Unless you’ve been living under a rock for the past two years, you’ll know that come May 25, 2018 the EU will begin enforcing the new General Data Protection Regulation (GDPR), which will create one data protection standard across Europe and could be the most significant regulatory framework to hit organisations since Sarbanes-Oxley in 2002.
Its purpose is to replace the varying implementations across Europe with the intended outcome of a standardised set of expectations about how an organisation must manage and protect personally identifiable information on employees, clients and other applicable data subjects.
There is little doubt that the demands of GDPR will absorb a lot of business resources, time and attention (if they haven’t already done so), and you’re quite likely a little tired of hearing ‘GDPR’ being bandied around the office and across all forms of media.
However, if you’re an IT professional, have you considered re-framing the story-line to promote a strong security agenda for your organisation? GDPR can provide a great opportunity to drive your cyber security agenda hard, based on a pragmatic, holistic and risk-based approach that works to create business enablement as well as regulatory compliance.
The Impact on your business's cyber security approach
Any security threat has the potential to negatively impact an organisation’s brand perception and value; this can span your digital capital, IP, financial assets and your data. Addressing the data security requirements of GDPR comprehensively across systems will not only ensure your organisation protects the privacy of customers and other stakeholders and avoids the penalties laid out in GDPR, but will also establish a valuable competitive advantage by building trust with your clients, stakeholders and end users.
GDPR calls for organisations to limit personal data access to only those users who require specific data to perform their jobs. Organisations must also prove that appropriate network safeguards are in place to protect the privacy of the data. For example, managing the endpoints of a mobile fleet represents a large risk of GDPR non-compliance.
Malware can be inadvertently delivered by trusted employees who access networks remotely using devices that may be unchecked for potential security vulnerabilities. Whether devices are BYOD or company-owned, without sufficient mobility management and security in place, they put the network at risk for viruses and malware every time they connect from an outside unsecured network.
So what does a strong GDPR-compliant security program look like?
A sound security strategy is more than just prevention. Recognising that prevention is not possible 100 % of the time, a knee-jerk reaction of responding to GDPR by simply buying more preventative technology is a mistake.
There are three critical components to a strong security approach: protection, detection and response.
Whilst these should form the backbone of an initial GDPR-focused security program, they should become ingrained in an organisation, becoming the very core of your security operations.
1. Protect
Protection should be based on a set of effective risk-based security controls, put in place after completing a data audit to fully understand where a breach or misuse of data could potentially occur. An evaluation is required to determine whether your infrastructure provides real-time defence and can deal with advanced and persistent threats. Ensure only authorised individuals have access to data systems and that they know their access rights as well as the responsibilities they hold in how they access and use that data. Data assets and processes should be protected with a multi-layered approach using advanced threat intelligence, so that breaching data becomes much more difficult.
2. Detect & Monitor
Successful detection requires enhanced visibility across the entire enterprise: network, endpoints, mobile, cloud, software as a service and more. Once an attack penetrates your organisation, it can still remain undetected. GDPR requires the ability to detect data breaches, and these can take place at any given time, day or night. So it’s crucial that you know how to prioritise and respond to the alerts from a security platform such as a SIEM, backed by 24/7 monitoring capabilities that go beyond simply flagging a threat.
Your platforms need to be able to intelligently query and analyse intrusion data so you can pinpoint exactly which systems are compromised, which data has been accessed, how it happened, and how you can repair and restore them. This lets you judge whether a breach that is reportable under GDPR has occurred and which data it affects, or whether you have caught the intrusion in time to prevent in-scope data being compromised. The more precisely you can detect, the more granular and efficient your response can be.
3. Respond
Timely incident response above all requires preparation. It’s crucial that you have an incident response and remediation plan in place, ensuring that all aspects, such as understanding statutory reporting requirements and allocating roles for decision-making, have been thoroughly tested and that the responsible participants are well trained.
With GDPR requiring notification to the regulator within 72 hours of discovering a breach of personal data, time does not allow for reinventing the wheel or for finding out that your incident response plans don’t work. Of course, it’s not all about reporting. Breaches must be contained and remediated, and lessons must be learnt to prevent them happening again, with proper policies and procedures in place to continuously improve governance and accountability.
GDPR isn’t optional and it’s happening – fact is, it’s here! And, the risk of not being compliant is simply too great. It’s an opportunity to review your security programs and take on board a risk-based approach. Ultimately, this approach can be extended to any information that is of value to the organisation, be it intellectual property, personally identifiable information, or any other core data. Irrespective of the asset, a risk driven approach to security is highly beneficial in promoting privacy, business enablement and ultimately – security.
Accelerating & Supporting Your Security Agenda
Acting on the various GDPR challenges, opportunities and implications for your own organisation is vital. Oftentimes, working with a trusted security partner can help make the challenge less daunting and the imminent deadlines less resource crippling.
About Comtact Ltd.
Comtact Ltd is one of the UK’s leading, government-approved Cyber Security and IT Managed Services Providers. We’ve built an envied reputation helping businesses, big and small, transform their security agendas, from providing vulnerability assessments to protecting and defending your systems on your behalf at our 24x7x365 state-of-the-art UK NOC and SOC. Comtact’s team of security experts are on hand with Gartner-leading technologies to help ensure your business is both secure and GDPR compliant.