before they happen. Retrospective incident detection could be too late, and won’t protect companies from reputational risks and regulatory scrutiny.
Companies will have to keep pace with capabilities to protect EU residents’ personal data and sensitive business data. Chief information security officers and chief information officers face many challenges – identifying and mapping data assets, assessing risk, determining what state of the art means for them, and documenting and continuously improving security policies and practices.
To evolve our digital world continually, we need next-generation capabilities that match the state-of-the-art cyber world, so cyber security empowers trust and enablement of IT
Greg Day, vice president and chief security officer, Europe, Middle East and Africa, for Palo Alto Networks, says: “Businesses have built out security on outdated principles, leveraging people skills as glue holding together fragmented approaches. Challenging businesses to leverage state of the art requires them to re-examine fundamental principles to manage today’s risks and enable modern digital business.
“This requires a conscious decision to focus on preventing business impact, not simply responding to something – next-generation capabilities designed for today’s internet, not the old capabilities on which the internet is based.
“Companies can no longer afford to keep extending what’s broken. They must go back to fundamental principles and adopt a cohesive, automated and integrated single-analysis approach. They must work at internet pace, providing consistent coverage across today’s modern digital world – devices, networks, datacentres and the cloud – leveraging collaborative and automated cloud intelligence and analysis to keep pace with the modern attackers.
“To evolve our digital world continually, we need next-generation capabilities that match the state-of-the-art cyber world, so cyber security empowers trust and enablement of IT.”
