GDPR and Patch Management: The Lessons We’re Still Learning from Equifax

Since May 25, when the European Union (EU) began enforcing the General Data Protection Regulation (GDPR), companies of all sizes and across industries have been working to ensure they are in compliance. This scramble has been apparent externally through the updated privacy policy and opt-in messages on websites, but are businesses doing enough internally to protect the security of the personal data they handle?

Looking the Other Way Won’t Protect Your Data

Some companies simply haven’t assessed vulnerabilities or applied patches to the level required by GDPR. As the seventh principle of the regulation states: “Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.” Ignorance will seem considerably less blissful to organizations that face GDPR enforcement: failing to apply patches and close known holes and vulnerabilities isn’t an acceptable excuse for non-compliance. The head of technology policy for the United Kingdom’s Information Commissioner’s Office (ICO) was recently quoted as saying, “We strongly recommend that organizations with affected hardware test and apply patches from suppliers as soon as they are released.”

We Know How This Story Ends

The need to apply patches quickly and effectively to protect against data breaches isn’t a new development. In fact, after the 2016 breach, Equifax ex-CEO Richard Smith blamed one employee’s failure to apply a patch for hackers’ success in exposing more than 160 million U.S., British, and Canadian personal data records. However, a deeper dive into the Equifax breach revealed that poor patch and vulnerability management was an organization-wide problem. So how can companies across the globe learn from the Equifax breach and come into compliance with GDPR?

Use Compliance Requirements to Jump Start Better Security Practices

The hefty fines associated with failure to comply with GDPR (as much as ~$20 million or 4% of a company’s annual global sales revenue, whichever is greater) can serve as motivation for smart companies to step up their patch and vulnerability management. It’s important to remember that these measures are designed to help, not hinder, an organization’s security posture. The businesses investing in audit services and addressing their shortcomings right now will have a head start on meeting future compliance requirements.