With just over a year left to prepare for the European Union’s May 2018 General Data Protection Regulations (GDPR), enterprises are skeptical of their ability to meet GDPR compliance requirements in the face major IT security risks. That’s the finding of a new global survey of more than 4,200 IT or security professionals.

The GDPR concerns both companies in the EU and any companies processing the personal data of subjects residing in the EU. It requires these companies to define privacy policies, obtain consent for legitimate usage of personal data, and to ensure companies are taking steps to mitigate the risk of damaging data breaches.

To achieve those goals, companies will be required to implement relevant technical and organizational measures such as pseudonymisation, data minimalization, and controls around data collection, processing, storage, and accessibility.

Millennials in particular bring a growing number of mobile apps, devices and new methods of information sharing that pose new security risks, according to the survey conducted by the Ponemon Institute and Citrix. Survey participants were 4,268 IT or IT security practitioners in Australia/New Zealand, Brazil, Canada, China, Germany, France, India, Japan, Korea, Mexico, Netherlands, UAE, the UK and the US.

Generation gaps & other security risks

Some of the top security concerns confirmed in the study are:

  • Poor security deployments: 70% said their organization had made investments in IT security technology that was not successfully deployed (e.g. shelfware).
  • Unapproved and rogue app deployments: 65% of respondents said their organization is not able to reduce the inherent risk of unapproved applications increasing risk, including from shadow IT.
  • Unmanaged data at risk: 64% say their organization has no way to effectively reduce the inherent risk of unmanaged data (e.g. downloaded onto USB drives, shared with third parties, or files with no expiration date).
  • Talent pool is small: Only 40% said their organization is successfully hiring knowledgeable and experienced security practitioners.
Generational attitudes among employees can also be an issue, the study found:
  • 55% of security and business respondents said that Millennials, born 1981-1997, pose the greatest risk of circumventing IT security policies and using unapproved apps in the workplace.
  • 33% said Baby Boomers, born 1946-1964, are most susceptible to phishing and social engineering scams.
  • 32% said Gen Xers, born 1965-1980, were most likely to circumvent security policies and use unapproved apps and devices in the workplace.

The study found that 67% of global business respondents are aware of GDPR, but only about half have started to prepare for GDPR compliance. Companies who do business in Europe need to adapt: 74% of respondents say GDPR will have a significant and negative impact on business operations. 65% are worried about the new penalties of up to 100 million euros or 2 to 4 %of annual worldwide revenue.

Also, over half (52%) of respondents do not feel that their security infrastructure facilitates compliance and regulatory enforcement with a centralized approach to controlling, monitoring and reporting of data.

GDPR compliance strategies

Since GDPR mandates data protection “by design and by default”, compliance is no longer just a choice and results must be defensible, says Citrix Chief Security Strategist Kurt Roemer.

The good news, he says, is that GDPR compliance strategies “can be implemented today utilizing application and desktop virtualization, combined with data containerization and enclaving for mobilization and control over data distribution. Management of sensitive data is further enhanced through digital signatures, digital watermarks, contextual access, information rights management and country or region data protection specificities.”

Citrix offers these four GDPR compliance strategies and recommendations:
  • Whenever possible, centralize apps and data in the data center or cloud so sensitive enterprise data is not stored on devices.
  • When sensitive data must be distributed, mobilized or utilized offline, ensure it is protected in a secured enclave.
  • Precisely control access to resources with context-aware policies based on user, device, location, application and data sensitivity.
  • Provide visibility and management capabilities that unite your entire IT infrastructure to deliver application and data-specific security.

In short, look for “a simplified approach that delivers compliance and strengthens security without impeding productivity,” says Roemer.

Citrix is a 2016 Mobile Star Awards Sponsor and Winner in multiple categories.