The EU General Data Protection Regulation (GDPR) is finally upon us. That means if your organisation handles data on any European citizens, you will need to pay attention. The good news is that the rising profile of cyber-threats over recent years has brought security to the forefront of business concerns rather than being part of purely IT discussions. However, worrying research has revealed that senior executives shun GDPR responsibility in 57% of businesses.
Given that the GDPR brings the biggest changes to Europe’s privacy laws in a generation, it is worth C-level executives revisiting what they need to know about cyber. It’s key to remember that building a strong security posture requires not only the latest technologies but also a focus on people and process.
Focus on the GDPR
The GDPR is a huge piece of legislation that threatens to impact just about every organisation out there. Its primary aim is to give European consumers greater control over how their data is used — which means placing strict new obligations on organisations to ensure they act in an accountable, transparent manner, bearing in mind key principles such as “data protection by design”.
As well as baking security and privacy into products and services from the start, both data controllers and processors must also ensure that current business processes are fit-for-purpose. Mandatory 72-hour breach notifications put extra pressure on incident response plans and ensure there’s no room to hide if your security is found wanting.
Article 32 is central to the GDPR’s security requirements. It says organisations must take account of the “state of the art” and “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk”. They must do this to “ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services”, as well as to be able to restore in a timely manner after an incident. Regular testing and assessments are also required.
With such a broad set of requirements it can be tough knowing where to start. The first job should be on data classification and mapping, to ensure you know what data you hold, how much of it is “in-scope” and where it’s stored and sent to. Then you can evaluate the processes and security controls in place to protect it and see if they need updating. Aside from encryption and pseudonymisation, the GDPR does not refer to explicit technologies — so that it can remain relevant over the years as tools evolve. That means you need to follow current industry best practices to stay on the right side of the regulators. The GDPR even states that “adherence to an approved code of conduct” or “an approved certification mechanism” may be used to demonstrate compliance.
Current “state of the art” tools and techniques include pen testing and vulnerability management, multi-factor authentication, IDS/IPS, behavioural analysis, network monitoring, advanced cloud security, breach detection tools and many more. Tokenisation, which is related to pseudonymisation, could also help to reduce your risk exposure, although it’s tricky to implement. However, it’s not all about spending millions on new flashy technologies. You must also pay attention to process and policy.
Important foundational policies should address proper inventorying of hardware, software and data — including baselining of systems and establishing standard configuration templates in line with best practices. Shadow IT is also a major and growing risk which must be mitigated. Highly accessible cloud and mobile platforms have led to non-IT staff creating corporate accounts, meaning data is often stored on improperly configured cloud systems or insecure mobile devices. Many of the recent Amazon S3 leaks came about because services were left open by default. Incident response is another vital process that should be developed and tested at regular intervals in the event the worst should happen.
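The inventorying and baselining point above is easiest to see in code. The following is an added example, not code from the article or from SANS: it takes a constructed inventory of cloud storage buckets (names, bucket policy documents and a simplified “block public access” flag, all invented here) and flags the ones whose policy grants access to everyone while the public-access block is switched off, which is the “left open by default” pattern the S3 leaks illustrate. The function names (`find_public_statements`, `audit_inventory`) and the shape of the inventory records are assumptions of this example, and the policy documents are standard AWS policy JSON rather than anything taken from a real account.

```python
import json

# Constructed sample policies (not from any real account).
# An "Allow" to Principal "*" with no Condition makes objects world-readable.
OPEN_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "PublicRead",
        "Effect": "Allow",
        "Principal": "*",
        "Action": "s3:GetObject",
        "Resource": "arn:aws:s3:::customer-exports/*",
    }],
})

# Same grant, but limited to a single (placeholder) account principal.
RESTRICTED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "AccountOnly",
        "Effect": "Allow",
        "Principal": {"AWS": "arn:aws:iam::000000000000:root"},
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::hr-records", "arn:aws:s3:::hr-records/*"],
    }],
})


def _principal_is_public(principal):
    """True when a statement's Principal names everyone ("*" or {"AWS": "*"})."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        aws = principal.get("AWS")
        if aws == "*":
            return True
        if isinstance(aws, list) and "*" in aws:
            return True
    return False


def find_public_statements(policy_json):
    """Return the Allow statements in a bucket policy that are open to any principal.

    Each finding records the Sid, the granted actions and whether a Condition
    block is present (a conditioned grant may still be public, so it is
    reported rather than ignored).
    """
    policy = json.loads(policy_json)
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be written bare
        statements = [statements]
    findings = []
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal")):
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        findings.append({
            "sid": stmt.get("Sid", "<no Sid>"),
            "actions": actions,
            "conditioned": "Condition" in stmt,
        })
    return findings


# Constructed inventory: the baseline says every bucket should have the
# public-access block enabled; the flag here is a simplification of that setting.
SAMPLE_INVENTORY = [
    {"name": "customer-exports", "policy": OPEN_POLICY, "block_public_access": False},
    {"name": "audit-logs", "policy": OPEN_POLICY, "block_public_access": True},
    {"name": "hr-records", "policy": RESTRICTED_POLICY, "block_public_access": False},
]


def audit_inventory(inventory):
    """Names of buckets that deviate from the baseline in the dangerous way:
    a policy open to everyone and no public-access block to catch it."""
    exposed = []
    for bucket in inventory:
        public = find_public_statements(bucket["policy"])
        if public and not bucket["block_public_access"]:
            exposed.append(bucket["name"])
    return exposed


if __name__ == "__main__":
    for name in audit_inventory(SAMPLE_INVENTORY):
        print(f"EXPOSED: {name} -> {find_public_statements(OPEN_POLICY)}")
```

In practice the inventory would be populated from the cloud provider’s API rather than constructed inline, and the audit would run on a schedule so that a bucket created outside IT (the shadow IT case above) is caught before it has been exposed for long; the point of the example is that a written baseline only helps if something checks live configuration against it.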
The insider threat
Alongside process comes people: arguably the organisation’s weakest link. A SANS survey found that 76% of security and IT professionals globally felt the greatest potential for damage comes from a possible data breach involving employees or contractors trusted with insider access. Less than a quarter (23%) thought most damage could be done from third-party attackers outside the company. Whether it’s malicious insiders (40%) or careless employees (36%), the insider risk is clearly top-of-mind for your IT teams. These findings chime with recent Verizon research that found over a quarter (28%) of breaches last year were down to insiders.
Phishing remains one of the key ways for attackers to exploit a lack of awareness among employees to spread ransomware, info-stealing malware and more. It was present in 93% of all breaches investigated in the Verizon report, with email the main entry point. Other common mistakes include visiting malicious websites, storing sensitive information on insecure devices or unauthorised cloud storage platforms, or ignoring security updates which can subsequently leave systems exposed.
Many employees can also expose their corporate network to greater risk by connecting personal devices, and/or downloading content and applications not approved by IT. This is not done out of malice, just a lack of cyber-savvy which the C-suite must work to address.
A first line of defence
Put in place the right training and awareness raising programme and you could turn that weakest link into a formidable first line of defence. It should cover the full gamut of cyber-risks including data classification and handling, desktop security, wireless networks, passwords and phishing, social engineering, malware, file sharing and more. The emphasis here should be on creating a regular series of classes which offer students real-world scenarios to test them. You could do it in a formal classroom setting or simply conduct online modular training sessions. Dedicated cybersecurity training providers can usually provide more effective programmes as in-house teams sometimes lack the resources and know-how.
The most important thing is to understand where people are making mistakes and provide regular feedback to help them learn and grow in confidence over time. Also, ensure any training programme is carried out across the organisation, including temporary staff and contractors. It only takes one misplaced click to land you in trouble. With the right approach, their understanding of cybersecurity policies and procedures will evolve to the point where best practice becomes second nature — creating a culture in the organisation which values data and is aware of the risks lurking inside and outside the company.
That’s what the GDPR regulators will be looking for and that’s the way to help minimise cybersecurity risk going forward.
Sharon Heys, Legal Counsel for the SANS Institute