We are now just over a year on since the EU General Data Protection Regulation (GDPR) came into full effect (25th May 2018) and over 3 years on from when this regulation was finalized. Where are we on the road to compliance and how has GDPR been applied through the first 12 months?
Many organisations still are not, or do not consider themselves to be, fully compliant. Some of this failure to close the compliance gap is the ongoing confusion about exactly what needs to be done to be fully compliant and some of this may be a result of the misperception that GDPR only affects those operating in the EU. The breadth of the definition of personal information within GDPR doesn’t help either.
All that said, whatever you are doing or plan to do, you need to be basing it on solid cybersecurity foundations or you risk spinning your wheels, and no-one can afford the ‘fuel’ for that. We’ll come back to that but first let’s review the first year of GDPR.
The State of GDPR Compliance – 1 Year In
Despite fears of example-making and vigorous application of the regulation, most Data Protection Authorities (DPA) led with advice for companies, setting up dedicated lines of communication to help everyone move forward both with GDPR compliance as well as the business of business. Yet, according to a survey by Hiscox Insurance, over a third of smaller companies are still not clear on who GDPR applies to, and 9 out of 10 are not aware of the rights that GDPR gives data owners.
What’s more, this period of apparent clemency is certainly coming to an end, if it has not already done so. This change in approach was evidenced in March 2019 when a company in Poland was fined €220,000 for failing to notify users that their data would be processed. Of the 6,000,000 people on whom the company held information, only 90,000 had been informed that their data was being processed and, of those, 12,000 had objected (13% of those notified) – no breach occurred.
The first overview on GDPR implementation, published in February 2019 by the European Data Protection Board, gives us insight into how the regulation has been applied over the first nine months both by individuals and DPAs. Across 31 EEA (European Economic Area) countries there were over 200,000 cases made up of 94,622 complaints from individuals, 64,684 data breach notifications and 47,020 other issues. 52% of those cases were reported to be closed, 47% were ongoing, and 1% had been appealed in national courts.
When you see numbers such as €55,955,871 in fines being issued in just 9 months, it seems as though GDPR has been brandishing the teeth that had so many fearful leading into May of last year. When you note that €50m of that was the fine levied on Google, the remaining €5m across potentially 32,000 data breaches either means that many more companies had their houses in order or that fines have been relatively kind; as we know from breach reports such as the Verizon Data Breach Investigations Report (DBIR) over many years, it’s definitely the latter.
Sharing a Unique Perspective on GDPR
As a company focused on delivering industry-leading solutions for both privileged access management and vulnerability management, BeyondTrust has a unique perspective. We know that the vast majority of successful attacks still follow a relatively small number of attack patterns facilitated through well-known, preventable vulnerabilities, which are enabled by users with excessive privileges (check out the Microsoft Vulnerabilities Report for recent research on this). Clearly, many organisations are still not getting the IT security basics right. In essence, the foundations on which the GDPR structures are built upon are not solid; not the best of starts for something that can result in fines of up to €20m or 4% of gross turnover, whichever is greater.
While many organisations outside of the EU or EEA still believe that the European GDPR does not apply to them, that Google has been fined so substantively should serve as a wakeup call. The scope of GDPR continues to be wherever the personal data of an EU resident (not just citizens but anyone residing within the EU at the time data was collected) is held; in today’s global economy, that could be anywhere and in many cases, organisations may not be aware that they have EU resident data and that they need to protect it.
We’ve seen many US organisations simply shut down access to their websites for connections originating in the EU. One example is the Chicago Tribune, one of the Tronic Media Group newspapers which, one year on, simply denies access to anyone from the EU.
Other newspapers from the same group take the same approach. While most organisations don’t have the luxury of being able to do this, it’s not a bad approach when you aren’t sure where you stand compliance-wise with respect to GDPR. When you weigh the revenue lost by denying access to your web pages against the potential penalties for non-compliance, this approach may make sense. However, when you are unsure how to proceed, you should seek legal advice, not from just anyone who claims to be a GDPR consultant, but from a properly qualified legal organisation that has all the protections needed to operate in this kind of space.
Even if GDPR doesn’t currently apply to you, it may in the future and there’s every chance that your local authorities could already be working on substantively similar legislation for your region. California and Washington State in the USA have already made strides in that direction and more states and countries will follow.
Improving Your GDPR Compliance Posture Begins with Getting the Basics Right
There are measures you can take to better prepare yourself to take on GDPR (or any IT security-based regulatory compliance) and, as promised, we return to the basics – the foundational elements of a robust cybersecurity strategy that are so easy to get wrong. Nearly every data breach can be related to the following model:
(Vulnerability -> Privilege) -> Lateral Movement -> Data Theft
The first two are sometimes reversed (and sometimes duplicated), but it’s the same issue regardless. You need to have control over what data you collect, how long you keep it and who has access to it.
Vulnerability Management: Too many organisations don’t treat vulnerability management as a continuous activity, and those that do often don’t focus on the right area. There are many ways to prioritise the vulnerabilities identified in your environment:
1. By Severity – Every vulnerability is rated for severity as High, Medium, Low, or Informational
2. By CVSS – The Common Vulnerability Scoring System attempts to assign a numeric score to each vulnerability by factoring in how easily the vulnerability can be exploited, the impact of a successful exploit, and other considerations
3. By the importance of each system – Prioritising the key systems within the organisation for fixes/mitigations
4. By the number of known exploits – Target the vulnerabilities with known exploits first, starting with those that have the most known exploits
You can apply all of these as part of your vulnerability management program, but starting with #4 is going to deliver the biggest bang for your buck by dealing with those ‘well-known, preventable vulnerabilities’ which are the source of the majority of successful attacks.
That said, many vulnerabilities are, by themselves, not all that useful to the threat actor. BeyondTrust’s own studies indicate that 80-90% of the known vulnerabilities in Windows 10 need the logged in user to have a privileged account in order to be impactful. That leads us to the next area we can deal with today.
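The prioritisation described above, plus the point that a vulnerability needing a privileged user is far less impactful where users run as standard users, can be turned into a simple triage routine. The following is an added illustration, not code from BeyondTrust or from any scanner: the findings, hosts, CVE-style identifiers, the `asset_importance` scale and the `requires_admin` flag are all constructed placeholders, and the sort order (known exploits first, then system importance, CVSS and severity label) is one reasonable reading of the list above rather than a published method.

```python
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Constructed sample data: the CVE-style ids, hosts and scores below are
# placeholders for this illustration, not real findings.


@dataclass(frozen=True)
class Vulnerability:
    cve: str
    host: str
    severity: str          # scanner rating: High, Medium, Low or Informational
    cvss: float            # CVSS base score, 0.0 to 10.0
    known_exploits: int    # number of publicly known exploits for this weakness
    requires_admin: bool   # exploit only has impact if the logged-in user is privileged
    asset_importance: int  # assumed scale: 1 (commodity) to 3 (business-critical)


SEVERITY_RANK = {"High": 3, "Medium": 2, "Low": 1, "Informational": 0}


def remediation_order(vulns: Iterable[Vulnerability],
                      standard_user_hosts: FrozenSet[str] = frozenset()) -> List[str]:
    """Return CVE ids in the order they should be fixed.

    Known exploits come first (#4 in the list above), then system importance,
    then CVSS, then the scanner's severity label. A vulnerability that needs a
    privileged user is deferred (not dropped) on hosts where users run as
    standard users, because least privilege already blunts its impact.
    """
    def sort_key(v: Vulnerability):
        deferred = v.requires_admin and v.host in standard_user_hosts
        # Python sorts tuples element by element; negatives give descending order.
        return (deferred, -v.known_exploits, -v.asset_importance,
                -v.cvss, -SEVERITY_RANK.get(v.severity, 0))

    return [v.cve for v in sorted(vulns, key=sort_key)]


def deferred_by_least_privilege(vulns: Iterable[Vulnerability],
                                standard_user_hosts: FrozenSet[str]) -> List[str]:
    """CVE ids whose exploitation needs admin rights on a standard-user host."""
    return [v.cve for v in vulns
            if v.requires_admin and v.host in standard_user_hosts]


SAMPLE_FINDINGS = [
    Vulnerability("CVE-0000-1001", "db01", "High", 9.8, 3, False, 3),
    Vulnerability("CVE-0000-1002", "ws17", "High", 9.0, 0, True, 1),
    Vulnerability("CVE-0000-1003", "web01", "Medium", 6.5, 2, False, 2),
    Vulnerability("CVE-0000-1004", "ws04", "High", 7.8, 2, True, 1),
    Vulnerability("CVE-0000-1005", "ws04", "Low", 3.1, 0, False, 1),
]

if __name__ == "__main__":
    print("All users privileged:", remediation_order(SAMPLE_FINDINGS))
    workstations = frozenset({"ws04", "ws17"})
    print("Standard users on workstations:",
          remediation_order(SAMPLE_FINDINGS, workstations))
    print("Deferred thanks to least privilege:",
          deferred_by_least_privilege(SAMPLE_FINDINGS, workstations))
```

Note that the two workstation findings that need a privileged user drop to the end of the queue once the workstations run standard users, while the exploited database finding stays on top regardless; the point is that the two programmes reinforce each other rather than compete for budget.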
Privilege Management: Excessive user privilege is rife in most organisations and it’s not all that surprising. Most operating systems do not provide a clear view of what privileged users can and cannot do, which makes constraining access very difficult. There are few or no mechanisms to grant only subsets of privilege within the system: you are generally either a standard user who can do virtually nothing or a superuser with access to everything.
Fortunately, there is another way: BeyondTrust Endpoint Privilege Management solutions (for Windows, Mac, Unix, Linux and Networks) enable you to implement the principle of least privilege. Applying least privilege entails granting only the privileges needed to perform the role assigned to the user or process. Another way to look at this approach is to think of it as the privileges needed to be productive, nothing more and nothing less. This process starts with a standard user and explicitly grants privileges to the processes and applications the user starts, never altering the user themselves. Simple rules which combine into policies allow this to evolve to meet your business needs.
By keeping the user account as a standard user at all times, you not only limit the impact of exploited vulnerabilities, you also avoid users having access to data they don’t need and/or shouldn’t have. This can have positive ramifications for ransomware attacks as well by limiting the scope of access the malware has on the system and the broader network.
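To make the idea of "start from a standard user and grant privilege to processes, not people" concrete, here is an added example of an ordered rule set evaluated at application launch. It is illustrative code written for this article, not BeyondTrust’s product or policy format; the publisher names, paths and rule actions are constructed, and a real endpoint agent would obtain the publisher from the binary’s signature rather than from a field supplied by the caller.

```python
from dataclasses import dataclass
from typing import Callable, List, Optional


@dataclass(frozen=True)
class Application:
    path: str                 # full path of the executable being launched
    publisher: Optional[str]  # verified signing publisher, or None if unsigned


@dataclass(frozen=True)
class Rule:
    name: str
    matches: Callable[[Application], bool]
    action: str  # "elevate" (add privilege to this process only), "block" or "standard"


def _under(path: str, prefix: str) -> bool:
    """Case-insensitive 'path starts with prefix' check for Windows-style paths."""
    return path.lower().replace("/", "\\").startswith(prefix.lower())


# Constructed policy: every path and publisher below is a placeholder.
# Rules are evaluated top to bottom and the first match wins.
POLICY: List[Rule] = [
    Rule("Block unsigned executables launched from user-writable locations",
         lambda a: a.publisher is None and _under(a.path, "C:\\Users\\"),
         "block"),
    Rule("Elevate an approved admin tool only from its install directory",
         lambda a: a.publisher == "Example Tools Ltd"
         and _under(a.path, "C:\\Program Files\\Example Tools\\"),
         "elevate"),
]

# The user account itself is never changed: anything no rule speaks to
# simply runs with the standard user's own rights.
DEFAULT_ACTION = "standard"


def evaluate(app: Application, policy: List[Rule] = POLICY) -> str:
    """Decide how a launched application runs: elevate, block or standard."""
    for rule in policy:
        if rule.matches(app):
            return rule.action
    return DEFAULT_ACTION


def audit_line(user: str, app: Application, decision: str) -> str:
    """One-line audit record so every elevation or block is traceable."""
    return (f"user={user} decision={decision} path={app.path} "
            f"publisher={app.publisher or 'unsigned'}")


if __name__ == "__main__":
    launches = [
        Application("C:\\Program Files\\Example Tools\\diskcfg.exe", "Example Tools Ltd"),
        Application("C:\\Users\\bob\\Downloads\\invoice.exe", None),
        Application("C:\\Users\\bob\\Downloads\\diskcfg.exe", "Example Tools Ltd"),
        Application("C:\\Windows\\System32\\notepad.exe", "Microsoft Windows"),
    ]
    for app in launches:
        print(audit_line("bob", app, evaluate(app)))
```

The third launch is the instructive one: the same signed tool copied into a download folder is not elevated, because the grant is tied to both the publisher and the expected location, and the account running it remains a standard user throughout.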
Privileged Account and Session Management: Another area of privileged access comprises the shared, privileged accounts that exist in your environment – think Local Administrator for Windows, Domain Administrator for Active Directory, root for Unix and Linux, and admin for the plethora of IoT devices that have sprung up in our networks.
Managing these accounts, controlling access to them, and having a full audit trail for each access is essential when looking to prevent lateral movement in your environment; it is these accounts that are a key focus for attackers looking to locate the crown jewels in your network.
Enterprise privileged password management solutions, such as BeyondTrust’s Password Safe, allow you to take full control over these accounts across your network. Frequently changing passwords, brokering access to the accounts with extensive workflow capabilities while providing full session recordings for each instance of privileged access ensures that the risk these accounts pose in your environment is dramatically reduced.
Single User Account: Having just a single account for each user delivers benefit in a multitude of ways. It means that users only have one set of credentials (username and password) to remember, making it much easier to apply the latest NIST advice on passwords.
Don’t forget to add two-factor authentication to your environment: this one account is the sole entry point for users into the system, and we want to leverage the something we are, something we know, and something we have factors that are essential for proper authentication.
Being able to leverage the capabilities of an Active Directory Bridge solution allows us to extend that single identity from Active Directory through Windows, Unix, Linux, Mac, and beyond. Combine that with Single Sign-On (SSO) for many applications and users truly have a single identity across all systems: one identity to create when they join and, importantly, only one place to disable/delete them when they leave.
Keep It Sensibly Simple: Each of the areas above can be addressed independently of the others and in any order. By keeping them separate, you can keep each relatively simple, making them easier to design, implement, manage, and maintain, and making it easier to respond when something does happen.
Any process or solution that complicates your cybersecurity approach should be given extra scrutiny as that complexity creates opportunity for attackers. The more complex the solution, the harder it is for you to know exactly what’s under control and what’s not and what you need to do next.
As Steve Jobs put it:
"Simple can be harder than complex: You have to work hard to get your thinking clean to make it simple. But it's worth it in the end because once you get there, you can move mountains."
Respect Personal Data: Treat everyone’s data as if it were your own. If you take that basic premise and implement the kinds of processes, procedures, and protections that you expect other organisations to apply to your data then you will be on the right path.
Don’t forget, it’s not just about what data you collect, it’s also what you do with it and who has access to it. Even if you are contracting another company to process the data you collect, you are still responsible for that data, just as you are for your company data.
To learn more on how you can address GDPR with BeyondTrust privileged access management solutions, download this white paper.
Brian Chappell, Chief Security Strategist
Brian has more than 30 years of IT and cybersecurity experience in a career that has spanned system integrators, PC and Software vendors, and high-tech multi-nationals. He has held senior roles in both the vendor and the enterprise space in companies such as Amstrad plc, BBC Television, GlaxoSmithKline, and BeyondTrust. At BeyondTrust, Brian has led Sales Engineering across EMEA and APAC, Product Management globally for Privileged Password Management, and now focuses on security strategy both internally and externally. Brian can also be found speaking at conferences, authoring articles and blog posts, as well as providing expert commentary for the world press.