Mimecast comment: GDPR Anniversary
May 2023 by Dr Francis Gaffney, Senior Director, Threat Intelligence and Future Engineering at Mimecast
As the world shifts further into a digital age, today marks the 5th anniversary of the introduction of the EU’s GDPR legislation. In the comment below, Dr Francis Gaffney, Senior Director, Threat Intelligence and Future Engineering at Mimecast, discusses why regulation alone is only part of the challenge when it comes to preventing cyber attacks.
“The 5th anniversary of the introduction of the EU’s GDPR legislation provides a welcome and necessary reminder of the importance of keeping data secure. The EU has played a tremendous role in setting the standard for supranational data protection. In its GDPR, it explicitly requires that sensitive data be protected from unauthorised access. This applies not only to documents stored in CRM systems, databases, and archiving systems, for example, but also to confidential data transmitted by e-mail or via collaboration tools.
Additionally, as we approach the “quantum age”, Mimecast are warning against an increasingly observed methodology of attacks based on the motto "Store Now - Decrypt Later". In other words, threat actors steal confidential information, now, that has been encrypted using common methods. With the aid of quantum systems, they could be able to decrypt this data at a later date (assessed to be in the next 2-5 years), for example technical documents, confidential e-mails, and organisational information.
Our recent State of Email Security found that, globally, the average cost of a data breach is $4.35 million, and it is assessed that 33 billion electronic records are expected to be stolen every year. Furthermore, it is often the case that the damage to the organisation’s reputation and branding dwarfs any fine imposed.
Regulation alone is only a part of the challenge to prevent threat actors from accessing sensitive data in the first place. In order to transform end-user and organisational behaviour, it is key that organisations build a layered approach to cybersecurity resilience, including cybersecurity responsibility, incident response, and awareness training embedded deeply into the culture and spanning across all department disciplines. Only then can organisations reassure consumers that they are safe entrusting their personal information with third parties.”