Data privacy regulations are rapidly reshaping the way companies monitor, manage, and even define the data they collect and store. Prior to new privacy regulations put in place by the European Union and the state of California, the data lifecycle focused solely on collection and dissemination. This meant that the enterprise would collect as much information as possible then store it in a way that maximized accessibility, particularly with the rise of mobile. Cybersecurity, when it was discussed, focused on establishing defensive perimeters to mitigate external threats.
However, since GDPR was implemented in 2018 and reinforced by CCPA in 2019, companies have been required to reconsider how that information lives in their organization and identify who has access to it in order to meet basic compliance standards. Security teams that can adapt to the new requirements are critical to tackling the ballooning costs in compliance, particularly as other states and countries look to pass their own privacy regulations.
The CCPA and GDPR have elevated customer data security to become a key priority across multiple departments. Since both laws are in the early stages of implementation and interpretation by enforcement agencies, legal departments have become an essential ally in compliance. In the case of the GDPR, the right to be forgotten has been contested by search giant Google in several high-profile court cases, adding greater nuance and detail to how the law impacts data management. Human resources is also a valuable partner in compliance management as they are best positioned to engage employees on new security protocols and assist in the successful deployment of new technology to ensure that workflow is not disrupted.
Legacy infrastructure increases compliance costs
The CCPA alone is expected to cost enterprises $55 billion in initial compliance costs, with additional costs to be expected in maintenance fees, with IBM’s 2019 Cost of a Data Breach Report states that the average total cost of a data breach increased to an average of $3.92 million in 2019, though in the United States the average cost per breach rose to $8.9 million. Much of that cost is driven by the recovery process, which involves understanding how the system was breached, what information was affected and bringing systems back online. For many organizations, understanding the scope of damage is difficult because current security systems aren’t designed for data visibility or access management, both of which enable security teams to track who has accessed what data and when.
Data visibility is a particularly acute challenge in ERP systems because they contain highly sensitive business data, such as financial information, intellectual property or insurance details. Since ERP systems hold so much valuable data, they’re often the last piece of the digital infrastructure to be updated. This results in security gaps when patches are missed, or new security features are added to a legacy system. The “black box” of ERP systems can cause delays in damage assessments, resulting in the risk of hefty fines as the GDPR requires affected customers to be notified within 30 days of when information is compromised.
Organizations lack tools to comply with “right to know”
Compliance costs have largely been driven by the wave of “right to know” and “right to be forgotten” requests from their users. The right to know establishes the right of the consumer to know exactly what data a company has collected on them, and to download that data. For the enterprise, this requires being able to identify, organize and share all information pertaining to every single user, breaking the black box paradigm that existed before GDPR. Recent research shows that each request is estimated to cost approximately $1,400, quickly adding to compliance costs.
The right to be forgotten allows consumers to request that any data related to them be deleted from an organizations’ database. Though the rule is less broadly applicable than the right to know, organizations should be careful of potential violations in their third-party partners or even of careless practices by employees.
For GDPR and CCPA compliance, outdated and disparate infrastructure also adds major challenges, especially when adhering to the response time limits set out by GDPR. The law requires that organizations respond to right to know requests within 30 days. Yet a global survey of 103 companies worldwide across various industries found that 58% of respondents were unable to meet data access and portability requests within the one-month time limit. One of the main barriers to timely right to know requests was the lack of consolidated, transparent data structures that made finding all relevant information on each individual a costly and long process.
When organizations don’t understand where collected data is or who can access it, compiling a right to know report is next to impossible. Without any means of tracking access within their internal databases, most enterprises have no idea if the personal information of any user has been accessed, copied or stored in multiple places, forcing compliance teams to track down each piece individually and risking fines when request response takes longer than 30 days. Not only does this heighten the likelihood of compliance violations, but also contributes to the rise of insider security threats, particularly in highly sensitive fields like healthcare and finance.
As a result, security and compliance teams have begun joining forces to better understand the lifecycle of business data in the enterprise and how it can be effectively secured.
Regulations align with industry trends
In many ways, the new regulatory pressures brought by the CCPA and GDPR align with emerging trends in cybersecurity. Insider threats are one of the fastest growing trends in data breaches, accounting for 34% of attacks in 2019. Security features that enable granular tracking of user behavior in real-time addresses ensures access management can be done accurately while also adhering to privacy standards set forth by the GDPR and CCPA. As a result, organizations improve both security and compliance because they can be better prepared to respond to insider threats, minimize direct damage caused by a breach as well as void penalties incurred by compromising customer data. With greater means to identify and differentiate users, security teams are also able to increase access controls as well as better understand who has modified data and when.
The GDPR and CCPA have had a significant impact on the public expectation for privacy and security. While security measures like multi-factor authentication (MFA) and complex passwords have existed for years, consumers and developers frequently opposed requiring them due to concerns over adding too much friction to the user experience. With cybersecurity concerns entering the mainstream, many consumers are actively seeking out additional ways to protect and manage their personal data. For the enterprise, this has increased employee’s receptiveness to new security features such as MFA to internal systems. Particularly with complex ERP systems, system administrators can unify the heightened expectations for security created by the GDPR and CCPA to reduce the costs of compliance.
Advanced security tools can address challenges experienced across all departments by supporting secure migrations, enabling better data visibility in new systems, and reducing the long-term costs of compliance. As the security discussion evolves to when not if a hack takes place it is essential to have a holistic program in place to understand what actions will be taken when data is compromised. By hiding their head in the sand, the unprepared enterprise not only risks more damaging attacks but also larger fines. The right security tools can lay the foundation for a program that effectively fulfills the multidisciplinary role of security and engages all necessary experts to protect data and minimize compliance costs.
This article was originally published by CPO Magazine.
On April 19, 2020, Oracle announced on its PeopleSoft Support blog that the company is extending support for the ERP application through 2031. As stated on the blog, Oracle remains “committed to a rolling ten years of support for PeopleSoft. We will review and plan to extend support again next year, and the year after that, so that you have a decade of committed support and can plan your enterprise software investments accordingly.”
This news should give PeopleSoft customers a sense of certainty that investing in the long-term success of their PeopleSoft applications is mission-critical. Thanks to COVID-19, organizations may be concerned about their short-term financial stability. Add in the newfound uncertainly of continuing large-scale IT projects in this climate (like a cloud ERP migration) – organizations have now found themselves looking for ways to reap maximum benefits with the lowest degree of overhead and project completion time.
Three “Home Improvement” PeopleSoft Data Security Projects
With large-scale projects on hold, it’s a good time to invest in smaller-scale projects that focus on what is truly mission-critical today (and for the near future) – PeopleSoft data security. You’re already working hard to secure data while users are accessing remotely and while bandaids may be in place right now, organizations must consider strategies that scale long-term.
Here are three smaller “home improvement” projects that strengthen your PeopleSoft data security posture:
Integrate your SAML Identity Provider (IdP) for Single Sign-On (SSO)
When you count the hours spent managing passwords (80% of help desk calls) or tackling SSO projects using customizations and home-grown solutions, you find that removing the complexity of PeopleSoft password management is an ROI positive project. Add in the lost productivity of users not being able to access business transactions (because they’re waiting for their password to be reset), then the ROI increases. The bottom line, a SAML-configured Single Sign-On for PeopleSoft will make everybody happy. A SAML SSO provides the combination of security and productivity that organizations are striving for. And, given the alarming uptick in phishing attacks – user credentials have become an obvious liability.
Strengthen IAM with Adaptive Multi-Factor Authentication (MFA)
When you’re buying new appliances for a remodeling project, you buy a washer and dryer in pairs. Yes, you can wash and dry your clothes using one or the other, but using both is a better option. Same with applying an adaptive multi-factor authentication (MFA) with your SSO as an effective method for verifying identity. Adaptive MFA ensures that contextual attributes (ex. device, network, location) are the determining factor for deploying MFA challenges. The context of access varies in mobile and work-from-home environments, and your level of control should do the same. This is essential if your users are accessing remotely, as managing authentication (especially for high privilege users) can be challenging.
It is also recommended to expand the use of MFA and apply step-up challenges on transactions that may be considered ‘highly sensitive.’
Real-Time Visibility for User Activity Monitoring and Transaction Logging
Just like a rug can tie a room together, real-time visibility via user activity monitoring and transaction logging can be the perfect complement to your PeopleSoft data security fixer upper. There are a lot of sensitive transactions being executed outside of the office these days, and monitoring user activity gives you a better sense of how your data is being accessed and used.
Invest in Today and Plan for Tomorrow
Now is a good time to take Oracle’s lead in their extension of PeopleSoft support – and alleviate a lot of the complexity around PeopleSoft data security, identity, and access management. Securing remote access with SSO and adaptive MFA today provides significant PeopleSoft ROI – along with applying a strong data security framework that can scale with a myriad of workforce and landscape changes.
Best yet, you can complete these projects in only two to four weeks, and we guarantee you won’t be cleaning up any sawdust when you’re done.
Request a demonstration of the Appsian Security Platform today.
How companies approach data security controls is changing. Segregation of Access (SoAx) is now just as critical as Segregation of Duties (SoD). Who sees sensitive data is just as important as who changes it.
And just to make sure organizations take access controls seriously, regulations such as GDPR are inflicting major penalties for breaches of private data. And soon, it won’t just be about breaches, it’ll also be about fines being levied for data security audit failures.
When GDPR was enacted, there was alot of confusion around the penalties that would be associated with the exposure of sensitive data. Many companies took a wait and see approach in lieu of enacting data protection measures. Especially around legacy applications, such as ERP systems, where the keys to a company’s kingdom are typically stored.
Couple of reasons. Most companies don’t even have a handle where their sensitive data is even stored. And, in addition, most companies don’t focus on regulatory controls until the penalties are real.
GDPR penalties are real. The penalties associated with many of the state-driven data privacy regulations are real. And now we have some guinea pig companies that show just how real they are.
GDPR was enacted in May of 2018. It took a year before the Information Commissioner’s Office (ICO) nailed a company for a breach of sensitive data.
In 2019, British Airways was hit with a proposed fine of $230m for the exposure of sensitive information. Less than a week later, a second culprit was reported. The ICO has proposed a $124m fine to be assessed to the Marriott hotel chain related to the exposure of sensitive data in over 339 million guest records.
But that’s a European regulation that doesn’t apply to us.
We hear that alot. So, let’s talk about some of the recent US-based breaches and their associated penalties.
In 2013, Yahoo was fined $35m by the SEC and paid an additional $50m in a class action suit for a major exposure of customer data.
In 2015, health insurer Anthem was fined $16m for violating HIPAA regulations and allowing the breach of over 79 million customer records. And that was in addition to the $112m they paid to settle a national class action suit.
In 2017, a breach of Target’s customer information was settled for a $18m fine.
Uber, in 2018, was fined $148m for a major breach of driver and rider records. An unusually large fine for that time that was increased due to their efforts to cover up the breach.
The key takeaway is that, while some of those US fines are relatively low when compared to the GDPR offenders, that is changing. With the introduction of the California Consumer Privacy Act and other state initiatives, fines are being structured to follow the GDPR model. That is they will be calculated as a percentage of an organization’s revenue.
All of sudden that $18m that Target paid blows up to hundreds of millions of dollars.
Still want to take a wait and see approach?
Contact us to see how Appsian can help you address your data security controls.