Category Archives: GDPR

GDPR quick guide: Why non-compliance could cost you big

If you conduct business in the EU, offer goods or services to, or monitor the online behavior of EU citizens, then the clock is ticking. You only have a few more months – until May – to make sure your organization complies with GDPR data privacy regulations. Failure to abide by GDPR means you could get hit with huge fines. Personal data protection …

Why the cyber threat landscape could grow under GDPR

The General Data Protection Regulation (GDPR) is only 3 short months away, with the incoming regulation seeing businesses across Europe and beyond bolster their cyber security in an effort to

The post Why the cyber threat landscape could grow under GDPR appeared first on The Cyber Security Place.

Businesses need to think differently about data management in the digital age?

Increased use of digital technology is creating massive amounts of data from cloud, mobile, IoT and more, resulting in a data deluge. Companies across industries are racing to embrace digital transformation

The post Businesses need to think differently about data management in the digital age? appeared first on The Cyber Security Place.

What online attacks will dominate the threat landscape this year?

This article will focus on three different and pressing issues that the IT security industry needs to be prepared for during 2018 – the increase of cyber threats via social

The post What online attacks will dominate the threat landscape this year? appeared first on The Cyber Security Place.

German court says Facebook use of personal data is illegal

Facebook’s default privacy settings and some of its terms of service fall afoul of the German Federal Data Protection Act, the Berlin Regional Court has found. By not adequately securing the informed consent of its users, Facebook’s use of personal data is illegal – and so is the social network’s “real-name” clause, as the German Telemedia Act says that providers of online services must allow users to use their services anonymously or by using a …

Data Governance: How prepared are enterprises for the impending GDPR?

Report reveals only 6% of enterprises are prepared for GDPR, with less than four months until the data privacy and security regulation goes into effect. With less than four months

The post Data Governance: How prepared are enterprises for the impending GDPR? appeared first on The Cyber Security Place.

What does the GDPR and the “right to explanation” mean for AI?

Security teams increasingly rely on machine learning and artificial intelligence to protect assets. Will a requirement to explain how they make decisions make them less effective? “But I’m not guilty,” said

The post What does the GDPR and the “right to explanation” mean for AI? appeared first on The Cyber Security Place.

Poor data practices can ruin a company, research claims

People will not do business with companies known for misuse of personal data. A lot of consumers (41 per cent) submit false data when signing up for products and services online,

The post Poor data practices can ruin a company, research claims appeared first on The Cyber Security Place.

IT Security Expert Blog: GDPR Preparation: Recent Articles of Note

Company preparations for GDPR compliance are (or should be!) in full swing with the 25th May enforcement date fast looming on the horizon. With that in mind, I found the following set of recent GDPR articles a decent and interesting read. The list was compiled by Brian Pennington of Coalfire, who has kindly allowed me to repost it.

If you are after further GDPR swotting up, you could always read the actual regulation, the EU General Data Protection Regulation (EU-GDPR), and don't forget to read all the Recitals.

If you have any other GDPR related articles or blogs of note, please post them in the comments.



One GRC Manager’s Practical Approach to GDPR Readiness

With about four months to go before the GDPR becomes effective, many companies are still struggling with where to start. You’re not alone. According to this survey, the majority of companies are slow off the mark. On top of that, companies require resources and budget to prepare for and comply with the GDPR.

I fully understand the challenge. It starts with the GDPR document itself.  Printed, it’s like a full tree or door stopper and reading through it is like a big sleeping pill.  With 261 pages of heavy legal reading it could take you a few days to digest the volume of information it contains.

At Imperva, our readiness to meet the regulatory requirements established by the GDPR is managed by our Privacy Office. As a GRC manager on that team, I was one of several individuals tasked with reading, understanding and communicating GDPR requirements to our internal stakeholders as we developed our compliance plan.

In this post, I’ll share with you how I approached GDPR readiness.

No doubt, your organization has a team established to work through GDPR requirements and prepare as needed. If you’re a member of that team and haven’t yet started down your own path, I’m hopeful you’ll find this a useful guide in helping jump start your project, with the ability to tailor it to your specific needs. My goal was to make it as practical as possible. And I provide timelines to give you a sense for how long each step took when I took it on. Here we go.

Step 1: Read the Regulation (Then Read It Again) and Identify Areas of Impact – Maximum 1 Week

Read the GDPR at least twice, the first time with the view of finding out what it’s all about and what principles and articles it contains. During the first read I also marked up whether a principle or article required a potential action from us—either from a corporate standpoint (if Imperva needed to prepare internally as an organization) or from a business standpoint (how Imperva could help our customers prepare). Doing this of course assumes you know your organization, its products and services. If you don’t, this will be more difficult for you and may require a full-on team read. This could be fun.

Organize Findings into Related Groups

The second read was more intense and this is where I started to drill down into a more granular level of what GDPR means to us. I thought about how to break the requirements, principles and articles into related groups, both corporate and business.  When I say business that really means our services and product lines. While working with one of our GDPR professional services teams I identified a practical way to organize the groups—I put each relevant principle or article into one of four independent buckets. Each bucket was given a name and owner. The buckets are as follows:

GDPR planning

Each relevant article or principle, as outlined in the sample below (Figure 1), was put into one of the four buckets. If I was not sure whether to include a reference, I included it anyway, just in case it was important to the business and I needed to refer to it later.


Figure 1: Extract of relevant GDPR articles and principles

Step 2: Get Business Teams Buy-In and Collect Feedback – Approximately 4 Weeks

Armed with this spreadsheet I was ready to approach the respective business teams.  I found the best way to do this was to present the ideas and concepts in a workshop. This took a number of sessions to include all parties, but it enabled me to explain the process, field their questions and reach agreement on the asks I had of each of them. Coming prepared with the bucketed list helped the respective teams feel more relaxed knowing they didn’t need to read the GDPR themselves as it had already been thoroughly reviewed and only required them to focus on a small subset of the requirements.


Team Feedback / Business Requirements Mapping

Once I had explained the GDPR review and bucketed approach to the teams, I asked for their feedback. The easiest way to collect this information was in a spreadsheet, capturing the source details of the GDPR, including chapter, section, heading and reference number, as shown in the graphic above. I was not able to find the GDPR text in this format, so copy and paste was the only alternative. I never copied all the text from the GDPR, only the relevant text.

The process outlined as Phase I for the business required mapping the GDPR subsets (stated above) for matches relating to GRC, Product, Feature and Corporate buckets. As a takeaway, I sent each team a follow-up email and the attached spreadsheet after the meeting(s). Over the course of a few weeks the teams captured all the relevant GDPR requirements in the spreadsheets as a “Yes” in the appropriate column where an action based on the GDPR was required:

  • Column G – Governance Risk and Compliance (GRC) requirements
  • Column H – GDPR compliance requirements your product must have
  • Column I – New GDPR features you can provide your customer beyond the “must-haves”
  • Column J – Corporate/legal requirements

I added a comment column, which I completed to include a short and sweet description of the GDPR requirements without the business having to do too much reading. That said, I also included the necessary GDPR descriptions if more information was needed.

Step 3: Review Feedback with Each Team – Approximately 2 Weeks

The next step was to review the spreadsheet with each of them.  This helped clarify certain information that was not clear and ensure they had understood the GDPR requirements correctly.  Not all GDPR requirements were marked with a “Yes”, thus further reducing the number of active GDPR requirements.  I consolidated the feedback received into a single table with some initial analytics. See Figure 2 below.


Figure 2: Table showing GDPR analytics based on the teams’ input

The table looks quite scary, but don’t worry. Not every GDPR requirement translates into an action, and this was only a provisional view, not the final one.

Step 4: Develop an Action Plan – Approximately 2-3 Weeks

Each group approached their action plan differently. The product and services teams created a product requirements document (PRD). The PRD outlined in great detail how the requirements aligned with changes in the product. This included “must-haves” and new features to enhance our product’s capabilities. The legal and corporate team created a task list of impact areas that required action or updates, for example updates to our web and privacy policies. Each task was assigned a timeline and a person responsible. Of course, the PRD is a much larger project and requires many changes and many people. The product and services teams consolidated a number of related “data management” requirements into a single PRD and provided this to the engineering team to break down into more detail.

Step 5: Track Progress and Countdown to May 2018

We are now in the action-monitoring phase, with the teams ensuring we continue to meet our May 2018 timelines. Changes continue to filter down into the product, some extremely significant, such as regionalization of data. Legal has included GDPR in our ongoing vendor risk process, which covers both the agreement side and the assessment side. Marketing has made progress with regard to data privacy opt-in requirements. As of now, we’re on track with the plan.

I hope this has given you some insights into what you should be thinking about for your own GDPR readiness project. The May 2018 effective date is around the corner (May 25, 2018, to be exact!). But there’s still time to prepare – you may just need to accelerate your project timeline to ensure you’re ready.

Can we help? Learn about professional services for GDPR compliance from Imperva.

Episode 82: the skinny on the Autosploit IoT hacking tool and a GDPR update from the front lines

In this week’s episode of The Security Ledger Podcast (#82), we take a look at Autosploit, the new Internet of Things attack tool that was published on the open source code repository Github last week. Brian Knopf of the firm Neustar joins us to talk about what the new tool might mean for attacks on Internet of Things endpoints in 2018....


7 steps for getting your organization GDPR-ready

While the EU has had long established data protection standards and rules, its regulators haven’t truly commanded compliance until now. Under the General Data Protection Regulation (GDPR), financial penalties for data protection violations are severe – €20 million (about $24.8 million USD) or 4 percent of annual global turnover (whichever is higher), to be exact. What’s more is that GDPR does not merely apply to EU businesses, but any organization processing personal data of EU …

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google Security Researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre’, when exploited by a hacker or malware, these vulnerabilities disclose confidential data. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple have reacted quickly, releasing security updates to protect their customers from the vulnerable processors, kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers, in what the company at the time described as a "sophisticated cyber attack" – where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date; a lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force, as with such a damning list of security failures the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There are also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hackers' wallet; the hackers then moved the currency to a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21, together with lapses in encryption, was responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a highly valued target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and that 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year – no surprise there.

Malwarebytes' 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allow them to identify ideal attack points from which to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.


Many businesses lack proper plan for alerting customers to a data breach

This is despite GDPR being clear that organisations need to notify victims of a data breach within 72 hours. Less than a fifth of organisations are fully prepared to notify customers

The post Many businesses lack proper plan for alerting customers to a data breach appeared first on The Cyber Security Place.

Three IT steps to make your GDPR compliance journey smoother

Is your organisation prepared to comply with the upcoming regulation? Businesses are constantly having to overcome the various obstacles that come their way — some might argue this is a large

The post Three IT steps to make your GDPR compliance journey smoother appeared first on The Cyber Security Place.

Survey: How Well Will Organizations Respond To The Next Data Breach?

The European Union’s General Data Protection Regulation (GDPR) goes into effect this May, and lawmakers in the U.S. are proposing stricter data breach legislation. With the pressure on to better protect data and improve notification procedures in the event of a data breach, Tripwire surveyed 406 cybersecurity professionals to see how prepared organizations are feeling. […]

The post Survey: How Well Will Organizations Respond To The Next Data Breach? appeared first on The State of Security.

Facebook, Microsoft announce new privacy tools to comply with GDPR

In four months the EU General Data Protection Regulation (GDPR) comes into force, and companies are racing against time to comply with the new rules (and avoid being brutally fined if they fail). One of the things that the regulation mandates is that EU citizens must be able to get access to their personal data held by companies and information about how these personal data are being processed. Facebook users to get new privacy center …

GDPR: Great Data Protection Rocks – Especially on Data Privacy Day

International Data Privacy Day might seem like an odd holiday, especially for businesses to observe. That’s what we thought about Earth Day, launched in 1970, and today companies around the world announce their public support every year. International Data Privacy Day marks the day – back in 1981 – that the Council of Europe recognized the importance of the right to privacy with a treaty. *

This Data Privacy Day, Jan. 28, finds Europe looking ahead to major new privacy rules in the form of General Data Protection Regulation (GDPR) to be enforced starting on May 25. And this has given us an opportunity to address privacy the way we have come to respect environmentalism. It’s everywhere, it’s everyone’s business, and it’s good business.

As I have worked to ready McAfee for GDPR, one thing I have learned is that it truly takes everyone to focus on the protection of data. I’ve been privileged to meet and work with hundreds of my McAfee colleagues to sort out what being GDPR-prepared means to us, from security architects and lab folks to the product teams and great messaging people. It takes a city, not just a village, to get ready for GDPR.

This year, most data protection professionals will celebrate Data Privacy Day on Thursday, January 25th, just four months before the official enforcement date for GDPR.  One of my favorite things to come out of the many conversations about GDPR is a new slogan: Great Data Protection Rocks.  The slogan, compliments of our senior writer Jeff Elder, captures my thoughts perfectly — Great Data Protection is not just good digital hygiene and good technological maintenance. It’s an admirable, even cool, ideal, and it’s part of McAfee’s Culture of Security, described by chief executive Chris Young in December in New York. “Ten years ago, if I were to ask a CEO about cybersecurity, he might say, ‘Yeah, I’ve got some guy in IT that’s working on this.’ Now everybody cares and I think that’s going to make a big difference,” Chris told CNBC’s Jim Cramer.

He’s right: Security in general and data protection are not big, monolithic initiatives achieved with one initiative, but rather require the whole city to have a Culture of Security – and you don’t get that by writing checks, or by formulating one list of best practices. We won’t be washing our hands of data protection and putting a bow on top on Data Privacy Day, on May 25 when GDPR goes into effect, or ever. If that sounds ominous, you may be looking at it the wrong way.

My colleague Mo Cashman, Director of Sales Engineering and Principal Engineer, lays out the journey to real culture change: “First think of security strategy in terms of governance, people, processes and technology. Then consider the security outcomes you need to be GDPR-ready, and the relevant solutions.”

Great Data Protection means all of us being advocates for good practices. It means making sure you know where you are putting your data, and knowing what protections exist when you use cloud applications… It means saying no to an organization that wants to bypass privacy, security, or vendor practices and do a quick-and-dirty connection to your database or even your brand’s social media accounts. That’s not cool. It’s the equivalent of your company disposing of waste in environmentally harmful ways.

It’s also bad business because winging it every time you handle data is a waste of time and energy. Nailing down good practices that everyone can adhere to every time is economical in many ways. Making that effort a real and admirable value of your company is a beautiful thing.

I confess to being a bit of an International Privacy Day geek (my mother has it written on her calendar and calls and wishes me a happy day).  I generally get a cake and try to touch base with far-flung data protection colleagues.  But the early companies that embraced Earth Day look good now. If Great Data Protection Rocks seemed a little dorky in 2017, I’m good with that. We’ll keep your data safe until you come around.

For additional information about GDPR please visit our Solutions Page, or join in on the conversation by following @McAfee or @McAfee_Business on Twitter.

* The treaty, the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, anticipated the cross-border transfers of data that we take for granted now.

The post GDPR: Great Data Protection Rocks – Especially on Data Privacy Day appeared first on McAfee Blogs.


Bomgar Enables GDPR Compliance for Privileged Users

Bomgar, a leader in secure access solutions, today announced its secure access solutions can help organisations comply with the upcoming EU General Data Protection Regulation (GDPR) mandates. The amount, sources, and types of data that are collected and used by organisations today has grown exponentially, along with the value that can be gained from obtaining this data. How and where companies store and process data has moved from inside the traditional IT perimeter to hybrid and cloud environments that span systems and data centres around the globe. With the fast-approaching enforcement of GDPR going into effect 25 May 2018, organisations need to be prepared to meet the new standards to maintain data privacy.

Bomgar’s solutions have always focused on security at the heart of their design. This ensures that every remote access connection made by our customers—whether a privileged user connecting to a critical system or device or a help desk connecting to an end-user’s system—is secure, protecting critical systems and data and helping organisations meet the GDPR requirements.


Bomgar’s solutions include:

  • GDPR Pseudonymization Support – Meet GDPR initiatives through responding to Right to Erasure requests by searching for specific criteria supplied by the requestor.
  • Improved Customer Agreement Enhancements – Improve security among support teams by reassuring customers they’re dealing with the intended organization, and keep your brand front and center while presenting and capturing consent.
  • Enforce Policy of Least Privilege – Only give access to data to those who need it, when they need it, with granular levels of access controls that eliminate “all or nothing” access.
  • Manage Privilege ‘Sprawl’ – Identify and secure all your privileged accounts centrally across your organisation, including dormant credentials, eliminate insecure practices of employees sharing or writing down passwords, and integrate your security policies.
  • Secure and Protect All Privileged Accounts – Store, rotate, and manage privileged credentials within a secure enterprise password vault, and grant access based on job roles and requirements creating a reliable “privilege on demand” workflow.


“Security must be central to an organisation’s data privacy strategy to ensure they can control and protect access to the systems that hold personal data,” said Martin Willoughby, SVP, general counsel and chief privacy officer at Bomgar. “Organizations must also ensure all remote access methods are secure to protect their data as this is the number one method of compromise. Bomgar’s Secure Access solutions enable businesses to control, monitor, and manage access to critical systems and data, while ensuring that people remain productive and are not impeded in their day-to-day job tasks.”

For more details about how Bomgar can help your organisation meet the new GDPR standards, download this free whitepaper and register for our upcoming webinar: GDPR and Remote Access Security: What You Need to Know.

The post Bomgar Enables GDPR Compliance for Privileged Users appeared first on IT SECURITY GURU.

72 hours and counting: The role of AI in GDPR

Written By John Titmus, Director, EMEA – Sales Engineering, CrowdStrike

The need to be GDPR-ready may be attention-grabbing right now, but turn this on its head: would you rather be compliant or protected against breaches? If you are more concerned about compliance without understanding the role of security and protection, you may face the ticking of the breach notification clock – 72 hours and counting – and the penalties associated with it.


Compliance does not equal protection

Fear can be a positive emotion, preventing us from straying into dangerous situations, but it can also be crippling – stopping us from pursuing the correct course of action when required. With the looming GDPR deadline, are businesses seeing compliance as a tick box only activity, or should they be seeing the new regulations as an opportunity to improve their defences against an unprecedented rise in cyberattacks?

A ‘tick box’ mentality might help an organisation achieve compliance within the requirements of GDPR, but there is much more it can do to abide by the regulation’s spirit. What does that tick in the box really mean? When can you start to celebrate? The truth of the matter is, you are only compliant for that brief moment in time.

Businesses need to demonstrate more than mere compliance: they need to show that they are sophisticated enough to deal with any breach that occurs, and have the right processes in place to minimise the damage and effectively report the extent of the breach. Stating you were compliant when a breach happened doesn’t protect your organisation or your customer data.


Beyond compliance

One of the most high-profile recent breaches – targeting Equifax – highlighted the reputational damage that delayed breach notifications can cause. Under GDPR, any delay will come with a hefty financial cost. The penalties for non-compliance with GDPR are well-known – a fine of up to 4% of revenue or €20m, whichever is the greater. An organisation can still be compliant yet suffer serious financial and reputational consequences from a breach that goes undetected. It’s therefore incumbent upon any organisation to ensure they are not only compliant, but always prepared for any breach. And the only way to build the right defences is to take the focus away from the breach and re-direct it to stopping the malware and demonstrating that you have mature processes in place to help detect, prevent and respond.


The Role of AI in GDPR

The key to defeating cyber attackers is to master huge volumes of data about threats in real time, and this simply isn’t possible without the use of AI, given the volumes of data that need to be processed. To give you an idea of the scale of the analysis, CrowdStrike collects and analyses around 67 billion events every single day. AI is used to access and contextualise all this data in under five seconds, providing a real-time view of the current threats that organisations need to be protected from.

The real essence of GDPR lies in the ability to demonstrate maturity from both a technical and process perspective, to be able to deal with a breach, should it occur. Harnessing technologies that use automation to operationalise data and artificial intelligence (AI) will make a big impact and also help to approach GDPR with a proactive ‘stopping malware’ mind-set.

AI can provide the ability to scale, provide visibility and therefore protect us at speed, as time can be the enemy. Used intelligently, AI enables us to see what’s happening in the world at any given moment, and to interrogate data to identify indicators of attack (predictive methods) as well as indicators of compromise. When combined with machine learning, it’s an incredibly powerful capability in the fight against hackers; constantly collecting, analysing and adapting security algorithms. Without the ability to understand if there are indicators of compromise in real-time, you will never be able to establish IT hygiene and, more importantly, have a security posture that is ready to face any future threats.


From compliance to security hygiene

Organisations also need to invest in processes to protect data and identify how that data is being accessed. Early warning systems that detect intrusions by external threat actors or insiders trying to gain unlawful access are key – but so are established guidelines for how to respond to a breach, such as isolating infected devices, remediating the estate, and working with legal and PR to formulate the right public response.

Preventative measures are also a fundamental part of the approach. With the rise in IoT, organisations should question which devices are WiFi-enabled and if they really need to be connected. Simple measures like this can ensure that they minimise the chance that they are compromised or become vectors for an attack.

We see this as ‘security hygiene’; a posture that focuses on cross-organisational measures to combat breaches, rather than a narrow focus on point security such as AV or endpoint protection.


Conclusion

Organisations should not fear the 72-hour deadline for breach notification but use it as an opportunity to review their existing processes and security. Achieving this target might mean that an organisation protects itself from the huge fines mandated under GDPR, but it also provides the opportunity to make those overdue updates to technology and processes: being able to discover indicators of attack in real time and prevent a breach. This might sound like another impossible requirement to add to the already stringent demands of the GDPR, but in fact the right tools and processes can achieve this easily.

Don’t let fear be your motivation for achieving GDPR compliance. Instead, focus on how your business can give itself – and its customers – the best protection possible.

The post 72 hours and counting: The role of AI in GDPR appeared first on IT SECURITY GURU.

GDPR: Whose problem is it anyway?

With the GDPR deadline looming on May 25, 2018, every organization in the world that transmits data related to EU citizens is focused on achieving compliance. And for good reason. The ruling carries the most serious financial consequences of any privacy law to date – the greater of 20 million EUR or 4 percent of global revenue, potentially catastrophic penalties for many companies. Compounding matters, the scope and complexity of GDPR extends beyond cyber security, … More

5 steps to boost your application security testing ROI

Even in the era of AI hype, spending more does not necessarily mean spending wiser. While Gartner forecasts global cybersecurity spending to reach $96.3 billion already this year, Gemalto reports a

The post 5 steps to boost your application security testing ROI appeared first on The Cyber Security Place.

Why GDPR will drive a best practice approach

When GDPR was first discussed, many feared that it would force businesses to act more insular and become more defensive about their data. Some even believed there would be a counter-movement against the cloud with organisations taking back data into their internal systems. Thankfully, the reality has been very different. Instead we’ve seen a new willingness to work together with partners and specialist cloud providers. Now it looks likely that this collaboration will help to … More

Coprocessor Attacks: the Hidden Threat

Botnets, DDoS and ransomware attacks, vulnerabilities in Internet of Things devices and Open Source Software, and the generally poor state of information security, dominate the discussion of cybersecurity. These same

The post Coprocessor Attacks: the Hidden Threat appeared first on The Cyber Security Place.

From 1980 to 2018: How We Got to the GDPR

In 1980, the Organization for Economic Cooperation and Development, or OECD, established frameworks to protect privacy and personal data. From then until now, we have experienced several profound changes in legislation, notably the EU Data Protection Directive. Now in 2018, the General Data Protection Regulation, or GDPR, will begin to take on its true value, as May of this year will be when the adaptation period will be over.

The first moves toward a data protection law

The development of the OECD Guidelines, stemming from the need to adapt the already obsolete OEEC, was the first step to committing the thirty-five participating countries to mutual respect and clarity in the transfer of information.

As the importance of the Internet and data grew and became global, the OECD guidelines established the first comprehensive personal data protection system in all its member states.

These guidelines were based on eight principles to ensure that the interested party was notified when their data were collected; that this data was used for the stated purpose and for nothing else; that, in addition, these purposes were defined at the time of collection; that their data would not be disclosed without their consent; that the data record was kept secure; that the interested party was informed of everything; that they could access their data and make corrections; and, finally, that the interested party had at their disposal a method to hold the data recorder accountable for not following said principles.

And then came the data protection framework

In 1995, it was time to update the regulation of personal data and its management. Directive 95/46/EC of the European Union, also known as DPD, or Data Protection Directive, was a step forward that included the eight OECD guidelines and extended the application in a context where privacy was much more important.

But the fundamental change was in the legal status. Specifically, the OECD guidelines consisted of the Council’s recommendations regarding the guidelines that govern the protection of privacy and the cross-border flow of personal data, and were therefore non-binding.

Directive 95/46/EC changed this, providing more concise definitions and specific areas of application. Although the directive itself is not directly binding on citizens, the member states had to transpose it into local law before 1998. This change was also intended to create administrative homogeneity and an equal legal framework for all member states.

Adopting the GDPR

Despite the considerable efforts involved in the implementation of the Data Protection Directive, in just a decade the progress proved to be insufficient. One of the main criticisms of the previous directive was the limited control of the interested parties over their data, which includes their transfer outside the European area.

This directly involves multinationals and large companies that were able to take advantage of the deficient framework of the previous directive for their own interests. To resolve this, in 2016 the adoption of the General Data Protection Regulation, or GDPR, was approved.

Since then, and until May 2018, everyone has had time to adapt to the regulations. The most remarkable thing about the GDPR is that, unlike the previous directives, it does not require local legislation, homogenizing, once and for all, legislation regarding protection within the member states and companies that work with EU citizens’ information, inside and outside of this region.

Is your company ready?

The European Union foresees that the application of the GDPR will entail sanctions of up to twenty million euros or 4% of the previous period’s turnover for non-compliance. Now that we are in the final stretch, it is worth determining whether our company is prepared to meet the challenges.

All companies that collect and store the personal data of their employees, customers and suppliers residing in the EU are affected. This is important if we take into account that 80% of the data handled by the organizations is unstructured.

The increase of confidential data stored in an array of databases puts protection in the spotlight. Cyberattacks could lead to a serious sanction. Good practices in Data Security Governance are the key to mitigating these risks and ensuring compliance.

Luckily we have tools such as Panda Adaptive Defense and Panda Adaptive Defense 360, which have a Data Control module to help with such tasks. This tool is specialized in simplifying the management of this personal data, since it discovers, audits and monitors in real time the complete life cycle of these files. And do not forget that keeping up with the GDPR is an active and meticulous process, but one which can be simplified and automated with the right help. Don’t wait until May!

The post From 1980 to 2018: How We Got to the GDPR appeared first on Panda Security Mediacenter.

Episode 78: Meltdown and Spectre with Joe Unsworth of Gartner and will GDPR spark a Data War in 2018?

In this week’s Security Ledger podcast, Joe Unsworth has been covering the semiconductor space for Gartner for 15 years, but he’s never seen anything like Meltdown and Spectre, the two vulnerabilities that Google researchers identified in a wide range of microprocessors. In this podcast, Joe comes in to talk with us about what the flaws...


Three Reasons Why GDPR Encourages Pseudonymization

The General Data Protection Regulation (GDPR) is the European Union’s new data regulation designed to provide individuals with rights and protections over their personal data that is collected or created by businesses or government entities. It unifies data protection regulation across all member states of the European Union (EU) and is set to replace the Data Protection Directive. The GDPR applies to organizations of all sizes that collect or process personal data originating from the EU. Most importantly, it provides a mechanism for enforcement of the regulation, which begins on May 25th, 2018. Anyone who fails to comply with the GDPR could face fines as large as €20M (~$22M) or 4% of global annual turnover (revenue) from the prior year.

What is Pseudonymization?

While the GDPR doesn’t call out any specific technology (as technology evolves over time), it does encourage pseudonymization of personal data. Pseudonymization is a security technique for replacing sensitive data with realistic fictional data. The concept of personally identifiable information (PII) lies at the heart of the GDPR, and the idea of pseudonymization is to separate data from direct identifiers, so that the data cannot be linked back to an identity without additional information. In other words, the data subject is no longer directly identifiable from the pseudonymized data alone.

Use Case 1: Removes Sensitive Data

Pseudonymization enhances privacy by de-identifying sensitive information. It removes or obscures direct identifiers, such as name, social security number, credit card number, or contact information. As a result, pseudonymization helps reduce the risk of data breach, data loss, and data theft. Even if hackers obtained privileged users’ credentials or malicious insiders gained legitimate access, with pseudonymization they wouldn’t get ‘real’ data. Data controllers can utilize this technique to handle directly identifying data securely and separately from processed data to ensure non-attribution.

Use Case 2: Enables Data-driven Business

Pseudonymization not only helps protect the rights of individuals, but also enables data utility. Nowadays, for companies big and small, using data is an essential part of doing business. While the GDPR requires data controllers to collect data only for “specific, explicit and legitimate purposes”, it provides data controllers who pseudonymize personal data more flexibility to process the data for a different purpose than the one for which it was originally collected.

Take data masking as an example: it is considered a means of pseudonymization that replaces sensitive data with fictitious but realistic values. Let’s say a record shows that a man named John Smith who is 65 years old has a Social Security number (SSN) of 123-45-6789. After the data is masked, John Smith might become Tom Potter who is 58 years old and has an SSN of 223-56-7890. The masked data maintains referential integrity and operational accuracy, so that personal data can be securely processed for scientific, historical and statistical purposes. This is why pseudonymization may facilitate processing of personal data beyond the original collection purposes.

Figure 1: Data masking replaces original data with fictitious, realistic data.

Use Case 3: Practices Data Minimization

Last but not least, pseudonymization allows data controllers to practice “data minimization”, another concept introduced by GDPR, which limits the use of data to what is necessary for a specific purpose. For example, an insurance company collects personal information for the purposes of issuing a policy. Later on, the company wants to analyze this data to improve pricing of policies. Under the principle of data minimization, the company would not be able to do so because the personal data collected for one purpose (e.g., issuing a policy) cannot be used for a new purpose (e.g., creating a database for pricing analysis). Nonetheless, if the data is pseudonymized, for instance, via data masking, then the company could use the masked database for pricing analysis, as pseudonymization meets GDPR’s data security requirements to safeguard personal data.

Data Protection and Flexibility

The GDPR introduces pseudonymization as a means of protecting individuals’ rights while allowing data controllers to benefit from the data’s utility. This technique significantly reduces the risk of data exposure while maintaining the referential integrity for scientific, historical and statistical purposes. Pseudonymized data falls within the scope of the GDPR and provides more flexibility to data controllers. Those who adopt pseudonymization techniques will have an easier time utilizing personal data for secondary purposes, as well as meeting the data security and data by design requirements of the GDPR.
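As an added example, not code from the Imperva post, the following Python routine illustrates the John Smith / Tom Potter masking above and the insurance pricing case: names and SSNs are replaced with realistic fictitious values via a keyed HMAC, the key is the "additional information" held separately from the masked data, and a check confirms that the masked customer and policy tables still join (referential integrity). The sample records, name pools and key are constructed for the example; unlike in the text, age is left unmasked here because the analysis needs it and it is not a direct identifier.

```python
import hashlib
import hmac
import re
import secrets
from collections import Counter

# Constructed sample data (not from the original post): a customer table and a
# policy table that reference customers by SSN, as in the insurance scenario.
CUSTOMERS = [
    {"name": "John Smith", "age": 65, "ssn": "123-45-6789"},
    {"name": "Jane Doe", "age": 42, "ssn": "987-65-4321"},
]
POLICIES = [
    {"policy_id": "P-1001", "ssn": "123-45-6789", "premium": 1200},
    {"policy_id": "P-1002", "ssn": "987-65-4321", "premium": 800},
    {"policy_id": "P-1003", "ssn": "123-45-6789", "premium": 450},
]

# Small pools of fictitious names used to build realistic-looking replacements.
FIRST_NAMES = ["Tom", "Anna", "Luis", "Priya", "Omar", "Mei", "Sven", "Nadia"]
LAST_NAMES = ["Potter", "Larsen", "Okafor", "Garcia", "Chen", "Novak", "Reyes", "Byrne"]

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")


class Pseudonymizer:
    """Deterministic, keyed masking of direct identifiers.

    The secret key is the 'additional information' the GDPR refers to: it is
    stored separately from the masked data set (e.g. in a vault), so masked
    records cannot be linked back to a person without it, while the same input
    always yields the same pseudonym, which keeps joins between tables intact.
    """

    def __init__(self, key: bytes) -> None:
        self._key = key

    def _digest(self, field: str, value: str) -> bytes:
        # Domain-separate by field so a name and an SSN never share a pseudonym.
        msg = f"{field}:{value}".encode("utf-8")
        return hmac.new(self._key, msg, hashlib.sha256).digest()

    def mask_name(self, name: str) -> str:
        d = self._digest("name", name)
        first = FIRST_NAMES[d[0] % len(FIRST_NAMES)]
        last = LAST_NAMES[d[1] % len(LAST_NAMES)]
        return f"{first} {last}"

    def mask_ssn(self, ssn: str) -> str:
        if not SSN_RE.match(ssn):
            raise ValueError(f"not an SSN-shaped value: {ssn!r}")
        n = int.from_bytes(self._digest("ssn", ssn)[:8], "big")
        area = 100 + n % 800             # 100-899, which avoids 000 and 9xx
        if area == 666:                  # 666 is never issued as an area number
            area = 667
        group = 1 + (n >> 16) % 99       # 01-99
        serial = 1 + (n >> 32) % 9999    # 0001-9999
        return f"{area:03d}-{group:02d}-{serial:04d}"


def pseudonymize_customers(rows: list[dict], p: Pseudonymizer) -> list[dict]:
    """Replace the direct identifiers (name, SSN); keep age for analysis."""
    return [
        {"name": p.mask_name(r["name"]), "age": r["age"], "ssn": p.mask_ssn(r["ssn"])}
        for r in rows
    ]


def pseudonymize_policies(rows: list[dict], p: Pseudonymizer) -> list[dict]:
    """Only the foreign key (SSN) is an identifier here; the rest is kept."""
    return [{**r, "ssn": p.mask_ssn(r["ssn"])} for r in rows]


def policies_per_customer(policies: list[dict]) -> Counter:
    return Counter(r["ssn"] for r in policies)


def referential_integrity_holds(customers, policies, p: Pseudonymizer) -> bool:
    """True if, after masking, each customer still links to the same number of
    policies as before, i.e. the masked tables can still be joined for analysis."""
    before = policies_per_customer(policies)
    masked_customers = pseudonymize_customers(customers, p)
    after = policies_per_customer(pseudonymize_policies(policies, p))
    link = {c["ssn"]: m["ssn"] for c, m in zip(customers, masked_customers)}
    return all(after[link[s]] == n for s, n in before.items())


if __name__ == "__main__":
    # The key lives with the controller, never alongside the masked data set.
    p = Pseudonymizer(secrets.token_bytes(32))
    for row in pseudonymize_customers(CUSTOMERS, p):
        print(row)
    print("joins intact:", referential_integrity_holds(CUSTOMERS, POLICIES, p))
```

Masking with a different key produces unrelated pseudonyms, which is why a data set masked for analysts cannot be linked back to the originals by anyone who does not hold the controller's key.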

Want to better understand the impact of the GDPR on your organization and steps security teams need to take to be compliant? Download our eBook: Steps for Securing Data to Comply with the GDPR.

Learn more about data masking solutions from Imperva:

Imperva’s Top 10 Blogs of 2017

I recently took a step back to review all the content we shared in 2017 on the Imperva blog. We covered a broad range of topics including data security, cloud migration, application and API security, AI and machine learning, cybersecurity research, GDPR, insider threats and more. We were busy! Cybersecurity certainly held the world’s attention in 2017.

Several stories rose to the top as either most read by you, particularly relevant to today’s cybersecurity industry or exceptionally newsworthy (and in some cases, all of the above). For an end-of-year reading shortlist, I’ve compiled our top 10 blog posts from 2017.

1. What’s Next for Ransomware: Data Corruption, Exfiltration and Disruption

The WannaCry ransomware attack caught everyone off guard, infecting more than 230,000 computers in 150 countries by encrypting data on networked machines and demanding payments in Bitcoin. We wrote about how to protect against it, but our post on what’s next for ransomware garnered even more attention—it was our most read post of the year.

2. CVE-2017-5638: Remote Code Execution (RCE) Vulnerability in Apache Struts

Apache Struts made headlines all over the place in 2017. The vulnerability we wrote about in March hit it big and just kept on going. You might remember it reared its ugly head later in the year when it was tied to the Equifax breach. (We also wrote about two other Apache Struts vulnerabilities: CVE-2017-9791 and CVE-2017-9805.)

3. Top Insider Threat Concern? Careless Users. [Survey]

We surveyed 310 IT security professionals at Infosecurity Europe in June on their thoughts on insider threats. The big reveal? More than half (59 percent) were concerned not primarily about malicious users, but about the careless ones who unwittingly put their organization’s data at risk.  (We shared more about insider threats in this infographic.)

4. Uncover Sensitive Data with the Classifier Tool

In July we launched Classifier, a free data classification tool that allows organizations to quickly uncover sensitive data in their databases. The response was immediate—over 500 downloads and counting—not surprising given it helps jump start the path to compliance with the GDPR. Our blog post walked through the steps of how to use the tool.

5. Professional Services for GDPR Compliance

Speaking of the GDPR, the new data protection regulation coming out of the EU was on everyone’s radar this year. We wrote a LOT about GDPR, including who is subject to the regulation, what rules require data protection technology, and the penalties for non-compliance. However, our post on the professional services we offer for GDPR compliance drove the most traffic on this topic by far.

6. The Evolution of Cybercrime and What It Means for Data Security

Hackers’ tactics may change, but what they’re after doesn’t—your data. Stealing or obstructing access to enterprise data is the foundation of the cybercrime value chain. We discussed how the changing nature of cybercrime and app and data accessibility create risk, and the essentials of application and data protection in this ever-changing world.

7. Move Securely to the Cloud: WAF Requirements and Deployment Options

Moving to the cloud has become an overwhelmingly popular trend even among those who were at first reluctant to make the move. In this post, we discussed requirements and deployment options for evaluating a WAF for the cloud.  (We also wrote about the benefits of a hybrid WAF deployment and the pros and cons of both cloud and on-prem WAFs.)

8. Clustering and Dimensionality Reduction: Understanding the “Magic” Behind Machine Learning

Everywhere you turned in 2017 you heard about AI and machine learning and the impact they’re having, or will have, on essentially everything. Two of Imperva’s top cybersecurity researchers explained in detail some of the techniques used in machine learning and how they’re applied to identifying improper access to unstructured data. (Those two researchers were also awarded a patent for their machine learning work this year!)

9. Can a License Solve Your Cloud Migration Problem?

Gartner published their 2017 Magic Quadrant for Web Application Firewalls (WAF) in August and Imperva was once again named a WAF leader, making it four consecutive years. We stood out for offering security solutions for today’s changing deployment and infrastructure model. In this post we wrote about our flexible licensing program, which lies at the core of the move to the cloud: helping customers secure apps wherever they need, whenever they need, for one price.

10. The Uber Breach and the Case for Data Masking

Last but not least, we couldn’t ignore the Uber breach. Hard to believe in today’s world that login credentials were shared in a public, unsecured forum, but that’s what happened. The breach did highlight an important issue, that of production data being used in development environments. It’s a bad idea; we explained why in this post. Had data masking been used at Uber, hackers would have been left with worthless data, or as we called it, digital fool’s gold.

Take our FREE GDPR readiness assessment and download your report today.

Companies that collect data on citizens in European Union (EU) countries will need to comply with strict new rules around protecting customer data. The General Data Protection Regulation (GDPR) is expected to set a new standard for consumer rights regarding their data, but companies will be challenged as they put systems and processes in place to comply. Find… Read More


Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were British riders and drivers. As a UK Uber rider, this could mean me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond; the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching all of your IT to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is a ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for an updated OWASP Top Ten IBM DeveloperWorks Guidance from me in December to reflect the updated list.


Don’t fear GDPR – it’s the Key to Creating a Culture of Secure IT

With just a few months to go, reports and surveys frequently indicate that CIOs and business owners are concerned about and unprepared for GDPR. And the race is on, with a Veritas study indicating that more than half of organisations are yet to start work on meeting the minimum requirements set by GDPR.

Many organisations are looking to bring their cyber procedures and capabilities up to scratch ahead of the regulation becoming enforceable in May 2018. But, with an evolving IT threat landscape, new technologies introducing new risk, and a cyber-skills deficit, it’s important that CIOs and IT directors not only focus on this critical deadline but also look beyond it.

The GDPR presents CIOs and IT directors with a once-in-a-professional-lifetime opportunity to transform both their company’s IT procedures and its security capabilities, future-proofing the way it approaches cyber and provides services.

A British Approach to GDPR

While many organisations have been slow to prepare, GDPR will dramatically change the way companies globally deal with EU citizens’ data. The new European legal framework provides rules that affect the full data lifecycle, from collection through processing, storage and usage to destruction.

While not prescriptive in the controls, the regulation requires organisations to implement appropriate measures to protect personal data. And failing to take the right measures could result in a heavy fine for unlawful processing, data breaches, or not reporting data breaches.

The UK government has vocally backed GDPR, and hopes to use it to improve cyber risk management in the wider economy. In the Cyber Security Regulation and Incentives Review, launched in late 2016, the government pointed to how the breach reporting requirements and fines that can be issued under GDPR present a significant call to action for industry.

Once-in-a-Generation Opportunity

From large enterprises to SMEs, many organisations are shifting their traditional business model away from physical assets in favour of a data-driven business model. Cloud, mobility and the advent of Internet of Things are driving this digital transformation, introducing new challenges that organisations must navigate to ensure citizens’ and employees’ data is protected.

While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity. Rather than treating it separately and in isolation, they should recognise that the new regulation has put a price on cybersecurity and secure data management – bringing it to the attention of the C-Suite.

CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organisations’ approaches to cybersecurity, and reposition IT as a function that enables business transformation and growth.

Creating a Culture of Secure IT

With the fear of hefty fines and concepts such as ‘privacy by design’, CIOs and CISOs are likely to find themselves with full-company backing to create a culture of secure IT within the organisation, with a focus on protecting personal data – perhaps for the first time in a while.

This will have a dramatic impact on a number of current security challenges many IT teams are facing, such as the massive growth in Shadow IT. Due to the ease of procurement, the McAfee Labs Report found that almost 40 percent of cloud services are now commissioned without the involvement of IT, and unfortunately, visibility of these Shadow IT services has dropped year on year.

Sixty-five percent of IT professionals think this phenomenon is interfering with their ability to keep the cloud safe and secure. This is not surprising given the amount of sensitive data now being stored in the public cloud and more than half (52 percent) of respondents reporting they have definitively tracked malware from a cloud SaaS application.

For the first time, GDPR gives CIOs and IT leaders the authority to clamp down on shadow IT in their company, with the support of rest of the board who fear the ramifications of GDPR.

Embrace the Change

The innumerable opportunities that digitalisation brings are introducing many new security and data management challenges. To mitigate these new threats, CIOs and CISOs must ensure that future processes are planned securely – especially as we embrace the increase in complexity and the migration to the cloud.

CIOs and IT directors must use the power of GDPR to get and keep board level attention and support in introducing transformational technology and processes that will protect personal data now and in the future.

The post Don’t fear GDPR – it’s the Key to Creating a Culture of Secure IT appeared first on McAfee Blogs.

GDPR: Data-Protection Soul-Searching, Not Just Compliance

The General Data Protection Regulation requires companies to review how they handle data of European Union residents. Thirty-one of its 88 pages are non-binding recitals, statements that help define some of the specific requirements in the articles, and a good number more pages are about the departments and organizations that will enforce the law.  There are specific requirements in the Regulation — reporting breaches, reviewing processing in advance, making sure vendor contracts have particular language. But GDPR makes a larger and more fundamental ask: That each company look carefully and studiously at its environment, evaluate the data it holds, and “implement … measures to ensure a level of security appropriate to the risk.” It’s a sort of data protection soul-searching designed to protect people and their data from harm. And this perspective challenges organizations to embrace the spirit of the law and be accountable for it, not just to tick a box.

“Appropriate” and “adequate” – tough words in a security context – are found repeatedly in the GDPR.  The regulation suggests that “(i)n assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.” That sounds like a basic risk assessment.  At McAfee we are aligning our processes, products and services to be compliant with GDPR and looking at ways of going beyond basic compliance to allow for maximum protection of our customers’ data.

But what should you consider in this high-stakes risk assessment, and how do you get to where you can say you have appropriate security? Remember: This isn’t legal advice – each company has to decide for itself what it needs to do to comply with GDPR. Consider these steps as ways to get started on the journey:

  1. Scope. Know what you have.  We can’t protect what we don’t know we have.  This is a good time for companies to figure out how and where they hold personal data – and not just of EU residents, and not just for its EU affiliates.
  2. Protect.  Know how you are protecting those assets.  Are you doing the basics?  Could you do more?  Are your peers doing more? Are you following your data classification policy in automated ways or just expecting employees to know it? Do you delete unnecessary data?
  3. Monitor and detect.  Do you have technologies in place (such as encryption, data-loss prevention or anti-virus software) to protect those assets from malicious actors, loss, unwanted leaks?  And do you know what to do if something goes wrong?
  4. Review.  Do you have a process to make sure that all new applications or cloud services are reviewed and that you know how you are using them?  Are you implementing data protection by design by thinking of privacy and security at the very beginning of any project?
  5. Then repeat.  The regulation requires “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

Some of the specifics of what the regulation requires will take years to truly understand as regulators and courts issue rulings on what comes in front of them, and companies will have different paths to compliance with GDPR.  But at the core of the regulation is knowing what you do with the personal data of your employees and customers, and making sure you have stopped to consider the risks inherent to personal data in your business. Thinking of GDPR as an opportunity to review the robustness of your data protection program and to make reforms that are good security, good business, and the right thing to do turns GDPR from a many-headed monster into healthy data-centric reform. After all, the GDPR tells us that “(t)he processing of personal data should be designed to serve mankind.”

For more information on the upcoming GDPR, join us at our live webcast on November 15th.

The post GDPR: Data-Protection Soul-Searching, Not Just Compliance appeared first on McAfee Blogs.

Cyber Security Roundup for June 2017

Another large scale ransomware cyber attack caused chaos and dominated the media headlines around the world this month. The Petya ransomware, a copycat of WannaCry, caused major operational impact to organisations neglecting to apply Microsoft Windows critical security updates. There were reports of the malware significantly impacting British marketing firm WPP, a Jewson hardware store, Ukrainian national infrastructure associated firms, and even halting production at a Cadbury chocolate factory in Australia.

Aside from the Petya ransomware outbreak, it was another busy month of significant cyber security attacks and data compromises across the UK. The UK Parliament's email system was hacked, with around 90 email accounts compromised due to the use of weak passwords by parliament staff. It is not certain how many of the 90 were MPs, but I wouldn't be surprised if there were more than a few using weak passwords. There were further cyber troubles for the UK government after its Digital Service website data.gov.uk was compromised. Virgin Media told 800,000 of its users to change their router passwords after it was discovered that hackers could access Virgin's Super Hub 2 routers. And there were yet more critical security patches released this month, as Microsoft and application vendors fight to stay ahead of cyber criminals' and nation-state actors' software exploits.

Over in the United States, a US health insurer forked out £90 million to cover compensation and legal costs after hackers stole customer records in its care. We could well see these types of large payouts in the UK soon after the General Data Protection Regulation (GDPR) kicks in in May 2018. The GDPR gives the Information Commissioner's Office (ICO) new powers to fine up to 10 million euros or 2% of the previous year's global turnover of the company for any cyber security breaches. Data subjects will also have the right to take companies to court to seek damages. The ICO will get double those penalty rates for privacy rights breaches, ouch! Under the GDPR companies are forced to fess up to all security incidents which compromise or place personal data at risk, both to the ICO and to each data subject impacted, so there will be no hiding place for security breaches in the UK after next May.

Finally, US-CERT and Incapsula released an interesting advisory about 'Hidden Cobra', a North Korean cyber threat group. This nation-state group is seemingly ramping up its capabilities at the moment, is behind the DeltaCharlie campaign and is linked with the WannaCry ransomware outbreak last month; well worth a read.


Simple GDPR Information Security Guidance: Don’t believe the Hype

PDF version of this blog post is available here - ITSE-GDPR-InfoSec-Guide-Jun17.pdf

There are plenty of Cyber Security Sales and Marketing teams jumping on the General Data Protection Regulation (GDPR) bandwagon at the moment, often peddling fear of massive fines and in far too many cases spouting nonsense and unnecessary guesswork about the GDPR's information security requirements.

You do not need to be a lawyer or a fancy pants security consultant to understand the GDPR's information security requirements; they are freely provided by the European Union. It is just a matter of taking the time to actually read and digest each of the GDPR's requirements and then interpreting how your organisation will comply, albeit some requirements result in full blown project plans. I recommend reading the bite-sized formatted and section headed version of the GDPR on www.privacy-regulaton.eu rather than the EU released GDPR paper.

Nothing in this blog post is official legal advice; it is an interpretation and personal opinion on meeting the GDPR's requirements. Further official and detailed GDPR information security guidance is expected to be released.

Brexit
The United Kingdom's exit from the European Union will not occur before GDPR comes into UK law on 25th May 2018. Therefore all UK organisations storing or processing any personal data records will have to comply with the GDPR from May 2018. It is highly likely GDPR compliance will continue to be a UK personal data legal requirement post Brexit. The GDPR applies to any non-EU country processing EU citizens' personal data, and it is unlikely that the UK will adopt a tiered data protection legal requirements system, where UK nationals have fewer privacy rights than EU nationals.

Only 3 of the 99 GDPR Requirements are directly Information (Data) Security Related
That's right, there are just three information (data) security requirements in the GDPR, Articles 33, 34, and 35; the other 96 Articles relate to data subject rights, data controller responsibilities, sending personal data outside the EU and general administration. There is a hidden information security requirement in GDPR Recital 63, but aside from that, there is not a lot for information security professionals to worry about unless you have been tasked to prepare an organisation to meet all the GDPR's requirements, in which case you need to be data privacy qualified.

Information Security Vs Data Privacy
Some companies like to lump data privacy within information security management, but to properly understand and manage modern data privacy rights in medium to large organisations, it requires individual(s) with the appropriate qualifications and background in privacy law. Data privacy is a completely separate discipline; applying the intricacies of privacy rights within business processes can be completely alien to the average information security professional. We still live in an age where the information security function is incorrectly placed as a subset of IT in some organisations, but nevertheless, even though privacy and security are linked, they should be regarded as separate business functions and as separate professions, a notion included as a requirement in the GDPR under Article 37.

Article 37 “Designation of a Data Protection Officer”
"the data protection officer shall be designated on the basis of professional qualities and, in particular, expert knowledge of data protection law and practices and the ability to fulfil the tasks referred to in Article 39."  
Article 37 and Article 38 require the designation of a Data Protection Officer (DPO).

Article 39 “Tasks of a Data Protection Officer” outlines a number of privacy officer duties, including monitoring compliance with the GDPR.

GDPR's Information Security Requirements (Recitals & Articles)
GDPR has 173 Recitals and 99 Articles. Recitals set out the reasons for the regulation and what it is trying to achieve, while Articles are the regulatory requirements, the GDPR rules.

Article 32 Apply an Appropriate level of Information Security (Risk Assess)
This is best practice information security management, nothing specific or new here; it should all already be being done. Take a risk-assessed approach, information security 101: confidentiality, integrity and availability of all personal data within the organisation. Don't forget availability, as unlike PCI DSS, the GDPR regards the availability of personal data as a security requirement. Article 32 requires information security to be of an industry best practice standard, appropriate to the size and nature of the organisation. This means information security does not need to achieve a 'state of the art' level, but a level that is generally considered adequate for the nature and type of organisation. So if your organisation already has a strong security posture, to the standard of ISO27001:2013, you are in an excellent position to meet the GDPR information security requirements.

Article 33 Notification of Breaches to the ICO
The ability to report data breaches to the ICO within 72 hours. So, as part of incident management and response policy and planning, include a process to inform the company's designated Data Protection Officer (DPO) about any detected personal data breaches, allowing the DPO to be informed and to report any data breaches to the ICO.

Article 34 Notification of Breach to Data Subjects
As per article 33, ensure company DPO notification is included as part of your incident management/response process, to allow your DPO to inform data subjects should their personal data be at risk due to a security incident.

Article 35 Data Protection Impact Assessment
“7. The assessment shall contain at least: (7d) the measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data and to demonstrate compliance with this Regulation taking into account the rights and legitimate interests of data subjects and other persons concerned.”
Article 35's 11 requirements are a Data Privacy Officer responsibility in my view, so it is not included as one of the 3. However, to meet Article 35(7)(d), it cites a repeat of Article 32: a risk-assessed approach to applying information security controls appropriate to protecting personal data.

Documentation and assessment evidence are required to demonstrate compliance; again, such documentation and security assessments should already be in place if your organisation operates a best practice level of information security management.

Article 30 – Records of Processing Activities
“1. Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility. That record shall contain all of the following information. g) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

“2. Each processor and, where applicable, the processor's representative shall maintain a record of all categories of processing activities carried out on behalf of a controller, containing d) where possible, a general description of the technical and organisational security measures referred to in Article 32(1).”

Another Data Privacy Officer set of requirements, but Article 30 references the information security “Article 32”. In other words, make sure the records of processing activities are in scope of the information security policy/programme, and that the security controls are documented, which they already should be.

Data Subject Access Rights Portal
Recital 63 refers to organisations providing a Data Subject Access Rights Portal.
"Where possible, the controller should be able to provide remote access to a secure system which would provide the data subject with direct access to his or her personal data."
Providing a portal is “possible” for most organisations; for many organisations it could mean adding additional functionality to existing staff and customer facing websites/portals.
Bear in mind that even though Recital 63 reads like a GDPR requirement, it is the Articles that are the legal requirement to meet, not the Recitals. Then there is Article 12, which states:
"Where the data subject makes the request by electronic form means, the information shall be provided by electronic means".

The provision or expansion of an internet-connected portal to handle GDPR's data privacy rights could fulfil this requirement. Obviously, the privacy portal needs to be secure. As such it will be an information security responsibility and GDPR requirement to secure it.

GDPR Privacy Data Subject Rights (via an Internet Portal)
The GDPR requires the following data subject privacy rights to be fulfilled within one month and without any charge, so given Recital 63 and Article 12 the best way to achieve this, especially where there are thousands of personal data records in the care of the organisation, is an internet-facing portal that provides each data subject with the ability to exercise their new GDPR privacy rights.
  • Article 13 - explain how personal data is processed
  • Article 15 - provide a copy of personal data (Data Subject Access Request)
  • Article 16 - correct any incorrect personal data
  • Article 17 - personal data erasure
  • Article 18 - restrict the processing of personal data
  • Article 20 - personal data portability, provide personal data to another data controller
  • Article 21 - object at any time to the processing of personal data
  • Article 22 - not be subject to automated data processing and profiling
Not complying with the above articles means a data subject can go after compensation by engaging a solicitor and complaining to a court (Article 79 & Article 80), or through a complaint to the ICO (Article 77), which has the infamous up to 20M euro or 4% of global turnover fine potential.

It should go without saying that the security of any internet-facing portal hosting personal data en masse needs to be highly robust and security tested via penetration testing at least annually and after any significant change.

The Information Security Breach GDPR Fines Truth
A breach of information security means a fine of up to 10 million euros (not 20 million euros) or up to 2% of global turnover (not 4%).
Article 83 states "be subject to administrative fines up to 10,000,000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: - (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43". Articles 32, 33 and 34 are the information security requirements; the higher level penalty rates are for privacy breaches.

The GDPR Right to Data Protection (not that clear-cut as you might think) 
Recital 1 is titled "Data Protection as a fundamental right",
but Recital 4 states "The right to the protection of data is not an absolute right" and goes on to state "it must be considered in relation to its function in society and be balanced against other fundamental rights, in accordance with the principle of proportionality".

So the GDPR is rights-based and respects all other EU 'rights', which must include the right of 'the freedom to conduct business' as stipulated in various EU Charters and Treaties; remember the EU is founded upon a free trading bloc of countries, not as a nation state. I am not a lawyer so I am not making a conclusion, but pointing out what might be an area of interest to lawyers fighting GDPR enforcement penalties.

Cyber Security Roundup for May 2017

The WannaCry ransomware outbreak within the NHS dominated the national media headlines earlier this month. Impacting 45 NHS sites in England and Scotland, the massive cyber attack led to cancelled operations and diversions of emergency medical services. The WannaCry outbreak was not just limited to the NHS, as thousands of computers were shut down at companies in almost 100 countries. After an initial infection via a phishing email and file encryption, the ransomware has the added ability to rapidly self-replicate, infecting other networked Windows computers without Microsoft's March 2017 critical update (MS17-010) installed, which drove the swift spread of the malware within large organisations and across the world.

Debenhams had 26,000 customers' personal details stolen through its flowers service website, which was operated on Debenhams' behalf by a third party company. The data breach has been reported to the ICO.

With a year to go until the General Data Protection Regulation (GDPR) goes into law, there were several news reports stating UK businesses need to do more to prepare and highlighting the new data breach fines, which could run into billions for FTSE 100 companies.

If you live in Manchester, your computer is 4 times more likely to be infected with malware than elsewhere in the world, according to statistics by Enigma Software Group.

Over in the United States, Brooks Brothers disclosed a major payment card breach, after an individual installed malicious software which captured credit card information within payment systems at locations across the USA and Puerto Rico for 11 months; a reminder of the importance of PCI DSS compliance where businesses store, process and/or transmit credit/debit card data (cardholder data).

Hackers stole a copy of Disney's forthcoming Pirates of the Caribbean film and tried to hold Disney to ransom; Disney didn't pay.

Interesting blog post by MacKeeper Security, on how cyber criminals are linking various stolen credential datasets to leverage access to systems.

And finally, it was another busy month of security update releases by Microsoft and Adobe; the WannaCry impact on the NHS is a stark warning to ensure all newly issued critical security updates are quickly applied.
