February is the month of love and this year, businesses have the best opportunity to show customers that they care about them. On the back of multiple, large-scale data breaches in 2017 and in the lead-up to GDPR in May 2018, data protection is a growing public concern.
Despite the portrayed doom and gloom in the news about GDPR, the new regulation will help organizations gain more respect from their customers by protecting their data from potential breaches, often accomplished by hackers targeting the Domain Name System (DNS).
It typically takes 99 days before a data breach is detected. This means organizations have until February 15th, exactly 100 days before May 25th, to ensure they are GDPR compliant. We are calling 15th February 2018 X-Day, short for data exfiltration day.
Businesses currently preparing and adhering to GDPR demands know it brings brand loyalty and commercial benefits. Ultimately, your customers will likely stay in love with you if you treat their data right. With limited time until the deadline, it is time for businesses to fall in love with data protection.
100 days to show your customer that you love protecting their data
At times, due to added responsibilities and reduced time to delivery, businesses find compliance hard to love. You may have read some non-EU companies are delaying plans to comply to GDPR in case the rules are not enforced in their own country, reasoning GDPR will not affect them outside the EU or are in the process of leaving the EU. This is a risky and often false assumption. Cheating in love and in data protection will inevitably end in defeat.
The regulation has been framed around the location of data subject, rather than who is the data controller or processor, meaning this regulation
has global impact if a non-EU registered business handles the personal information of EU citizens. Moreover, February 15th (X-Day) is the important milestone for organizations to be GDPR compliant – sooner than businesses may have originally thought.
Instead of focusing on fines, loss of customers and operating licences, it’s 100 days where organizational culture can change for the positive if they understand what the benefits are. For some organizations who serve fickle customers seeking ever cheaper deals such as retail and telecoms, trust is the key factor when it comes to protecting customer data. This loss of trust, was evident with the breaches at TalkTalk and Target.
Alongside trust, brands consider ‘customer stickiness’, and how loyal customers could be. In banking and healthcare, stickiness can be the difference between using data appropriately to show the real value of offerings and thus creating upsell opportunities, or continuing to flounder and not getting the best out of the data and GDPR.
Data, and the movement of it, underpins most business operations. This means trust in organizations is tied to the reliability and robustness of technology. A popular and relatively easy way for hackers to steal data is through data exfiltration by attacking the DNS server, which cannot be effectively protected by firewalls alone.
Why do hackers love DNS?
GDPR requires notification to local data authorities within 72 hours of a data breach. At the moment, we’re at the tip of the iceberg when it comes to reporting risks to customer data, as only a few companies are reporting. According to our 2017 research, one-in-five (22%) of 1,000 businesses surveyed admitted to data loss following a DNS attack. This year, every single attack will have to be reported to the regulator if personal data has been taken. Sometimes love requires complete transparency to increase trust, and notifying customers early of any breach, regardless of scale or gravity, is certainly one way to prove your intentions.
The number of unreported attacks last year proves that legacy breach prevention technology, such as firewalls, are often blind to data exfiltration. One area to protect is the Domain Name System, as over 90% of current malware uses DNS. This means DNS is an easy vector for hackers because it’s an area sometimes ignored by security or network teams. That is why the WannaCry and Petya ransomware attacks were successful in targeting unpatched systems. Hackers can still exfiltrate data completely undetected.
By first understanding how data can be accessed via DNS, businesses can better prevent more attacks from happening this year and remain compliant to data regulations like GDPR.
It’s time for businesses to start loving GDPR
The introduction of GDPR in May will be a major driving force for businesses to take greater care in safeguarding customers’ data. In order to not only avoid heavy fines, but also strengthen brand reputation and customer loyalty, organizations should look to immediately fortify their data protection strategies. If not already addressed, now is the time for businesses to protect themselves and their customers ahead of the regulatory deadline.
There’s still room for vast improvement for businesses with 100 days to go, but customers are already loving the new regulation as it will protect more of what is precious to them: their data. It’s time businesses do the same and “swipe right” for GDPR, to fully commit to data protection.
To learn more about data protection, GDPR, and how EfficientIP can help your organization prevent the loss of customer data, click here for X-Day resources.