The EU General Data Protection Regulation (GDPR) extends data protection law to all companies processing data of EU residents irrespective of where the data controller and data processor are based. The penalties for non-compliance could be severe, with fines of up to 4% of annual company turnover or €20m, whichever is greater. The regulation has clearly been designed with social networks and mobile apps as its core focus, but the wording of the law means it can be applied everywhere – including the cloud services that process data, even if they are not the controller of the data. That means everyone must take this seriously and, with less than two years until it comes into force (remember it can affect you even if you aren’t in an EU member state), the time has come to start getting ready for 25 May 2018.
“Where to start” and “what to do” are undoubtedly the first questions you are asking. Here are five key points to focus on to help you toward compliance with this extended legislation:
1. By Design, By Default
This regulation provides a perfect opportunity to make IT security a fundamental practice within your organisation. Data protection by design and by default is a key tenet of the new legislation, which means that data protection safeguards should be built into your products and services from first principles. Don’t start any new project, software development or service without having data protection front and centre of the activity. Anything underway but not yet released, or currently operational, should be reviewed to ensure that DP is covered. Without this kind of diligence, you aren’t going to know if you are in breach until it’s too late.
2. Prevention is Better than Cure
Address the preventative actions first when looking at your DP strategy. Privileged Access Management (PAM), specifically Privileged Password Management (PPM), should be your first port of call to ensure that no-one has direct, unmonitored access to data stores.
- Use capabilities such as approval workflows to include human approvers into the process for accessing potentially sensitive data.
- Record sessions to allow for detailed forensic analysis in the event something does happen.
- Review the recordings frequently and track those reviews, recording who reviewed them and any comments they had.
This will save you a lot of trouble when you are trying to recover from an event and may even allow you to identify the precursor activity before an actual data loss.
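The three controls above (independent approval before access, a recording for every session, and tracked reviews of those recordings) as a minimal working model. This is an added example, not code from the original post or from any product; the class and function names, the session records and the seven-day review window are all constructed for illustration.

```python
"""Added example: approval workflow, session recording and tracked reviews
for privileged access. All names and sample data are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

@dataclass
class Session:
    session_id: str
    requester: str
    approver: str
    target: str
    started: datetime
    recording: Optional[str] = None                      # handle of the session recording
    reviews: List[Tuple[str, datetime, str]] = field(default_factory=list)  # (reviewer, when, comment)

def request_access(sessions, session_id, requester, approver, target, now):
    """Approval workflow: a named human approver, distinct from the requester, must sign off."""
    if not approver or approver == requester:
        raise PermissionError(f"{session_id}: access to {target} needs an independent approver")
    # Every approved session is recorded from the start; the path is a constructed placeholder.
    s = Session(session_id, requester, approver, target, now, recording=f"rec/{session_id}.cast")
    sessions.append(s)
    return s

def review_session(session, reviewer, when, comment):
    """Track who reviewed a recording, when, and what they noted."""
    session.reviews.append((reviewer, when, comment))

def overdue_reviews(sessions, now, max_age_days=7):
    """Session ids whose recording nobody has reviewed within max_age_days (assumed cadence)."""
    cutoff = now - timedelta(days=max_age_days)
    return [s.session_id for s in sessions if s.started <= cutoff and not s.reviews]

def build_sample(now=datetime(2017, 9, 1)):
    """Constructed sample: three approved sessions, only the oldest one reviewed so far."""
    sessions = []
    s1 = request_access(sessions, "S1", "alice", "bob", "db-prod-01", now - timedelta(days=10))
    request_access(sessions, "S2", "carol", "dave", "file-srv-02", now - timedelta(days=9))
    request_access(sessions, "S3", "erin", "frank", "db-prod-01", now - timedelta(days=1))
    review_session(s1, "gina", now - timedelta(days=2), "routine maintenance, nothing unusual")
    return sessions, now
```

Running `overdue_reviews` on the sample reports S2 only: S1 has a tracked review and S3 is still inside the review window.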
Once you have the shared access under control, look to least privilege as a best practice to prevent anyone gaining inadvertent access to sensitive data through rights granted for an unrelated requirement. Good least privilege solutions enable you to know exactly what the user can do, where and when they can do it, as well as giving you the granularity to restrict users to exactly what they need without impacting productivity.
Don’t forget vulnerabilities. Just as you wouldn’t ignore a broken lock on your office building, don’t forget to scan regularly (at least once a week) and fix those vulnerabilities that have published exploits. We see the banner, “It’s not if, it’s when,” at every security conference; those vulnerabilities with known exploits are the ‘when’ in that statement. You only need to look at the Verizon Data Breach Investigations Report (DBIR) to see that most successful exploits are the result of well-known and entirely preventable vulnerabilities. In 2015, for example, that included vulnerabilities dating back to 1998.
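The two rules in the paragraph above, fix known-exploited findings first and make sure every host is scanned at least weekly, applied to scanner output. This is an added example, not code from the original post; the findings list, the CVE-EXAMPLE identifiers and the `exploit_public` field are constructed, and in practice that field would come from your scanner or an exploit-availability feed.

```python
"""Added example: triage constructed scan results by exploit availability and
flag hosts that have missed the weekly scan cadence."""
from datetime import datetime, timedelta

# Constructed scan results (identifiers are placeholders, not real CVEs).
FINDINGS = [
    {"host": "web-01", "cve": "CVE-EXAMPLE-0001", "cvss": 9.8, "exploit_public": True,  "scanned": "2017-08-30"},
    {"host": "web-01", "cve": "CVE-EXAMPLE-0002", "cvss": 5.3, "exploit_public": False, "scanned": "2017-08-30"},
    {"host": "db-01",  "cve": "CVE-EXAMPLE-0003", "cvss": 7.5, "exploit_public": True,  "scanned": "2017-08-15"},
    {"host": "app-02", "cve": "CVE-EXAMPLE-0004", "cvss": 6.1, "exploit_public": False, "scanned": "2017-08-29"},
]

def prioritise(findings):
    """Findings with a published exploit come first (they are the 'when'), then by CVSS descending."""
    return sorted(findings, key=lambda f: (not f["exploit_public"], -f["cvss"]))

def fix_first(findings):
    """The work queue for this week: only the known-exploited findings, highest severity first."""
    return [f["cve"] for f in prioritise(findings) if f["exploit_public"]]

def stale_hosts(findings, now, max_age_days=7):
    """Hosts whose most recent scan is older than the weekly cadence the text recommends."""
    latest = {}
    for f in findings:
        scanned = datetime.strptime(f["scanned"], "%Y-%m-%d")
        latest[f["host"]] = max(latest.get(f["host"], scanned), scanned)
    return sorted(h for h, d in latest.items() if now - d > timedelta(days=max_age_days))

if __name__ == "__main__":
    today = datetime(2017, 9, 1)   # constructed reference date
    print("fix first:", fix_first(FINDINGS))
    print("stale hosts:", stale_hosts(FINDINGS, today))
```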
3. Detection, Mitigation, Protection
When you’ve got the preventative measures covered, look to the technologies that will help you detect, mitigate and protect against attacks. No preventative solution can be 100% effective but with good post-compromise technologies you will get as close as possible to that mystical 100%.
Early detection will be important in avoiding some of the heftier fines the GDPR threatens. The better your prevention and detection, the less data is exposed and the better it is for everyone.
Make sure your tools communicate well, not just within their own family. You aren’t going to find a solution for absolutely everything from one vendor, and, just like a carpenter, you will end up with a bag of tools from a handful of trusted vendors rather than a single tool from a single vendor that sounded great in the brochure but is completely unwieldy.
Each tool should be great for its intended purpose but should also complement and enhance the other tools you have. Integration into your ecosystem should be a key requirement for tool selection.
4. Standing on the Shoulders of Giants
Regulatory compliance requirements with a security component, even if they don’t specifically apply to your organisation, provide good frameworks that you can use to shape your approach to effective security. This is particularly useful when first approaching a comprehensive security policy, as they give you a basic structure and ensure you are covering many of the nooks and crannies that might otherwise be missed.
If you already have a well-developed security policy they can provide a spotlight to focus on where the gaps may still be.
5. Be Honest, Honestly
Review your security honestly. If you don’t have the skills in-house, then use external consultants to review and test your security and to advise on what to do next. Good security vendors are keen to help you develop the best possible security approach across your environment, not just within the scope of their product range, so they make good partners in this process. It may seem counter-intuitive, but engage your local hacking community to help you craft better defences and detection: they know exactly what the currently popular tools are and how to defend against them. The only real failure in cyber security is in thinking that you’ve finished it. It’s an iterative process and an everyday activity.
Next Steps
The GDPR doesn’t demand that you do anything you shouldn’t already be doing. What it does is make sure that those who haven’t taken the necessary precautions, or haven’t been open about being breached, are held accountable for it. It also makes it easier to comply by having just one regulation for the EU as opposed to the 28 current sets of data protection legislation. The fines are scary, and appropriately so, but we should welcome the simplification and embrace it.
If you are currently assessing your level of compliance with GDPR, contact us for a strategic consultation today. In the meantime, we offer a host of resources to benchmark your current privileged access management and vulnerability management practices against your peers.
Brian Chappell, Chief Security Strategist
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.