Companies in the UK are leading their CEO to believe they compliant with GDPR (General Data Protection Regulation), when they actually have significant amounts of unprotected personal data, according to a data virtualisation platform. Delphix spoke to custodians of data to hear what they have to say when it comes to balancing access to data with data security.
Companies are rushing to be more digital and that makes it easier for things to fall through the cracks, and development / testing can become a security minefield as a result, the firm suggests. With so many loosely managed and often unrefreshed development and test environments – on-premises and in the cloud – Delphix spoke to CISOs, CIOs, testers and developers at UK companies.
A finding that emerged was that many businesses are either unaware or worse yet, unperturbed by the non-compliance of their test data – despite GDPR having cemented its position as a key business consideration in Europe. The Vice President at an organisation revealed to Delphix that they do not mark personal data at all. This was further echoed when a developer revealed that he did not know if any of their test data is GDPR compliant at all. And a CISO admitted to telling their CEO that the company was GDPR compliant, despite having terabytes of unprotected personal data in non-production.
Another finding pointed to how many unauthorised personnel within companies were privy to confidential information they shouldn’t have access to. From salary details to private employee details, sensitive personal data is often held in test systems – a recipe for an embarrassing data breach.
One developer Delphix spoke to admitted to finding out the salaries of everyone who works in Accounting because of unmasked HR data. Another developer echoed this with the revelation that the server sitting under their desk contained a multitude of data they should not have access to.
On the other side, it was revealed that those who should be aware of sensitive data were in the dark with a CISO of an organisation disclosing that he had no idea how to find all of the company’s sensitive data and was certain that the vast majority of it is completely exposed.
When trying to get to the root of the problem, Delphix found that a key reason for these bad – and at times non-compliant – data practices was due to frustrated developers who require data fast but aren’t able to get them due to data environments being expensive and time-consuming to create.
A DevOps Engineer let slip to Delphix that he averages 100 Battle Stars on Fortnite while waiting for data. Meanwhile, a tester admitted to spending at least 1 day a week browsing the web because of the time they spend waiting on data.
This points to a significant issue amongst UK businesses the cyber firm says – private data is not being treated with the care that it should be and key decision-makers within organisations are completely unaware of this. Eric Shrock, CTO at Delphix, said these confessions should come as a wake-up call to the C-suite.
He said: “It is clear that the vast majority of top-level execs are blissfully unaware of how easily accessible their highly sensitive data is. Pair that with growing frustration amongst developers looking to acquire data quickly and we have the perfect recipe for disaster.”
