When we were young, most of us held the belief that what we couldn’t see couldn’t hurt us. We huddled in bed with the covers over our heads so we couldn’t see the monsters in the darkness, and somehow limiting our vision this way helped us feel safe.
As adults, we understand that ignorance isn’t protection, and being unaware of what’s out there doesn’t keep us safer. And yet, too many IT organizations can’t tell you what data lives on their employee’s devices. “Well, that doesn’t matter,” some IT leaders will say. “All of the valuable data in our company is on the network.”
Code42’s CTRL-Z study showed that over 60 percent of corporate data is stored on user endpoints. With the enactment of the General Data Protection Regulation (GDPR) drawing closer every day, turning a blind eye to the data on your employee endpoints could have disastrous results. To protect company assets and meet GDPR compliance standards, organizations need to have a firm understanding of where personal customer data is stored and how it moves through their system. In other words, IT teams need to be able to see where all of their data is created, stored and shared.
GDPR is concerned with the movement of customer personal data, which is broadly defined by the regulation. It’s true that your average employee may not have customer social security numbers on their laptop, but personal information can be anything that might identify an individual, down to phone call metadata. If there’s a one percent chance a piece of data could identify a customer, GDPR requires you to treat it as carefully as you would a credit card number. And like it or not, this type of data does leave your corporate firewalls. Employees take their work home with them all the time; think about the sales rep who brings home background info on a customer to prepare for a big sales pitch.
Your leadership team does this as well. In fact, according to the CTRL-Z report, C-suite executives are the most likely to violate company data security policies. These policies are crucial, but they can’t overcome human nature. You need a data visibility tool to track data no matter where it moves, so if you do get breached, you can account for what information was impacted–and where and how.
Without that kind of data visibility, staying in compliance with GDPR will be a challenge. According to GDPR, companies only have 72 hours to report an incident once it is detected. But if you don’t know where your data lives, you have no way to gauge the impact of a breach. In the event that data is compromised, knowing exactly what has been exposed will make interactions with the regulatory agency much smoother.
It might be tempting to pull a blanket over your head, ignore the data that lives on employee endpoints, and hope for the best. That may have kept you safe from the monster under the bed, but it won’t keep you safe from potential fines for GDPR non-compliance: up to €20 million or four percent of annual revenue, whichever is greater. It’s time to recognize that data protection starts with data visibility.
For more on how data visibility helps companies prepare for GDPR, read the latest article from Code42 Chief Security Officer Rick Orloff here.