Category Archives: GDPR

A week in security (May 14 – May 20)

Last week, we looked at the deluge of incoming policies caused by GDPR, tackled Adobe Reader zero days, and ran through some iPhone security tips. We also caught some helpline scammers in the act, explored advergaming, got our Senate Bill game face on, and deep dived into Drupal vulnerabilities.

Stay safe, everyone!

The post A week in security (May 14 – May 20) appeared first on Malwarebytes Labs.

Are you ready for the GDPR deadline?

The General Data Protection Regulation (GDPR) compliance deadline looms four days away, but only 29 percent of companies will be ready, according to a new global survey by ISACA. Not only are most unprepared for the deadline, but only around half of the companies surveyed (52 percent) expect to be compliant by end-of-year 2018, and 31 percent do not know when they will be fully compliant. Top GDPR challenges According to the research, the top … More

The post Are you ready for the GDPR deadline? appeared first on Help Net Security.

Kaspersky Lab official blog: GDPR is coming

In less than a week, the European Union’s General Data Protection Regulation (GDPR) will come into effect. Therefore, businesses operating in Europe — or simply collecting or processing the personal data of people in the EU — need to comply with this regulation starting May 25.

There is no universal advice on what you should do to comply — it depends on your business and your processes. However, it is clear that from now on, data protection will have to be a major priority as cybersecurity’s significance grows. We have prepared a small infographic as a reminder of what GDPR is and what businesses can do to boost personal data security.

Our next-generation technologies and solutions can help your organization achieve its cybersecurity goals as part of its overall GDPR-compliance strategy.



Kaspersky Lab official blog

Facebook, GDPR and the Right to Privacy: Three’s a Crowd?

Back in 2016 the European Union voted to pass the mother of all data protection laws, aimed at further extending the rights of its citizens to control how their data is used. The General Data Protection Regulation (GDPR) guards users against having their information processed or shared without a lawful basis, most visibly their explicit consent, and gives them the right to withdraw that consent at any point.

Read: Does the GDPR Apply to You?

GDPR violations can see companies fined up to €20 million or 4% of their annual global turnover, whichever is higher, and even US-based companies are sweating bullets as they scramble for compliance; well, some of them anyway.

Hot off the congress roast, Mark Zuckerberg is of the mind that the world’s largest procrastination tool shouldn’t be extending the iron-curtain-level privacy rules the EU is pushing out on May 25 to its users outside the EU.  This, despite 50 million Facebook users’ profiles falling victim to the Cambridge Analytica data breach not so long ago.

Instead, Zuckerberg told Reuters that the largest social media platform in the world is committed ‘in spirit’ to extending GDPR-like privacy standards to the rest of its 2.2 billion-odd users worldwide.

The Cambridge Analytica mess has placed Facebook firmly in the gaze of EU lawmakers, and that’s a sticky place to be when information is your business, even if you claim that you’re just a social media tool. A report by the Guardian and the Danish Broadcasting Corporation earlier this week claimed that Facebook enabled advertisers to target users based on ‘interests related to political beliefs, sexuality and religion’; even without the GDPR, this is classified as sensitive information under EU data laws.

According to TechCrunch, the social media giant can expect a swathe of legal challenges based on its current attitudes around privacy.

Following the last data breach, Facebook added extra layers of privacy protection across the board, leading Zuckerberg to believe that there are enough checks and balances to keep users safe without applying GDPR measures outside of the EU.

For the rest of us, however, the GDPR deadline isn’t just a suggestion. Thankfully, we’ve been doing our homework for some time now, so if you’re not quite ready or not sure if you are we’re here to get you across the finish line.

Read more: 72 Hours: Understanding the GDPR Data Breach Reporting Timeline

Five Final Checks To Ensure GDPR Compliance

It is just one week until the EU General Data Protection Regulation (GDPR) compliance deadline of 25 May. The build-up to this date has already seen vendors offering

The post Five Final Checks To Ensure GDPR Compliance appeared first on The Cyber Security Place.

Most firms struggle to comply with GDPR deadline

With GDPR coming into effect in just over a week from today, 85 percent of firms in Europe and the United States will not be ready on time. Additionally, one in four will not be fully compliant by the end of this year. Capgemini’s Digital Transformation Institute surveyed 1,000 executives and 6,000 consumers across eight markets to explore attitudes to, readiness for, and the opportunities of GDPR. A race against the GDPR clock With the … More

The post Most firms struggle to comply with GDPR deadline appeared first on Help Net Security.

Most businesses believe stronger data protection policies will lead to fewer breaches

In light of new data privacy legislations, a new Webroot report looks at how businesses in the U.S., U.K., and Australia are adjusting to new data security measures in order to meet compliance requirements. Specifically, the report measures organisations’ readiness to comply with the General Data Protection Regulation (GDPR), and Australia’s Notifiable Data Breaches (NDB). The results reveal that 95 percent of IT decision makers (ITDMs) surveyed agree that there will be fewer data breaches … More

The post Most businesses believe stronger data protection policies will lead to fewer breaches appeared first on Help Net Security.

GDPR will help businesses boost security

The upcoming regulation presents an opportunity for businesses to improve data privacy and security. Over half (60%) of organisations are embracing the General Data Protection Regulation (GDPR) as an opportunity to improve

The post GDPR will help businesses boost security appeared first on The Cyber Security Place.

72 Hours: Understanding the GDPR Data Breach Reporting Timeline

We’re down to the wire with respect to the General Data Protection Regulation (GDPR) compliance deadline of May 25, 2018.

Organizations that fail to comply could face fines of up to €20M (roughly $22M) or 4 percent of their annual global turnover from the prior year, whichever is higher, and we’ll soon see just how EU regulators will enforce the GDPR.

One of the more notable provisions of the GDPR is Article 33, the mandatory 72-hour breach reporting requirement. Article 33 dictates that, in the event of a personal data breach, data controllers notify the appropriate supervisory authority “without undue delay and, where feasible, not later than 72 hours after having become aware of it.” We recently launched a new infographic that summarizes the various requirements and response mechanisms related to this rule, and here we break down what the rule requires and how to prepare for it effectively.

72 Hour Countdown

Simply put: Under GDPR requirements, organizations have just 72 hours from becoming aware of a breach to gather the related information and report it to the relevant regulator. This is a significant undertaking for any organization and requires a containment and notification plan to be in place before the incident, not improvised during it. The infographic that accompanied this post laid the sequence out as a simple timeline.

The steps are pretty clear: Carry out an investigation, quickly inform regulators and individuals of a breach, and be specific with respect to what data was impacted and how the issue will be addressed moving forward… all within 72 hours. It’s worth noting that if — for whatever reason — a notification is not made within the 72-hour window, the GDPR requires that the controller provide reasons for the delay; potentially adding further disruption to regular business operations and exacerbating the administrative hassle.

GDPR Article 33 also specifies what type of information the notification must include; the minimum items the data protection authority will expect to see are listed under “Provide the Forensic Report” below.

Clearly, the information expectations are high, and the timeline is quite short- thereby posing a significant challenge to the organization as it scrambles to meet the requirements while trying to simultaneously address the issues associated with the breach and maintain ongoing operations.

Further, for security teams, in particular, the challenge of identifying data breaches becomes even more pressing, given that many data breaches are not discovered for weeks, months and sometimes years. Even then, once breaches are discovered, understanding the impact and reporting in accordance with the Article parameters – i.e., who’s been affected, what data was breached, how it happened, and how to remediate the situation – within 72 hours may be a daunting task.

So, what can organizations do to navigate the GDPR’s data breach notification requirements and minimize their impact? Put differently, how can they reduce the risk and fallout associated with a data breach and the subsequent 72-hour reporting notification requirements:

Identify Suspicious Data Access

To ultimately detect and report on a data breach you need to be able to answer the question of whether or not your data has actually been accessed, and if the access is truly suspicious in nature. Therefore, it is important to have a handle on the appropriate approvals, intent, and actions of every user within your organization to ensure internal and approved/intentional users, and unintentional insider threat risks are accounted for. You need to fully understand what users are doing with enterprise data, so you don’t miss the vital context associated with a breach incident.

Detecting suspicious data access can be challenging, as organizations have to give employees access to data to perform their job. The key lies in implementing appropriate policy, process, training, and technologies to help determine what authorized, day-to-day data access looks like, and detect anything that might be abusive.

Prioritize and Categorize True Incidents

Today’s security teams are typically inundated with information and alerts related to activity and incidents associated with data access and use within an organization. With privacy requirements and industry regulations such as GDPR tightening the reins and requiring transparency and detailed reporting on data breaches, the ability to effectively (and efficiently) sift through volumes of daily alerts to determine which qualify as a ‘true’ incident becomes critical. Furthermore, in many cases, security professionals do not have the context needed to identify and prioritize critical incidents, as they’re not database experts and don’t have deep knowledge of what is and isn’t normal for a given user or application.

This is where database monitoring technology, machine learning, data access processes and analytics come into play. Understanding access requirements and processes and leveraging purpose-built technologies to enable the implementation and monitoring thereof help to easily distill billions of data access events into a small number of ‘real’, actionable, high-value events. They improve the fidelity of alerts and allow you to focus on incidents that matter, reducing the time it takes to investigate potential breaches and increasing the effectiveness of security teams. Trying to accomplish this without the aid of technology comes with an increased cost, resource time, and risk.
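As an added illustration of the two preceding points (knowing what authorized, day-to-day access looks like, and distilling a stream of access events into a short list worth investigating), the Python below builds a per-user baseline from a window of database audit records and scores new records against it. This is example code written for this page, not Imperva’s product logic: the audit-log line format, the list of sensitive tables, the weights and the alert threshold are all assumptions chosen for the example, and the log lines are constructed.

```python
"""Baseline-and-deviation triage of database audit events (added example).

Builds a per-user profile of normal table access from a baseline window,
then scores each new event so that routine activity scores zero and only
deviations (new table, bulk read, off-hours, unknown user) surface, ranked.
Log format, table names, weights and threshold are assumptions.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime

# Assumed audit-log format, e.g.
# 2018-05-14T09:05:11Z user=alice db=crm table=customers op=SELECT rows=120
LINE_RE = re.compile(
    r"(?P<ts>\S+) user=(?P<user>\S+) db=(?P<db>\S+) table=(?P<table>\S+) "
    r"op=(?P<op>\S+) rows=(?P<rows>\d+)$"
)

SENSITIVE_TABLES = {"customers", "payment_cards", "health_records"}  # assumption
BULK_FACTOR = 10        # rows > 10x the user's baseline max for that table
ALERT_THRESHOLD = 4     # minimum weight to become an analyst-facing finding


@dataclass
class Event:
    ts: datetime
    user: str
    db: str
    table: str
    op: str
    rows: int


@dataclass
class Profile:
    """What 'normal' looks like for one user, learned from the baseline window."""
    tables: set = field(default_factory=set)
    max_rows: dict = field(default_factory=lambda: defaultdict(int))
    hours: set = field(default_factory=set)


def parse(line: str) -> Event | None:
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(ts=datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
                 user=m["user"], db=m["db"], table=m["table"],
                 op=m["op"], rows=int(m["rows"]))


def build_profiles(events) -> dict:
    profiles: dict = defaultdict(Profile)
    for e in events:
        p = profiles[e.user]
        p.tables.add(e.table)
        p.max_rows[e.table] = max(p.max_rows[e.table], e.rows)
        p.hours.add(e.ts.hour)
    return profiles


def score(e: Event, p: Profile | None) -> tuple[int, list[str]]:
    """Return (weight, reasons). Weight 0 means the event matches the baseline."""
    weight, reasons = 0, []
    if p is None:
        weight += 3
        reasons.append(f"no baseline for user {e.user}")
    else:
        if e.table not in p.tables:
            weight += 3
            reasons.append(f"first access to {e.table} by {e.user}")
        elif e.rows > BULK_FACTOR * p.max_rows[e.table]:
            weight += 4
            reasons.append(f"{e.rows} rows vs baseline max {p.max_rows[e.table]}")
        if e.ts.hour not in p.hours:
            weight += 1
            reasons.append(f"activity at {e.ts.hour:02d}:00 outside baseline hours")
    # Deviations on tables holding personal data matter more under Article 33.
    if reasons and e.table in SENSITIVE_TABLES:
        weight += 2
        reasons.append(f"{e.table} holds personal data")
    return weight, reasons


def triage(baseline_lines, new_lines, threshold: int = ALERT_THRESHOLD) -> list:
    """Return [(weight, event, reasons)] for events at or above threshold, ranked."""
    profiles = build_profiles(filter(None, map(parse, baseline_lines)))
    findings = []
    for e in filter(None, map(parse, new_lines)):
        w, reasons = score(e, profiles.get(e.user))  # .get: no profile for unknown users
        if w >= threshold:
            findings.append((w, e, reasons))
    findings.sort(key=lambda f: (-f[0], f[1].ts))
    return findings


# Constructed sample data: one normal week, then a day of new activity.
BASELINE_LOG = """
2018-05-14T09:05:11Z user=alice db=crm table=customers op=SELECT rows=120
2018-05-14T10:40:02Z user=alice db=crm table=customers op=SELECT rows=200
2018-05-15T16:15:45Z user=alice db=crm table=orders op=SELECT rows=30
2018-05-14T09:30:00Z user=bob db=crm table=orders op=SELECT rows=45
2018-05-15T11:02:19Z user=bob db=crm table=orders op=UPDATE rows=1
2018-05-16T14:20:08Z user=bob db=crm table=orders op=SELECT rows=50
2018-05-15T02:00:01Z user=svc_report db=crm table=orders op=SELECT rows=5000
2018-05-16T02:00:03Z user=svc_report db=crm table=customers op=SELECT rows=4000
""".strip().splitlines()

NEW_LOG = """
2018-05-21T10:12:33Z user=alice db=crm table=customers op=SELECT rows=150
2018-05-21T11:47:10Z user=bob db=crm table=orders op=SELECT rows=40
2018-05-21T02:00:02Z user=svc_report db=crm table=orders op=SELECT rows=4800
2018-05-21T14:03:55Z user=bob db=crm table=customers op=SELECT rows=30000
2018-05-22T03:14:07Z user=alice db=crm table=customers op=SELECT rows=250000
2018-05-22T23:58:40Z user=mallory db=crm table=payment_cards op=SELECT rows=9000
""".strip().splitlines()

if __name__ == "__main__":
    for w, e, reasons in triage(BASELINE_LOG, NEW_LOG):
        print(f"[{w}] {e.ts:%Y-%m-%d %H:%M} {e.user} {e.op} {e.db}.{e.table}: " + "; ".join(reasons))
```

Of the six new events, the three routine ones score zero and drop out; the 250,000-row off-hours read of `customers` by alice ranks first, ahead of bob’s first-ever read of `customers` and an unknown account reading `payment_cards`. The point is not the particular weights but that the baseline is learned per user and per table, so the same row count is normal for a reporting service and alarming for a sales rep, and that the reasons are carried with each finding, which is exactly the “who, what, when and how many” the Article 33 notification needs.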

Monitor & Log Access and Activity

Monitoring is a key piece of the puzzle in terms of adhering to the 72-hour rule; that is, the monitoring and detecting of incidents, and the effective and efficient reporting of those that are material and true under the requirements of GDPR. In order to determine whether data access and activity is good or bad, companies need to continuously monitor data access and capture/record/log those events — which will also serve organizations well with respect to their reporting and proof of best efforts in the event of a data breach and GDPR compliance violations.

The question is: how can you determine if something is good or bad if you don’t even know about it? The key is database monitoring as it provides a critical foundation that gives you the necessary visibility and confidence that your data is secure, and your compliance is in check. It’s not a simple exercise, however, as you need to monitor all users, including applications that access data and privileged users, and all databases… ALL THE TIME.

Sure, this can be a daunting task, but one that can be augmented greatly with effective data security tools like database monitoring and activity reporting technologies. The ability to accurately monitor, detect, and prioritize access and activity is the key to accelerate breach detection without causing business disruption. In the meantime, the solution can automatically collect all the breach details and allow you to provide a detailed report internally and to the regulator under the provisions of the 72-hour requirement.

Provide the Forensic Report

Additionally, GDPR requires that data controllers document not only the facts relating to the breach but also its effects and all related impact information and remedial action taken; and then report all of this activity in writing. As previously outlined, Article 33 requires the reporting of specific information related to the breach, including (among other things):

  1. The nature of the breach
  2. The likely impact and consequences of the breach
  3. The measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects

The information needed to support this requirement comes in the form of a forensic report, produced either internally or by third-party expert support. The forensic report is what the investigators provide; it helps the organization understand how the attack happened, what vulnerabilities were exploited, what data was compromised, and so on. By continuously and effectively monitoring and logging all data access, organizations can establish what was compromised, by whom, and how much more quickly; thereby shortening investigation time and making the 72-hour requirement achievable.

Technologies to Support Compliance

Supporting GDPR compliance overall, and the requirements under Article 33 in particular, requires a variety of process and procedure enhancements, along with a robust, multi-layered data security strategy, one that leverages proven, GDPR-supportive technologies.

Imperva offers a host of data security solutions that can help with these challenges and support your efforts in better monitoring your data and suspicious activities, helping shorten both identification and investigation times. This is now made even easier with our out of the box GDPR monitoring compliance capabilities and a robust reporting set that provides details on who accessed what data and when. Effectively implementing these tools will get you on the right track as you prepare for the 72-hour GDPR breach notification requirements.

Contact us to learn more about Imperva’s GDPR compliance capabilities and explore our data security solutions in detail.

GDPR causes a flood of new policies

The European Union claims that the General Data Protection Regulation (GDPR), which comes to term on May 25, is the most important change in data privacy regulation in 20 years. Many companies have spent months preparing for the changes, working on policy and compliance, and introducing changes to their products in order to meet new standards.

We have received quite a few alerts and emails about those policy changes from a wide variety of companies. Combing through the alerts allowed us to see some interesting methods to solve—or evade—the problems that come with making businesses compliant. Let’s take a look at how different companies are coping with GDPR changes, and what you’ll need to pay attention to in those emails.

Total evasion

For some companies whose business interests are too slim in Europe, giving up seemed like the best option. File this alert from Unroll.Me, an app to unsubscribe from unwanted mailing lists, under “why bother.”

Unroll.Me says goodbye

because our service was not designed to comply with all GDPR requirements, Unroll.Me will not be available to EU residents…. And we must delete any EU user accounts by May 24.

Obviously, there is a reason for such drastic measures, and I would call it a good guess if someone were to suggest that this might be related to Unroll.Me having been found selling email data to Uber.

Unroll.me may not be the only company walking away from its European customers in the face of GDPR. Some services have popped up seeming to help companies stay compliant by blocking EU visitors to websites. The GDPR shield shown below was promoted for a period as a possible solution, but the site seems to be down now. Or I could not reach it because I’m in the EU, and the block works too well.

 

GDPR shield

Keep EU visitors off your site by using a GDPR Shield

Chain responsibility for advertisers

Some sites and platforms have advertising partners with whom they share user data. GDPR states that So, you would hope that they take special care in selecting partners who will handle that shared data. Instagram and other Facebook companies have decided on a different approach, shifting that portion of the responsibilities to their advertisers:

Facebook for businesses

Businesses who advertise with Instagram and the Facebook companies can continue to use our platforms and solutions in the same way they do today. Each company is responsible for ensuring their own compliance with the GDPR, just as they are responsible for compliance with the laws that apply to them today.

Helping B2B customers

Google Cloud, on the other hand, offers to help their customers.

Google Cloud

You can count on the fact that Google is committed to GDPR compliance across Google Cloud services. We are also committed to helping our customers with their GDPR compliance journey…

What deserves your attention

Under the GDPR rules, companies need explicit and informed consent from their customers to collect and use their data, so you can expect, and have probably already seen, a lot of policy changes (Terms of Service). As much as you might be tempted to automatically delete the influx of emails from online providers, it’s important to pay attention to those new privacy policies—especially if it appears that the company may be cutting corners in meeting GDPR standards.

When sifting through these emails, I’ve come across some that I would not count as informed consent. A banner that looks and behaves like a cookie warning does not qualify, and neither does providing a less-than comprehensive picture by spreading out information across several different web pages. I’m hoping that these platforms will provide more detailed and specific information before the magic GDPR drop date arrives.

LinkedIn

To juxtapose these flimsy attempts at GDPR compliance, Google has done an excellent job informing its users of changes. Its Privacy Policy has been updated to make the content easier to understand in light of the GDPR demand that users be able to make informed decisions. It has updated the language and navigation of the document, and introduced videos and illustrations in order to make things clear.

Some companies that are active worldwide do make a distinction between EU and non-EU customers: the protections are applied automatically to requests from EU-based IP addresses, and offered as an opt-in to users outside of the EU.

Disqus

When a user is in Privacy Mode, we will not collect or process any personal data, as defined by GDPR. In cases where we do not have a lawful basis for processing personal data we will apply Privacy Mode to requests from IP addresses associated with an EU country.

Other, smaller, companies made an effort to send out more personalized notifications letting me know I needed to approve their new policy in order to stay in touch:

Conclusiv

While the ongoing influx might be a nuisance in your inbox, this is a great opportunity to review the privacy policies and maybe say goodbye to some of the companies that have your email address. (Although the professional spammers will probably just keep on going as if nothing has changed.)

 

Where will GDPR lead us?

Looking at the examples we have seen so far, we can divide the big players from the small players and see that some small players from outside the EU are giving up that part of the market—at least for the time being. The big players and European companies are mostly applying the same policies for EU and non-EU customers, although there will always be some exceptions.

Some have predicted there will be two separate Internets as a result of GDPR. I don’t think that will happen. But we will soon get a better idea of how things will play out once the implementation is done and the first shots across the bow have been fired.

In the meantime, it is worth your time to review the changed policies carefully and pay close attention to privacy policies when you sign up for something new.

And in case you were wondering about ours, feel free to review the Malwarebytes Privacy Policy.

The post GDPR causes a flood of new policies appeared first on Malwarebytes Labs.

GDPR compliance: Identifying an organization’s unique profile

After a two-year transition period, the General Data Protection Regulation (GDPR) becomes enforceable beginning 25 May 2018. Presumably, many large companies have been working on a compliance program for months now. As the deadline approaches, many organizations are finding that ensuring compliance is a more complex endeavor than they had initially expected. GDPR replaces the 1995 Data Protection Directive (Directive 95/46/EC), and the new regulation imposes a substantial increase in requirements, reflecting major technological changes … More

The post GDPR compliance: Identifying an organization’s unique profile appeared first on Help Net Security.

Using ISO 27001 to guide your GDPR breach response plan

Among the many changes GDPR will usher in, one of the biggest for many organisations will be mandatory breach reporting. From May 25, all organisations holding personal data about European Union residents must notify the supervisory authority of a breach unless it is “unlikely to result in a risk to the rights and freedoms of natural persons”.

What’s more, organisations must report such breaches within 72 hours of becoming aware of one. Reacting in such a short timeframe calls for a robust response plan. Unfortunately, experience to date suggests such plans tend to be conspicuously absent. The ISO 27001 Information Security Standard can help.

ISO 27001 can enable organisations to map an incident response plan that covers not just IT, but also people and processes. A good plan will cover the following steps:

  • Detect
  • Contain
  • Eradicate
  • Remediate
  • Recover
  • Review
  • Communicate.

Who implements the plan?

Incident response often falls solely – and unfairly – on the shoulders of the IT team. “It can’t just be the IT person’s job. It has to involve the whole business: this is a business risk and a business issue,” said Brian Honan. He added that GDPR applies to physical information, not just data on IT systems. Brian was speaking as part of a panel discussion on GDPR at the ISO 27001 Ireland event last week.

He recommended that a security response team should include representatives from information security, operations, HR, legal, PR, and facilities management. HR should be involved because if it’s an internal breach, the organisation may need to discipline a member of staff. Recovering from a breach often creates a fraught, high-pressure environment. HR can also play a role by helping to coach employees and manage their time. “Breaches don’t just happen between the hours of 9 and 5,” Brian said.

Involving a legal team is also important because organisations will probably need to deal with the appropriate data protection authority. “Speak the right language to the right people. You don’t want to open a can of worms by saying the wrong thing to the regulator,” Brian said.

Sending the right message

Too often, organisations fall back on stock answers like “a sophisticated breach” when there’s little evidence to support the claim. Having PR expertise on the incident response team helps to ensure the organisation’s public statements are consistent, timely and truthful.

Brian also recommended including a representative from facilities management on the team. That’s particularly useful if a breach involved a break-in where CCTV cameras and physical security could prove vital.

“The key thing is, engage early with the business, find out what is important to them. Find out what you need to have in place. Establish relationships. Know who you need to contact in the regulator’s office or the supervisory office, find out what way you will contact them. And other relevant bodies you may need to contact. And think about what external expertise you may need. It’s important that you have those contact details already,” Brian said.

Ensuring transparency

To make sure the response process is repeatable, Brian recommended documenting all policies and procedures. “Transparency is important… It’s very easy to get caught in the heat of the moment in a breach, but then afterwards, can you recall what happened?”

Data breach notification also brings suppliers under its umbrella since many organisations now outsource their data hosting to third parties. “If your data is in a data centre or with a hosting provider, do you have an agreement in place so that they will let you know if they have had a breach? That’s a new thing to worry about. You may have to report a breach because one of your suppliers has had a breach,” Brian said.

Alerting mechanisms are vital because they can provide the information a response team needs to react appropriately to a breach. The 72-hour reporting window means that you don’t need detailed forensic analysis to start with. That can happen at a later stage. Teams should identify tools or software they will need both to detect possible breaches and to manage the response process. Brian suggested using examples like last year’s Equifax breach as the scenario for a desktop exercise to practice breach response. “If your vulnerability scanner didn’t work, how would you act? Use it as a learning mechanism,” he said.

People power

Staff training can also strengthen an organisation’s ability to spot potential breaches as well as responding to them. Brian referred to the Verizon Data Breach Investigations Report which found that many breaches come to light not via tools but through people noticing something strange. “The number one detection tool we have is our staff,” he said.

The last reason for implementing a breach response plan is simply reputation management. “It’s not that you’ve had a security breach that will damage your brand, it’s how well you respond,” Brian concluded.

The post Using ISO 27001 to guide your GDPR breach response plan appeared first on BH Consulting.

This Week in Security News: Exposure and Susceptibility

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, a new report revealed that the Equifax breach had a larger impact than previously thought. In addition, The Senate Intelligence Committee released an interim report declaring that the Department of Homeland Security had an “inadequate” response to the Russian hack of the 2016 election.

Read on to learn more.

The Role of Sales & Channel in GDPR Compliance

Sales people and channel partners are integral parts of our business, and we have considered them key parts of our journey to GDPR compliance.

Equifax Breach Exposed Millions of Driver’s Licenses, Phone Numbers, Emails

A new investigation revealed that millions of driver’s license numbers, phone numbers and email addresses in connection with names, dates of birth and Social Security numbers were exposed.

Get Ready for the GDPR: Fix Susceptible Email Systems

Email is a particularly weak link for companies because of its role as a communication tool, and the fact that it is still the number one threat vector for cybercriminal exploits.

Senate Intelligence Committee Releases Interim Report on Election Security

The Senate Intelligence Committee determined that the Department of Homeland Security mounted an “inadequate” response to the Russian government-affiliated campaign in 2016.

1.13M Records Exposed by 110 Healthcare Data Breaches in Q1 2018

According to the Protenus Breach Barometer, around 1.13 million patient records were compromised in 110 healthcare data breaches in the first quarter of 2018.

Canada to Impose Own Data Breach Notification Regulations

These regulations enshrine mandatory data breach notification in Canadian law in the form of an amendment to the Personal Information Protection and Electronic Documents Act (PIPEDA) of 2000.

Twitter Fixes Bug, Advises Users to Reset Passwords

After advising users to change their account passwords on May 3, Twitter recently revealed that it fixed the bug that stored passwords unmasked in an internal log and that there’s no indication of a breach.  

Exposed Video Streams: How Hackers Abuse Surveillance Cameras

Hackers are gaining access to cameras and recording videos, selling camera access to other parties, or even using cameras to snoop around shops and scoop credit card information from customers. 

What do you think of Canada’s new data breach notification regulations? Share your thoughts in the comments below or follow me on Twitter to continue the conversation; @JonLClay.

The post This Week in Security News: Exposure and Susceptibility appeared first on .

Survey Finds Most Financial Firms Unprepared for Looming GDPR Deadline

With only a few weeks until the European Union’s General Data Protection Regulation (GDPR) goes into effect, many businesses are finding themselves at risk of missing the deadline and facing hefty fines. According to a recent study conducted by Cordium and AmberGate, more than 50 percent of investment firms globally are unlikely to be ready […]… Read More

The post Survey Finds Most Financial Firms Unprepared for Looming GDPR Deadline appeared first on The State of Security.

Data breach disclosure is still taking too long, report reveals as GDPR looms

The accepted wisdom in the field of cybersecurity is that things are getting worse, and that more businesses are losing control of more data than ever before.

What a bunch of pessimists we are… The truth, however, might be rather different.

Read more in my article on the Bitdefender Business Insights blog.

The Role of Sales & Channel in GDPR Compliance

As a part of our journey to General Data Protection Regulation (GDPR) compliance, we have looked across our business to ensure that all the different departments, employees and products are aligned with our compliance goals and have a solid understanding of the GDPR. Sales people and channel partners are integral parts of our business, and we have considered them key parts of our journey to GDPR compliance.

As a global organization, we receive daily questions from our partners and customers about the GDPR, and we do our best to help them understand what it means for them. We have worked hard to train our sales organization and partners to be able to advise customers on how Trend Micro can be a part of their compliance journey. As a provider of state-of-the-art security, we provide solutions to address multiple security use cases, but the GDPR is more than just technology, so it’s also important that our consulting partners understand how Trend Micro solutions can help them to advise customers on their complete plan for compliance.

One critical point that we make to both our sales and channel organizations is that there is no ‘silver bullet’ for becoming GDPR compliant – organizations should look at the GDPR as a journey. Each journey will be slightly different, and it definitely will not end on May 25th, as security and regulations are continually changing, which means organizations will need to do a regular gap-analysis to stay compliant.

Watch the final video in our GDPR series to hear more from Pierre Siaut, solutions architect, on how we help our sales people and partners achieve GDPR compliance, and what we can expect from these constantly evolving regulations. 

Video Schedule

3/14 – Overview and Finance/Executive Sponsor: Learn what the GDPR is all about, and understand how executive sponsorship will help your organization and employees become prepared.

3/21 – GDPR Program Manager: See who is mapping our Journey to GDPR compliance, and find out what type of person is needed to coordinate all of the functions involved.

3/28 – Legal: The GDPR is fundamentally a legal obligation. Understand how large the role of legal is in scope, both internally and externally, and how it is involved across all aspects of the organization.

4/4 – IT Security: Hear what our IT director has to say about how the GDPR is affecting our organization, from taking a global perspective to the way we manage data privacy, to changing the way we communicate.

4/11 – Sales & Marketing: Our COO, Kevin Simzer, explains how we’re on the same journey to becoming GDPR compliant as our customers are, and what the benefits are in this process.

4/18 – HR: See how the GDPR affects our employees, and what we’ll do to ensure they have a good understanding of the regulation.

4/25 – Marketing Operations: Learn how our Marketing Operations team ensures that our customer data is protected across all external platforms.

5/2 – Products and Services: Hear from Bill McGee, SVP Cloud Security, on how we’re always evolving to deliver state-of-the-art capabilities in our products, and how we help our customers deliver their portion of the shared security responsibility of cloud environments.

5/9 – Sales and Channel Enablement: See how important it is that our existing partners understand GDPR, and how we help them find the tools needed to achieve GDPR compliance.

The post The Role of Sales & Channel in GDPR Compliance appeared first on .

This Week in Security News: Zippy’s and Flynn

Welcome to our weekly roundup, where we share what you need to know about the cybersecurity news and events that happened over the past few days. This week, Hawaii-based restaurant Zippy’s suffered a POS data breach. In addition, Uber executive John Flynn argued that user expectations on data protection are rising, but consumers still aren’t implementing the right precautions for their own data safety.

Read on to learn more.

State-of-the-Art Security: The Role of Technology in the Journey to GDPR Compliance

As we’ve discussed over the last 7 weeks in our video case study series, the GDPR impacts many different areas of our company, including our employees, customers, and partners.

PROTECTING YOUR PRIVACY – Part 1: The Privacy Risks of Social Networks and Online Browsing

Most Americans today spend many of their waking hours online. In fact, we’re up to spending an average of five hours per day just on our mobiles.

What HIPAA and Other Compliance Teaches Us About the Reality of GDPR

The date for General Data Protection Regulation (GDPR) compliance is three months away, yet many organizations, especially those outside Europe, remain unprepared.

PROTECTING YOUR PRIVACY – Part 2: How to Maximize Your Privacy on Social Media and in Your Browser

You can manually configure your Privacy Settings on sites including Facebook, Twitter, LinkedIn, and more. However, no two sites are the same, and some are easier than others to navigate. 

Securing the Connected Industrial World with Trend Micro

At Trend Micro we’ve made it our business over the past 30 years to anticipate where technology is taking the world. That’s why our message has evolved over that time from Peace of Mind Computing to Your Internet Firewall and most recently Securing Your Journey to the Cloud.

FacexWorm Targets Cryptocurrency Trading Platforms, Abuses Facebook Messenger for Propagation

Trend Micro’s Cyber Safety Solutions team identified a malicious Chrome extension we named FacexWorm, which uses a miscellany of techniques to target cryptocurrency trading platforms accessed on an affected browser and propagates via Facebook Messenger.  

How cryptocurrency is shaping today’s threat environment

Cryptocurrency has exploded as a popular way to support digital transactions. Since its creation, users have discovered an array of different ways to leverage cryptocurrency, including within mining strategies and digital wallets. 

Cryptocurrency-Mining Malware Targeting IoT, Being Offered in the Underground

Cryptocurrencies have been generating much buzz of late. While some governments are at work to regulate transactions involving them, there are others that want to stop mining activities related to them altogether.  

Legitimate Application AnyDesk Bundled with New Ransomware Variant

Trend Micro recently discovered a new ransomware (Detected as RANSOM_BLACKHEART.THDBCAH), which drops and executes the legitimate tool known as AnyDesk alongside its malicious payload.  

Zippy’s Restaurants Suffers POS Data Breach

Zippy’s Restaurants’ point-of-sale system was compromised for four months, exposing customer data.

ASEAN Cybersecurity in the Spotlight Under Singapore’s Chairmanship

At ASEAN Summit 2018 in Singapore, the strong focus on cybersecurity reflected regional and international attention to growing cyber threats in Southeast Asia.

Almost Half of UK Businesses Suffered Cyberattack or Security Breach Last Year, Figures Show

The 2018 Cyber Security Breaches Survey found 19 percent of charities and 43 percent of businesses in the UK had reported cyber security breaches or attacks in the last year.

Commentary: States Are Getting Tough on Data Security—but That Might Be a Problem

The Facebook-Cambridge Analytica scandal shines a light on the need for more regulation protecting data; more than 240 bills were introduced in 42 states last year covering a range of security issues.

Uber Security Head Says Users Need to Care More About Data After Breach

At the 2018 Collision Tech Conference, John Flynn relayed that user expectations on data protection are rising, but customers still aren’t taking the right actions to protect their personal information. 

Alexa Can Listen Indefinitely, Potentially Exploited to Transcribe Information to Cybercriminals

Researchers discovered a new internet of things (IoT) design flaw in a popular smart home system: they found that Amazon’s Alexa service can be programmed to eavesdrop on its users and transcribe all the information heard.

Securing the Internet of Things Through Effective Regulation

According to a survey done by Gartner, almost 20 percent of organizations have observed at least one IoT-based attack in the last three years.

As cities get high-tech, hackers become more dangerous

Remember when a major U.S. city’s computer infrastructure was hacked, and held ransom, by a group of cyber criminals?

Do you agree with John Flynn’s speech on user expectations for data protection? Share your thoughts in the comments below or follow me on Twitter to continue the conversation; @JonLClay.

The post This Week in Security News: Zippy’s and Flynn appeared first on .

What HIPAA and Other Compliance Teaches Us About the Reality of GDPR

with contributing author, William J. Malik, CISA | VP, Infrastructure Strategies

The date for General Data Protection Regulation (GDPR) compliance is just weeks away, yet many organizations, especially those outside Europe, remain unprepared. It turns out that the experiences from other privacy compliance regulations are less helpful than assumed, but the best lessons learned may be from non-privacy regulations.

GDPR Lessons from Other Privacy Compliance Aren’t Very Helpful

Because compliance is tied to regulations and laws, it is often regional. In Canada, the Personal Information and Documents Protection Act (PIPEDA) became law in 2000. PIPEDA is mostly about privacy, specifically obtaining consent from people and letting them know why their information is being collected. As with too many privacy laws and regulations, to date there have been no penalties for PIPEDA non-compliance other than reputational ones. Governments are eager to pass compliance regulations but often balk at implementing penalties. This ‘false sense of non-compliance’ will be a surprise to organizations that choose to run afoul of GDPR expecting it to be similar to the privacy regulations of many other jurisdictions: GDPR has penalties in its first iteration. Rather than looking to other privacy regulations, financial compliance is a better example to use for convincing your organization to get serious about GDPR. The penalties in GDPR are real.

GDPR Lessons from PCI-DSS

PCI-DSS is a better comparison to GDPR: regional compliance with global impact, and with penalties. When PCI was first introduced, many organizations assumed it wouldn’t apply to them as they were not a credit card processor. The next phase was compliance-surprise, when organizations discovered credit card holder information was present in new apps or had been added to existing apps that were previously not in scope for PCI. One noteworthy case saw a $13.3M fine levied. The GDPR lesson is that even if you are not subject to compliance on day 1, monitor changes to your business to check whether you later become subject to GDPR.

GDPR Lessons from HIPAA

US companies are generally not ready for GDPR compliance. By examining the history of compliance with HIPAA, we can forecast how GDPR compliance will roll out. HIPAA is focused on privacy, so it has some lessons. Initially, HIPAA enforcement was light. GDPR applies to any organization processing personally identifiable information belonging to EU citizens. In the US, this requirement had been defined under the European Data Privacy Directive. Those basic definitions remain in place. What has changed:

  1. The Safe Harbor has been supplanted by the EU-US Privacy Shield, which requires US companies to self-certify with the Federal Trade Commission (see https://www.privacyshield.gov/Program-Overview for details).
  2. Reporting requirements are much more stringent. An organization has 72 hours after discovery to report a breach.
  3. Organizations must show that they are using best-in-class or state-of-the-art technology to protect personally identifiable information.
  4. Fines are greater. There are two tiers of fines: the first is up to a maximum of 10M Euros or 2 percent of global revenue (whichever is higher), and the second up to 20M Euros or 4 percent of global revenue (whichever is higher).
  5. Organizations must name a Data Protection Officer (DPO), who has a broad remit to investigate and report on data breaches. This individual cannot be dismissed or sanctioned by their organization for doing that job.
  6. Individuals have the right to request their information be corrected or erased, by application to the DPO.

But penalties for HIPAA non-compliance have grown steadily over the past 10 years:


Note that under the terms of the Privacy Shield, individuals and government agencies (specifically the FTC) can bring actions against organizations in US courts. The mechanisms for levying fines are already in place. Organizations that fail to prepare for GDPR will face the financial consequences of non-compliance, that is, Stage 3, in short order. Unlike HIPAA, GDPR is familiar to many multinationals. Organizations have faced penalties under the current Data Protection Directive for over a decade. The learning curve will be much shorter this time. Do not expect a multi-year gap before US-based organizations face substantial financial consequences. We expect to see fines levied within the next 18 to 24 months.

GDPR Lessons from Increasing Compliance Maturity

Not all compliance is created equal. For other privacy regulations it is common that there is no penalty for non-compliance, even for willful breaches, whereas in some geographies privacy breaches can bring significant discomfort. So there is a gradient of maturity that compliance falls into, not by category of compliance (e.g. financial, privacy) but by the specific regulation or standard. This isn’t to argue that every compliance regime needs penalties, formality and significant oversight – but there are noteworthy differences in the ‘seriousness’ or impact of compliance with each system. We foresee that organizations will mature in their compliance following this proposed maturity model:

| Maturity Level | Characteristics | Likely Examples (and fodder for arguments) |
| --- | --- | --- |
| 0 | Minimal utility in compliance; can be used as an excuse for doing less than due-diligence standards | OWASP Top 10 |
| 1 | Guidance and checklists | NIST standards, ISO 27001 |
| 2 | Regulations and formal laws without penalties (“name and shame”) | PIPEDA (current version) |
| 3 | Significant impact of non-compliance, including fines | PCI-DSS, HIPAA, GDPR |
| 4 | Embedded into the business; compliance because it makes life better | FIPS 140-2 |


We will move rapidly through stages 0 and 1 to stage 2. We already have organizations that report on breaches, investigations in progress, and fines for HIPAA. The Privacy Shield site tracks registered organizations, and will provide a platform for reporting on breaches and fines, as well.

The Bottom Line

Although GDPR deadlines are approaching rapidly, this is not wholly unfamiliar territory. Use the practices already in place for your non-privacy compliance. Yes, GDPR is a more mature model of privacy compliance than most North American organizations are used to, but the compliance already in place for other regulations and laws can be a roadmap in getting compliant quickly.

The post What HIPAA and Other Compliance Teaches Us About the Reality of GDPR appeared first on .

Permission slip: what consent means and where it really applies to GDPR

As data protection and privacy professionals, we use terms from data protection legislation daily and they roll off the tongue as if we were born knowing what the words mean. The problem is, GDPR contains words that have both a legal meaning and a different semantic meaning.

Talking with consumers and clients, I realise that we must temper our language carefully. As practitioners, we understand the legal meaning and frequently we don’t account for clients only understanding the semantic meaning.

You say consent, I say ‘consent’

The domain of GDPR where I have felt this disparity most strongly is with the legal instrument referred to in the GDPR as ‘consent’. Beyond GDPR’s ‘consent as legal basis for processing data’, many other forms of consent exist in our society. I recently gave a talk to a group of executives on GDPR and when I discussed ‘consent’ as a legal basis for processing, one individual in the audience noted how horrified he was that Ireland was reducing the age of consent from 16 to 13. Realising his confusion, I quickly reaffirmed that the ‘consent’ I was referring to was as a legal instrument for certain types of processing such as e-marketing – and no other kind.

Recent media coverage of the Ulster Rugby players trial made me realise how clear we must be with clients and others when expressing ourselves about ‘consent’. So, if you aren’t doing so already, I encourage you to explain to your clients not just the differences between consent and the other legal instruments in the GDPR, but the actual meaning of consent under GDPR.

Consent and permission ≠ the same

The second issue I have encountered is that people so frequently do not understand ‘consent’ in GDPR terms, and confuse it in that context with ‘consent’ in its literal sense.

It is an understandable confusion, as consent in its literal sense means ‘permission for something to happen or agreement to do something’. In GDPR, consent can only be provided and revoked from processing that is undertaken using consent as the legal basis for processing. I have found that organisations (and data subjects) often discuss how they will facilitate ‘revoking consent’ from processing of information that is processed under a legal basis other than consent.

Lawful bases for processing data

Elizabeth Denham, the UK Information Commissioner, summarised this issue succinctly when she noted that headlines about consent often lack context or understanding about all the different lawful bases that organisations will have for processing personal information under the GDPR. For processing to be lawful under the GDPR, at least one lawful basis is required.

Consider the following examples: a government body processing property tax information; banks sharing data for fraud protection purposes; or insurance companies processing claims information. All these examples rely on a lawful basis for processing personal information that isn’t ‘consent’. Each legal instrument has its own set of requirements. If the legal basis for processing is, for example, legitimate interest, the GDPR outlines a completely different set of requirements. In such cases, you do not need consent. This also means that the rules for ‘consent’, such as positive affirmative opt-ins and the freedom to change preferences, are only mandatory for consent-based processing.

With less than a month to go until GDPR, some organisations may still be grappling with the issue of ‘consent’ and the related implications for data processing under a misunderstanding of the meaning and where it applies. For our part, privacy professionals can help by being completely clear in how we communicate – while watching for signs that our intended audience understands what we mean. The regulation will be with us for a long time to come after 25 May. It is always worthwhile to ensure privacy policies apply ‘consent’ only where it’s legally necessary to do so.

The post Permission slip: what consent means and where it really applies to GDPR appeared first on BH Consulting.

State-of-the-art Security: The role of technology in the journey to GDPR compliance

As we’ve discussed over the last 7 weeks in our video case study series, the General Data Protection Regulation (GDPR) impacts many different areas of our company, including our employees, customers, and partners.

The GDPR also mandates the use of state-of-the-art security, which, for a leader in security solutions, means that our products are being used to help with compliance—not just inside Trend Micro, but also in our customers’ environments.

As a global organization, we recognize the importance of data privacy, and see the GDPR as an opportunity to improve our approach to protecting customer data. And given a large percentage of our revenue comes from Europe where GDPR originates, it has been very important that we understand how our products can play key roles in any compliance journey.

As a security company, our products become an extension of our customers’ environment, which means that the design and capabilities need to not only address data protection and privacy, but also enable organizations to clearly leverage the product as a part of compliance. For example, for a cloud workload that needs to be protected, there needs to be a clear path to not only protecting it, but also to be notified if something is happening to it, and have reporting available to use as a part of the compliance process. This applies across all environments, which is why we have focused a lot of time and energy in the development of our state-of-the-art security products, leveraging what we refer to as our XGen™ security strategy.

XGen™ security embodies the spirit of GDPR, as it delivers a cross-generational blend of threat defense techniques to protect customer data. Just as the definition of state-of-the-art will change, so too will the requirements for security and we will respond. Recognizing the need for automation and efficiency, our solutions have also been optimized for key environments like AWS, Microsoft, VMware, and others, helping to make the process of data protection and compliance easier. And as a security leader focused on staying ahead of threats, our product strategy focuses on connecting our products together, so if a breach does happen and the 72 hour rule needs to be adhered to, investigation and response can happen quickly.

Strategically, regulations like the GDPR are also driving product innovation. For example, with applications being the center of data processing and storage in so many situations, security is evolving to be closer to the data. We believe that as a part of a cross-generational blend of capabilities, this delivery strategy will become more and more common in the future.

Watch the video to hear more from Bill McGee, SVP Hybrid Cloud Security, on how we’re delivering state-of-the-art capabilities in our products, and how the GDPR is impacting our development strategies going forward.

Video Schedule

3/14 – Overview and Finance/Executive Sponsor: Learn what the GDPR is all about, and understand how executive sponsorship will help your organization and employees become prepared.

3/21 – GDPR Program Manager: See who is mapping our Journey to GDPR compliance, and find out what type of person is needed to coordinate all of the functions involved.

3/28 – Legal: The GDPR is fundamentally a legal obligation. Understand how large the role of legal is in scope, both internally and externally, and how it is involved across all aspects of the organization.

4/4 – IT Security: Hear what our IT director has to say about how the GDPR is affecting our organization, from taking a global perspective to the way we manage data privacy, to changing the way we communicate.

4/11 – Sales & Marketing: Our COO, Kevin Simzer, explains how we’re on the same journey to becoming GDPR compliant as our customers are, and what the benefits are in this process.

4/18 – HR: See how the GDPR affects our employees, and what we’ll do to ensure they have a good understanding of the regulation.

4/25 – Marketing Operations: Learn how our Marketing Operations team ensures that our customer data is protected across all external platforms.

5/2 – Products and Services: Hear from Bill McGee, SVP Cloud Security, on how we’re always evolving to deliver state-of-the-art capabilities in our products, and how we help our customers deliver their portion of the shared security responsibility of cloud environments.

5/9 – Sales and Channel Enablement: See how important it is that our existing partners understand GDPR, and how we help them find the tools needed to achieve GDPR compliance.

The post State-of-the-art Security: The role of technology in the journey to GDPR compliance appeared first on .

Configuring Imperva SecureSphere for GDPR Compliance: Part One

Time is running out. 23 days until GDPR enforcement

The GDPR effective date is less than a month away and, given the significant risk and potential costs associated with a failure to comply, organizational readiness efforts continue to mount. GDPR non-compliance penalties can be severe (up to 79 times higher than existing guidelines), and GDPR applies to any organization of any size that collects or processes personal data originating in the EU. The new rules and fines go into effect on May 25, 2018.

Imperva data protection solutions can help organizations address key GDPR data security requirements, as highlighted in our GDPR: New Data Protection Rules in the EU whitepaper; and our recent blog highlighting key actions to take to help finalize your GDPR compliance program. Of note is the reference to understanding where your data is, and effectively discovering and classifying this information within the context of the GDPR requirements. To that end, this blog — the first in a three-part series — will focus on how Imperva can support compliance with this initial step, and with greater ease as a result of our enhanced solution functionality.

Understand where your data is and what data is sensitive

Understanding where your data is and classifying it is the critical first step in GDPR compliance and is specifically referenced in Article 35: Data Protection and Impact Assessment. In essence, this article aims at assessing the purpose, scope, and risk associated with processing personal data. A key process involved in achieving compliance here involves deriving an inventory of personal data across the organization; and understanding access rights to data, and the risk associated with that access. This really is the first step in effective data security and GDPR compliance.

Imperva SecureSphere finds both known and unknown databases by automatically scanning enterprise networks. Many existing SecureSphere customers have already initiated this key process by leveraging built-in discovery policies, and/or easily creating custom data discovery policies to scan any part of their network. SecureSphere also enables automated, scheduled scans, as they are critical to ensuring continuous discovery to include new data in security and protection efforts.

Four Steps to Article 35 Compliance Readiness with Imperva SecureSphere

The good news for organizations still struggling to complete this initial step is that Imperva’s SecureSphere solution now offers even greater support aimed at discovery and classification in relation to GDPR Article 35. The recent release of SecureSphere v12.4 has made the activation of this process easier, thereby reducing resource time, costs, and complexity in providing a solid step towards the process of overall GDPR compliance with additional out-of-the-box functionality and configuration capabilities.

Let’s now dig into the process of configuring Imperva SecureSphere and supporting compliance achievement with Article 35 (and the overall data security articles within GDPR). As outlined in the v12.4 configuration guide[1], you need to perform the following actions with SecureSphere:

  1. Verify that your SecureSphere Application Delivery Controller (ADC) content is up to date:

Some of the actions required and outlined in the guide are based on profiles, data types and audits that are bundled with the ADC content, which means it’s imperative to have this step completed. Here’s how to do this within SecureSphere:

  1. In the Admin workspace, click ADC.
  2. Under Manual ADC Update, click Download.
  3. Save the MPRV file that will be downloaded.
  4. Browse to the downloaded file using the Browse
  5. Click Upload. SecureSphere will be updated with the downloaded content.
  2. Discover your databases:

SecureSphere enables you to discover all the databases in your estate and add them to your site tree so that you can then apply scans and policies and other SecureSphere functionality to them, in order to protect the data they hold. Here’s how you go about doing that:

  1. In the Main workspace, select Discovery & Classification > Scans Management.
  2. Under the Scope Selection drop-down list on the top left, select Scans.
  3. Click New. From the drop-down list, select Service Discovery. The Create Scan dialog box opens.
  4. Give the scan a Name, select a Site, and click Create.
  5. Under the Services tab, you can select which services you want the scan to look for. If you choose ‘allow me to manually review discovered services before updating’, remember to update the site tree manually.
  6. Under IP Configuration, enter the IP groups in which the databases might be located.
  7. Under Service Types, check the database service types you want to discover.
  8. Under the Scheduling tab, select a regular schedule for running this scan for database discovery.
  9. Click Save.
  3. Configure your database connections:

Once you have discovered the database servers and added them to the site tree, you must configure the database connections in order for security and audit policies to work. Here’s how to complete this task:

  1. In the Main workspace, select Setup > Sites.
  2. Select the newly added server group.
  3. Under the Servers tab, verify that the new server has been added.
  4. In the site tree, select the database service.
  5. Under the Definitions tab, expand Direct Access Information.
  6. Under Database Connections, click the New button. A new row appears.
  7. Enter the data needed to create a new database connection: Alias, IP, User Name, Password, Verify Password, SID, and Port.
  8. Repeat steps 6 and 7 above for each new database connection you wish to add to this service.
  9. Click Save.
  4. Classify the locations of personal and sensitive data:

You’re now ready to scan your databases in order to obtain a report of which tables in which databases contain personal data, which is where the new GDPR functionality within SecureSphere comes into play to make this step even easier. SecureSphere v12.4 has an out-of-the-box profile for GDPR, called the Data Classification Profile for GDPR. This profile includes the out-of-the-box data types that are pertinent to personal data. If you added new data types, make sure to include them in the GDPR Profile. Let’s look at this new functionality in a little more detail, and how you can now easily configure and classify data in support of GDPR. To do so, just configure and run a scan using the new functionality as summarized below:

A. To configure the GDPR classification scan profile:

  1. In the Main workspace, select Discovery & Classification > Scans Management.
  2. Under the Scope Selection drop-down, select Scan Profiles.
  3. Select Data Classification Profile for GDPR.
  4. In the Data Types tab:
     - You can enable or disable any data type by selecting or de-selecting the appropriate checkbox.
     - You can select any data type, and then enable or disable any of its rules by selecting or de-selecting the appropriate checkbox.
  5. In the Settings tab, you can configure data classification options for the profile.
  6. Click Save.

You can now easily run the GDPR classification scan in order to find the locations of the personal data in your environment. The steps to do so are quite consistent with traditional scans within SecureSphere, and outlined in Part B below:

B. To configure and run a classification scan:

  1. In the Main workspace, select Discovery & Classification > Scans Management. The Scans Management window appears.
  2. In the Scans pane, select the scan you want to run, or create a new scan using the New button. If you create a new scan, from the drop-down list, select DB Data Classification scan and base the new scan on the Data Classification for GDPR profile. The scan’s options are displayed in the Details pane.
  3. Under the Settings tab, click the Scan Profile drop-down list and verify that the scan is based on the Data Classification for GDPR profile.
  4. Click the Apply to tab. Select the databases you wish to scan.
  5. Click the Scheduling tab. Select your scheduling choices. You should schedule regular scans since tables may be added frequently.
  6. Click Save.

So, you’ve classified your data. Now what?

Once databases are identified and classification has been completed, you’re in a much better position to understand what personal data lives in which databases and who has access. SecureSphere offers a robust set of options to review the results within the UI, or via data export to assist with the review process. The output of this process helps determine which systems are in scope for GDPR, allowing you to accelerate compliance with several articles within GDPR, including Article 35, which was the focus here. Further, with the help of Imperva data security solutions, support for the other articles can also be achieved. We’ll get into those use cases and solutions in the next blog in this series.

Contact us to learn more about Imperva’s GDPR compliance capabilities and explore our data security solutions in detail.

A week in security (April 23 – April 29)

Last week, we dug into behavioral biometrics, explored a new crossrider variant, and embraced the power of “no.” We also launched another CrackMe challenge, took a deep dive into smart toys, and finished up with a look at digital privacy in the age of IoT.

Other news

Stay safe, everyone!

The post A week in security (April 23 – April 29) appeared first on Malwarebytes Labs.

Critical Actions to Finalize Your GDPR Compliance Program

Starting May 25, 2018, enforcement begins for the new EU General Data Protection Regulation (GDPR) and its heightened principles and requirements regarding data privacy, data processing, and data security. The newly revised regulation applies to organizations doing business in the European Union or processing personal data originating in the EU – including data originating from both residents and visitors. A quick overview of the Regulation—actually a series of primers—can be found here.

Earlier this year, I participated in a webinar to discuss the rapidly approaching GDPR enforcement date, and how organizations around the world can finalize their compliance programs. As Senior Privacy Counsel at Imperva, I know how important it is to be up-to-date with the new EU regulation and to prepare for it.

During the webinar, I was joined by Barbara Cosgrove, the chief privacy officer at Workday, Naheed Bleecker, senior privacy consultant at Trust Arc and Sue Habas, VP of strategic technologies at ASC Technologies. Dr. Branden Williams, director and SVP of cyber security at MUFG Union Bank, hosted the affair. We discussed in some depth the critical actions that needed to be implemented by data privacy, security, and compliance programs before the May 2018 deadline.

Generally, four calls to action emerged. They are:

1) Embed Privacy by Design

2) Know where your data is

3) Establish data inventory & classification

4) Implement “appropriate” Security Controls

Embed Privacy by Design

As Barbara Cosgrove noted, “What we’re really looking at is embedding appropriate privacy protection measures throughout the entire development process, whether it’s a product, a process, a service or anything that uses personal data.”

Under GDPR, it’s now critical to make sure that you’ve updated your product design processes and change management policies to include data privacy input from the very beginning of the project. “Carry out any privacy impact assessments that could possibly identify any risks,” she added. “Make sure that you’ve really ascertained how you process personal data and if that’s going to result in a high risk to a data subject.”

Know Where Your Data Is

Keeping tabs on personal data as it moves through the entire data life cycle at your organization is simply good data governance practice, according to Naheed Bleecker. “It’s critical to understand all the controls surrounding data,” he said. “Where is the data? Who has access to it? Where is it going? Who’s touching it? What specific data elements are being collected? Are you getting the kind of consent that you need? What are your storage and retention standards? These are all questions you need to ask yourself.”

Another key component regarding data governance is understanding how third parties interact with the information. Not only does GDPR provide a great opportunity to educate and train stakeholders, it can help build a solid engagement with clients and partners.

Establish Data Inventory & Classification

“More than anything,” said Sue Habas, “you’ll want to automate your business and data inventory. In addition, you’ll want the data inventory meta-data and classification centralized so that everybody has access to it.”

Along with everything else, said Habas, you’ll need to classify the information, and allow for it to be threaded to all your [internal] end users, both on the business and technical side. “The business process,” she said, “is really essential for capturing that privacy data, and for remediating and managing those issues.”

Working together with the product and business teams is critical to helping you understand and govern data, added Habas. You need to show in a transparent manner that your data state is being handled in a responsible manner regardless of technology, usage or jurisdiction. “It’s all about being able to see across data silos,” she said.

Implement “Appropriate” Security Controls

Data inventory and consent tracking are the foundation of every comprehensive privacy program. But that’s probably not even the first thing that’s needed. First and foremost, you need to put appropriate security controls around the personal data of your employees, customers, and end-users that you collect, process, and store.

GDPR not only expressly endorses pseudonymization and encryption as appropriate measures to protect the security of processing, it also ratchets upward the fines for failing to meet the “appropriate” security measures required—specifically, to the tune of the greater of 10 MM Euros or 2% of total annual worldwide turnover.

But what exactly does “appropriate” mean, and where should data privacy, risk, or compliance programs start? One good place to start is to look at asset management across different repositories of data, across different databases, and across different functional departments. For example, does everybody in your company have a need-to-know clearance? Maybe that’s not reasonable or wise.

You also need to implement encryption both in transit and across local storage, and create and maintain incident and data breach response programs. I strongly advise everyone to map out and document all data flows and processing within your organizations. When a data breach happens, you’ll need to know what’s going on during the first 24 and 72 hours. That response time is going to be incredibly important under GDPR.

A Best Practices Approach

GDPR represents a monumental shift in how global organizations will need to treat and safeguard personal data. Aligning your organization, and the privacy function within your organization, to GDPR in a best practices fashion is by no means an easy task. But it is the goal you should strive for. Professionals leading data privacy or security programs will have largely completed minimum GDPR compliance preparation by May 25, 2018, or perhaps shortly thereafter. Yet, after a well-deserved vacation, I encourage you to rethink and revisit your data privacy programs. Concentrate on elevating these four foundational calls to action up to a best practices standard, and your organization will be more than ready for today’s rising tide of global privacy standards—both those required by regulations like GDPR as well as by the competitive business features demanded by a rising societal awareness of data privacy.

GDPR Planning and the Cloud

Data protection is on a lot of people’s minds this week. The Facebook testimony in Congress has focused attention on data privacy. Against this backdrop, IT security professionals are focused on two on-going developments: the roll-out next month of new European regulations on data (the General Data Protection Regulation, or GDPR) as well as the continued migrations of data to the public cloud.

GDPR is mostly about giving people back control over their data. Among other rights and duties, it concerns the safe handling of data, data subject rights such as the “right to be forgotten,” and breach reporting. But apparently it will not slow migration to the cloud.

According to a McAfee report being released today, Navigating a Cloudy Sky, nearly half of companies responding plan to increase or keep stable their investment in the public, private or hybrid cloud, and the GDPR does not appear to be a showstopper for them. Fewer than 10 percent of companies anticipate decreasing their cloud investment because of the GDPR.

Getting Help for GDPR Compliance

What is the practical impact of all this? Say your CISO is in the early stages of setting up a GDPR compliance program. In any enterprise it’s important to understand the areas of risk. The first step in managing risk is taking a deep look at where the risk areas exist.

McAfee will feature a GDPR Demo1 at the RSA conference in San Francisco this week that will help IT pros understand where to start. The demo walks conference attendees through five different GDPR compliance scenarios, at different levels of a fictional company and for different GDPR Articles, so that they can start to get a feel for GDPR procedure and see the tools which will help identify risk areas and demonstrate the capabilities for each.

Remember, with GDPR end-users are now empowered to request data that they are the subject of, and can request it be wiped away. With the latest data loss prevention software, compliance teams will be able to service these requests by exporting reports for given users, and the ability to wipe data on those users. But a lot of companies need to learn the specific procedures on compliance with GDPR rules.

GDPR could be looked at as another regulation to be complied with – but savvy companies can also look at it as a competitive advantage. Customers are increasingly asking for privacy and control. Will your business be there waiting for them?

The cloud, GDPR and customer calls for privacy are three developments that are not going away – the best stance is preparation.

1 McAfee will be in the North Hall, booth #N3801 (the “Data Protection and GDPR” booth) and also in the South Hall at the McAfee Skyhigh booth, # S1301.

The information provided on this GDPR page is our informed interpretation of the EU General Data Protection Regulation, and is for information purposes only and it does not constitute legal advice or advice on how to achieve operational privacy and security. It is not incorporated into any contract and does not commit promise or create any legal obligation to deliver any code, result, material, or functionality. Furthermore, the information provided herein is subject to change without notice, and is provided “AS IS” without guarantee or warranty as to the accuracy or applicability of the information to any specific situation or circumstance. If you require legal advice on the requirements of the General Data Protection Regulation, or any other law, or advice on the extent to which McAfee technologies can assist you to achieve compliance with the Regulation or any other law, you are advised to consult a suitably qualified legal professional. If you require advice on the nature of the technical and organizational measures that are required to deliver operational privacy and security in your organization, you should consult a suitably qualified privacy professional. No liability is accepted to any party for any harms or losses suffered in reliance on the contents of this publication.

The post GDPR Planning and the Cloud appeared first on McAfee Blogs.

Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection

When the European Union’s (EU) General Data Protection Regulation (GDPR) comes into full force May 25, European citizens will receive greater privacy protection and regulators will have a strengthened authority to take action against businesses that breach the new laws. Fines of up to 4% of annual global revenue or €20 million, whichever is greater, can be levied against any organization that processes personal data of EU residents, regardless of where they are based. Stories with doomsday predictions and generous helpings of fear can be found in many publications.

McAfee recently published an executive summary of our report, Beyond GDPR: Data Residency Insights from Around the World, that focuses on responses from the 200 professionals surveyed in the financial services sector. While there remains work to be done, it’s not all doom and gloom for the financial services industry. More than one quarter (27%) of financial services firms surveyed are already set up to comply with the GDPR requirement for controllers to report a breach to the appropriate authorities within 72 hours of becoming aware of a breach, compared to just 20 percent of other industries. This is most likely the result of greater preparation, as the financial sector has a higher proportion of firms (28%) that have been working on compliance for three to four years, compared to the global average of just two years.

We believe that the looming threat of GDPR fines is an opportunity to communicate the seriousness of these regulations to your board and executives, and to position the firm as one that cares about personal privacy. And that could help boost the bottom line according to survey respondents – some 80% of financial services respondents believe that organizations that properly apply data protection laws will attract new customers.

Knowing what data is stored where is one of the most important steps of this data protection activity, but here are a few more that we recommend.

Step 1. Know Your Data.

Not only where it is, but what it is, why you are collecting it, and what levels of security and encryption are used to protect it. If you are collecting personal data that is not essential to your service offering, you may want to reconsider what you collect to better manage your risk of exposure, and comply with data-minimization principles.

Step 2. Enforce Encryption.

Effective encryption protects data by making it useless to hackers in the event of a data breach. Use proven encryption technologies, such as Triple Data Encryption Standard (3DES), RSA, or the Advanced Encryption Standard (AES), to ensure the safe storage of both your employees’ data and customers’ data.

Step 3. Pseudonymize personally identifiable information (PII).

Modifying data prior to processing so that it cannot be tracked back to a specific individual provides another layer of data protection. Pseudonymizing your data allows you to take advantage of Big Data and do larger scale data analysis, and is viewed as an appropriate technical and organizational measure under article 32 of the GDPR.
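As an added example (not McAfee's code) of the pseudonymization described above, the following replaces direct identifiers with keyed HMAC-SHA256 tokens before analysis, keeping the key and the token-to-value mapping separately from the analytics copy, which is what lets the data still be attributed to a person only by whoever holds that additional information. The field names, records and key are constructed for illustration.

```python
"""Added example (not McAfee code): keyed pseudonymization of PII fields.
Direct identifiers are replaced by HMAC-SHA256 tokens derived from a secret
key; analysis (e.g. counting transactions per customer) still works on the
tokens, while re-identification needs the separately held key or vault."""
import hashlib
import hmac
import secrets
from collections import Counter

# Constructed list of fields treated as direct identifiers.
DIRECT_IDENTIFIERS = ("email", "full_name", "phone")


def new_key() -> bytes:
    """Controller-held secret; store it apart from the pseudonymized dataset."""
    return secrets.token_bytes(32)


def pseudonym(value: str, key: bytes, field: str) -> str:
    """HMAC token for one identifier. Canonicalising case and whitespace keeps
    the same person consistent across records; prefixing the field name keeps
    the same string in different fields from producing the same token."""
    canonical = " ".join(value.split()).lower()
    mac = hmac.new(key, f"{field}:{canonical}".encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


class Vault:
    """The 'additional information' kept separately: token -> (field, original)."""

    def __init__(self):
        self._map = {}

    def store(self, token: str, field: str, value: str) -> None:
        self._map.setdefault(token, (field, value))   # keep first-seen original

    def reidentify(self, token: str):
        return self._map.get(token)


def pseudonymize(record: dict, key: bytes, vault: Vault = None) -> dict:
    """Return an analytics-safe copy: identifiers become *_pid tokens, other fields pass through."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            token = pseudonym(value, key, field)
            out[field + "_pid"] = token
            if vault is not None:
                vault.store(token, field, value)
        else:
            out[field] = value
    return out


def transactions_per_customer(pseudonymized: list) -> Counter:
    """Example analysis that works on tokens alone."""
    return Counter(r["email_pid"] for r in pseudonymized)


# Constructed sample records; note the second row is the same person with different casing/spacing.
SAMPLE_RECORDS = [
    {"email": "Ana@Example.org", "full_name": "Ana Example", "phone": "+1 555 010 0100",
     "amount": 12.5, "country": "NL"},
    {"email": "ana@example.org ", "full_name": "Ana  Example", "phone": "+1 555 010 0100",
     "amount": 3.0, "country": "NL"},
    {"email": "bo@example.net", "full_name": "Bo Sample", "phone": "+44 20 7946 0958",
     "amount": 8.0, "country": "IE"},
]


if __name__ == "__main__":
    key, vault = new_key(), Vault()
    safe = [pseudonymize(r, key, vault) for r in SAMPLE_RECORDS]
    for token, n in transactions_per_customer(safe).items():
        print(token, n, "->", vault.reidentify(token))
```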

Step 4. Get Executive Management Involved.

The necessary changes to your data storage, monitoring, management, and security systems can require more human and financial resources than are currently budgeted. The potential of significant fines is an excellent opportunity to get the required support from the highest levels of your organization.

Step 5. Appoint a Project Owner.

Staying compliant with various data protection laws is not something that can be done by an IT staffer in their spare time. Consider appointing a data protection officer or equivalent, to take ownership of both implementation and ongoing management of this project. A data protection officer may be required in any event, depending on the nature of the processing carried out.

Step 6. Review Data Security with Cloud Vendors.

With cloud computing and storage touching most business processes in some fashion, consider conducting an audit of all your vendors’ systems, procedures, and contracts, and the data that they are handling and storing on your behalf. After all, each organization will be held responsible for meeting the GDPR requirements.

Step 7. Foster a Security-Aware Culture.

Human errors are often responsible for data and security breaches. It doesn’t matter that your business follows the strictest security protocol – one error made by one uninformed person could lead to irreparable damages. Consider making sure that all your employees and contractors receive proper and regular training on data security and the handling of customer information.

Step 8. Have a Response Plan.

No system is 100% bulletproof. You need an incident response plan in place to make sure that you can recover as quickly as possible in the event of a data breach. Under GDPR law, you are required as a controller to alert the appropriate authorities within 72 hours of becoming aware of a data breach, and you also need to notify any individuals whose personal data has been compromised.

Step 9. Go with a Privacy by Design Approach.

The GDPR places a requirement on organizations to take into account data privacy during the design stages of all projects. Companies will want to consider data-protection technologies such as data loss prevention (DLP) and cloud data protection (CASB) from the very beginning of development. Implement data-protection policies that help prevent both accidental and malicious data theft by insiders and cybercriminals – no matter where the data resides.

While no one can guarantee that you will not suffer a data loss, following these steps will help you understand where you stand, identify any gaps, and improve your organization’s responsiveness. Loss of customer confidence was the most common concern of financial services organisations (64%), and rapid containment and response is one of the best ways to protect your firm’s valuable reputation. So keep calm, and prepare for GDPR.

Read the full report, Beyond GDPR: Data Residency Insights from Around the World, and learn more about the top data-protection concerns and strategies of more than 800 senior business professionals from eight countries and a range of industries.


The post Financial Services and GDPR: What 200 Professionals Told Us About Their Data Protection appeared first on McAfee Blogs.

The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day

At one point in my career, I was responsible for launching massive websites.  We’d talk about when and how we flip the switch to launch the new website.  At least once during every project someone would ask me who got to flip the switch, as though we would have a dignitary (or them?) do it.  But depending on the year, the flipping on of a website was handled through technology and not very dramatic and not with the fanfare the non-technologists hoped for. (Dimming lights? Fireworks?  It was New York and it was publishing, so there was often beer and wine and maybe T-shirts after, but everyone went home and slept.)

And now we have May 25th coming around the corner. The other day, I got a picture in a text from a colleague of a can of sardines.  It took me a minute to realize the expiration was May 25.  So, other than the sardines, what happens?  Are we done?

First the bad news:  We won’t ever be done.  GDPR requires constant diligence for its principles, recurring reviews of the processes we’ve built; ongoing use of Data Processing Impact Assessments; vigilance on how we process, store, transfer, use personal data; communications with our customers; new contractual language and new things to negotiate; ongoing discussions around security and what is appropriate.  And of course, the biggest question: What will the data regulators do?  Will there be an immediate fine? (My bet is no.)

But now the good news: If you’ve been doing this right and have managed to focus on the concepts of Great Data Protection Rocks and a culture of security, the following things may have happened:

  • You have a much better idea of what data you have, where it is stored, who can get to it, and how it gets used. Hopefully you have deleted some data and have additional automated processes to delete data when it ceases to be needed.
  • You have processes in place to replace things that were being done on the fly. Maybe there’s some documentation and someone officially designated to help with the processes.
  • You know who your vendors are, and more about your high-risk and cloud vendors.
  • You have determined what needs securing and made sure you are securing it “appropriately.”
  • You’ve got a team of people who understand data protection and GDPR – maybe some new friends and some new project partners. A few of them may not have bought in completely (the people who were “voluntold” to help), but just wait.  Something often seems to happen in the doubter’s personal life that makes them get it – and big time.  Real examples:  Mortgage application reveals massive identity theft that needs to be fixed or they lose the house; soccer coach sends kid’s medical condition info to the whole team’s parents; intern (not at McAfee!) sends spreadsheet of fraternity members’ contact info, but it also contained everyone’s grade-point average.

Perhaps most importantly, your company now has momentum around doing the right thing regarding data protection.  And May 25th will come – too soon, not soon enough, or both! – and the lights won’t dim but there might be T-shirts.

It would be easy to forget GDPR’s lessons. In the United States, Monday, May 28th, is Memorial Day, and we pull out summer clothes, take off to mark the start of summer, and remember our heroes.  But on that Monday and Tuesday and every day after, Great Data Protection will still Rock, and we will still need to look at data, how it’s used, and how our culture can protect it. Just maybe throw out the sardines if they don’t get eaten beforehand (or leave them on the doubter’s desk as a joke).


The post The Tortoise and The Hare Part II: May 25th is a Friday, or Great Data Protection Rocks even after Memorial Day appeared first on McAfee Blogs.

The Tortoise and the Hare of GDPR, Part I: Don’t Panic

In preparation for May 25, data-driven companies (and really, that’s most of us) have started doing business differently, bracing for the enforcement date of the General Data Protection Regulation (GDPR). And all companies with customers and employees who are residents of the European Union should be handling personal data carefully after that: Violations can result in fines of up to 4% of annual global revenues or €20 million (whichever is greater).

When we reached the milestone of 100 days until May 25, one of our McAfee legal interns put up a countdown clock on an internal website. Lots of words have been spent on hair-on-fire, panic mode fretting about the fines – and anyone who tells you that they know exactly what to do to avoid getting fined is selling you a false promise.

As we get to this homestretch, I think it’s important to pause a minute and make sure we are looking at the forests as well as the trees.  GDPR doesn’t tell us to encrypt this but not that, but it does tell us we need a cultural change around data protection. An attitude of Great Data Protection Rocks (GDPR – get it?) works together with McAfee’s concept of a culture of security to introduce better and constantly improving practices.

But the 100 days are flying by, and things aren’t perfect – what to do? First, take a deep breath; you can’t get anything done if you’ve fainted.  Second, remind yourself of the strategic principles and the core intent of the GDPR: honoring the fundamental rights of the data subject to have control over their information and to have it properly cared for when it is outside their control.  And third, read McAfee Principal Engineer Mo Cashman’s great four-part blog series that lists questions to ask your organization, including:

  • Is there a current data-loss prevention project in place or planned for this year? Data-loss prevention too often gets thought of as a security project, but the best implementations have security folks partnering with privacy and legal team members as well as business stakeholders.
  • Does your cloud service provider have a privacy policy? Do you know who your cloud providers are, even?  The cloud-hosting providers like AWS and Azure are obviously to be considered, and don’t forget Box and Google Drive and other file storage, but you also need to consider the human resources applications, the recruiting vendors, and the other companies that help support your businesses from the cloud.
  • What key security and business processes should be reviewed for applicability and current state of capability? Mo reminds us to stop and define “key.”  This is the sort of soul-searching that every company needs to do for itself, and make hard decisions (that you should check back on) as to what is most important.

There are a lot of things I like about Mo’s series, including the calm tone, but what I like most is that it basically says if you aren’t sure what to do, start somewhere, and here are some ideas that will help you with the larger picture.  Some folks with lots of resources (and yes, the Data Protection authorities) might be horrified that some places haven’t started on GDPR compliance, but this is a journey and we all have different starting points.  I bump into a lot of people who are still finding their way in the GDPR fog when I get outside McAfee.

And even for those of us who have been working on GDPR readiness for a long time (and it feels like a really long time to me right now – I’m much more of a hare), we must think about the long haul.  Changing culture takes time, and it’s a big shift to a culture of security and data protection for many organizations.  We need champions, new language, new processes, new policies, and procedures.  If we keep breathing and keep thinking about the big picture, and keep working together on the hard questions, we’ll get there.

You can find much more free GDPR educational material on our website.


The post The Tortoise and the Hare of GDPR, Part I: Don’t Panic appeared first on McAfee Blogs.

Microsoft expands cloud services in Europe and into Middle East to meet growing customer demand

I’m thrilled to share that we plan to deliver the Microsoft Cloud from our first datacenter locations in Switzerland and the United Arab Emirates, and we’ll expand the cloud options for customers in Germany. I’m also excited to reveal that the Microsoft Cloud in France is officially open with the general availability of Microsoft Azure and Microsoft Office 365 today, and Dynamics 365 will follow in early 2019.

By delivering the comprehensive, intelligent Microsoft Cloud – comprising Azure, Office 365 and Dynamics 365 – from datacenters in a given geography, we offer scalable, available and resilient cloud services for companies and organizations while meeting data residency, security and compliance needs. Microsoft has deep expertise protecting data and empowering customers around the globe to meet extensive security and privacy requirements, including offering the broadest set of compliance certifications and attestations in the industry.

We’re deepening our investment in the Middle East with these first cloud regions, which will be in Abu Dhabi and Dubai in the United Arab Emirates. We have long-standing expertise and deep local relationships in the Middle East. We strive to combine that knowledge with our cloud services to help public and private institutions scale to meet the tremendous economic growth and technological innovation in the country and across the region.

In Europe, we’re continuing to expand our substantial cloud footprint in response to customer demand and to address the needs of some of the world’s leading industries and organizations. Our engagement with financial institutions and regulators in Switzerland over the past several years has led to a deeper understanding of the market and the opportunity for locally delivered, trusted enterprise cloud services to meet their unique requirements. We intend to be the first global cloud operator to introduce cloud regions in Switzerland, which will be in the cantons of Geneva and Zurich. We are also expanding the cloud service options available with the addition of new cloud regions in Germany. This new cloud offering will complement the options currently available for customers today. The two new regions will provide enterprise-grade reliability, performance and business continuity combined with data residency within Germany and connectivity to Microsoft’s global public cloud network.

In France, the Microsoft Cloud is now open to thousands of customers, partners and ISVs with today’s general availability of both Azure and Office 365. With this milestone, Microsoft is empowering organizations like Naval Energies — a global player in renewable marine energies; Astrimmo — a leading provider of housing services in France; and Ercom — a French company specializing in cybersecurity, with greater scalability, agility and the opportunity to develop new cloud-based solutions. Also starting March 14, existing Office 365 customers from France and French territories will be able to opt-in to be moved to the local cloud regions in France.

Microsoft has a long history of collaborating with customers to navigate evolving business needs and has developed strategies to help customers prepare for the new European Union General Data Protection Regulation (GDPR). We’re invested to make the Microsoft Cloud GDPR compliant when the regulation becomes effective on May 25, 2018, delivering innovation that accelerates GDPR compliance, and building a community of experts to help customers along their full GDPR journey.

Over the last three years, we’ve more than doubled the number of Azure regions available. As of today, Azure has more regions than any other cloud provider. We’ve announced a goal to be in 50 regions across the globe, including plans for 12 new regions.

Office 365 and Dynamics 365 also continue to expand the data residency options for customers with 17 geographies announced. The two products are the only productivity and business application platforms that can offer in-geo data residency across such a broad set of locations. Each datacenter geography, or geo, delivers a consistent experience, backed by robust policies, controls and systems to help keep data safe and help comply with local and regional regulations.

You can learn more about our transformative cloud solutions at Microsoft Azure, Office 365, and Dynamics 365, or follow these links to learn more about today’s announcements in France, Germany, Switzerland and the United Arab Emirates.

 

The post Microsoft expands cloud services in Europe and into Middle East to meet growing customer demand appeared first on The Official Microsoft Blog.

How prepared is your business for the GDPR?

The GDPR is the biggest privacy shakeup since the dawn of the internet, and it is just weeks before it comes into force on 25th May. GDPR comes with potentially head-spinning financial penalties for businesses found not to be complying, so it really is essential for any business which touches EU citizens' personal data to thoroughly do its privacy rights homework and properly prepare.

Sage have produced a nice GDPR infographic which breaks down the basics of the GDPR with tips on complying, which is shared below.

I am currently writing a comprehensive GDPR Application Developer's Guidance series for IBM developerWorks, which will be released in the coming weeks.


The GDPR: A guide for international business - A Sage Infographic

Cyber Security Roundup for February 2018

February saw over 5,000 websites infected by cryptocurrency mining malware after a popular accessibility plugin called ‘BrowseAloud’ was compromised by hackers. This led to several UK Government and Council websites going offline, including those of the Information Commissioner's Office, the Student Loans Company, and Manchester City, Camden and Croydon Councils. Symantec researchers also announced that 'Cryptojacking' attacks had increased 1,200% in the UK. Cryptojacking once involved the installation of cryptocurrency mining malware on users' computers, but now it is more frequently carried out in-browser, by compromising a website so that it executes a malicious mining JavaScript when the user visits it, as was the case with the 'BrowseAloud' incident.
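The BrowseAloud incident above is the textbook case for Subresource Integrity (SRI): a browser refuses to run a third-party script whose hash does not match the page's integrity attribute, so a tampered copy on the plugin vendor's CDN is blocked rather than mined on. The following is an added example, not code from the original post, that audits a constructed HTML page for third-party scripts lacking an SRI hash and shows how such a hash is computed; the hostnames and the integrity value in the sample are placeholders.

```python
import base64
import hashlib
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptAuditor(HTMLParser):
    """Collect <script src=...> tags and record whether each carries an SRI hash."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        if not src:
            return  # inline scripts are a CSP concern, not an SRI one
        # netloc is empty for relative URLs; scheme-relative ("//cdn...") still yields a host
        host = urlparse(src).netloc or self.page_host
        integrity = attrs.get("integrity") or ""
        self.findings.append({
            "src": src,
            "third_party": host != self.page_host,
            # checks only that a well-formed SRI value is present, not that it matches the file
            "has_sri": integrity.startswith(("sha256-", "sha384-", "sha512-")),
            # SRI on a cross-origin script also needs crossorigin, or the browser blocks it
            "crossorigin": attrs.get("crossorigin"),
        })


def audit_page(html, page_host):
    """Return (all script findings, list of third-party script URLs with no SRI hash)."""
    parser = ScriptAuditor(page_host)
    parser.feed(html)
    risky = [f["src"] for f in parser.findings if f["third_party"] and not f["has_sri"]]
    return parser.findings, risky


def compute_sri(script_bytes):
    """Produce the integrity attribute value (sha384) for a known-good script body."""
    digest = hashlib.sha384(script_bytes).digest()
    return "sha384-" + base64.b64encode(digest).decode("ascii")


# Constructed sample page: one first-party script, one unpinned third-party plugin,
# one third-party script pinned with a placeholder (not real) hash, one inline script.
SAMPLE_HTML = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://cdn.accessibility-plugin.example/plugin.js"></script>
<script src="https://cdn.analytics.example/a.js"
        integrity="sha384-PLACEHOLDER_NOT_A_REAL_HASH"
        crossorigin="anonymous"></script>
<script>console.log("inline");</script>
</head></html>
"""

if __name__ == "__main__":
    _, unpinned = audit_page(SAMPLE_HTML, "www.example.test")
    print("third-party scripts without SRI:", unpinned)
    print("integrity for a local copy of plugin.js would be:", compute_sri(b"/* plugin body */"))
```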

More than 25% of UK Councils are said to have suffered a breach in the last five years, according to the privacy group Big Brother Watch, which said UK Councils are unprepared for cyber attacks.

A fascinating report on the Artificial Intelligence (AI) threat, written by 26 leading AI experts, was released; it forecasts the various malicious uses of AI, including in cybercrime and in the manipulation of social media and national news media agendas.

GDPR preparation or panic, depending on your position, is gaining momentum with less than 100 days before the privacy regulation comes into force in late May. Here are some of the latest GDPR articles of note.

Digital Guardian released an interactive article where you can attempt to guess the value of various types of stolen data to cybercriminals: Digital Guardian: Do you know your data's worth?

Bestvpns released a comprehensive infographic covering the 77 Facts About Cyber Crime we should all know about in 2018.

February was yet another frantic month for security updates, which saw Microsoft release over 50 patches, and there were new critical security updates from Adobe, Apple, Cisco, Dell, and Drupal.


GDPR Preparation: Recent Articles of Note

Company preparations for GDPR compliance are (or should be!) in full swing with the 25th May enforcement date fast looming on the horizon. With that in mind, I found the following set of recent GDPR articles a decent and interesting read. The list was compiled by Brian Pennington of Coalfire, who has kindly allowed me to repost it.

If you are after further GDPR swotting up, you could always read the actual regulation, the EU General Data Protection Regulation (EU-GDPR), and don't forget to read all the Recitals.

If you have any other GDPR-related articles or blogs of note, please post them in the comments.

The GDPR Basics: What Consumers Need to Know

What companies do with consumer data has always been a hot topic – and becomes hotter after every security breach, when consumers learn more about what can go wrong with their data and worry about the implications of their personal information being in the wrong people's hands. In the United States, most states and several cities now have laws about data breaches, and many have laws regarding some form of consumer data protection. Europe has had a data protection law covering its residents for more than twenty years.

But the past twenty years have seen lots of changes in technology and in the way data can help consumers, so the European Union has refreshed the former law – the Data Protection Directive – with a more robust law, the General Data Protection Regulation (GDPR). But what exactly does GDPR entail for consumers? Let's take a look.

What is GDPR?

The General Data Protection Regulation (GDPR) updates EU law to take account of the internet, e-commerce, online advertising, and the increase in data-driven marketing. Many of the provisions of the prior law are restated in the GDPR, but now companies face tougher fines for non-compliance. The new Regulation also requires companies to report breaches to their regulators and often to consumers, and allows people to ask the companies they work for or do business with what they do with their data. Replacing the Data Protection Directive, GDPR is more of an evolution of existing rules than a revolution, but it brings in important changes and reduces the number of country-specific laws that will be allowed. These changes have been introduced due to the changing nature of the world we live in, the volume and prevalence of data, and the value of personal data in an increasingly connected world.

Who Does It Affect?

With enforcement of the Regulation starting on May 25th, 2018, it's important to know what this legislation specifically impacts. The scope of “personal data” is broad, ranging from online identifiers such as IP addresses to social identities, in addition to the usual names and contact information (both personal and work, in the EU); basically, GDPR will cover anything that can be traced back to you as a specific individual, aiming to better enforce the protection of personal data as a basic human right. It protects the data of EU residents – in fact, it is irrelevant where in the world a company collecting data is based, as long as it has EU customers. GDPR places a requirement on companies to “implement appropriate technical and organizational” measures to ensure the security of personal data.

The Regulation requires companies to look at how they collect and store consumer data, keep records of certain kinds of consent, and be transparent about how they use personal data. The Regulation allows EU residents to ask companies questions about how their data was obtained, to opt out of marketing, and – in some cases – to ask that their data be deleted.

How to Prepare for It

With GDPR enforcement fast approaching, the most important thing both companies and European Union consumers can do is be educated and prepared. Companies have to review their practices and make sure they are complying with the Regulation. Consumers need to know their rights and how GDPR will enable them to ask questions about what happens to their personal data. They'll likely see more “consent” requests attached to any data collection – and notices about data breaches. But like any new law, the true meaning of the GDPR regarding consumer data may take years of court cases to truly unravel.

Stay on top of the latest consumer and security news by following me and @McAfee_Home on Twitter, and ‘Like’ us on Facebook.

The post The GDPR Basics: What Consumers Need to Know appeared first on McAfee Blogs.

Cyber Security Roundup for January 2018

2018 started with a big security alert bang after Google security researchers disclosed serious security vulnerabilities in just about every computer processor in use on the planet. Named 'Meltdown' and 'Spectre', these vulnerabilities disclose confidential data when exploited by a hacker or malware. As a result, a whole raft of critical security updates was hastily released for computer and smartphone operating systems, web browsers, and processor drivers. While processor manufacturers have been rather lethargic in reacting and producing patches for the problem, software vendors such as Microsoft, Google and Apple reacted quickly, releasing security updates to protect their customers from the vulnerable processors; kudos to them.

The UK Information Commissioner's Office (ICO) heavily criticised Carphone Warehouse for security inadequacies and fined the company £400K following its 2015 data breach, when the personal data, including bank details, of millions of Carphone Warehouse customers was stolen by hackers in what the company at the time described as a "sophisticated cyber attack"; where have we heard that excuse before? Certainly the ICO wasn't buying that after it investigated, reporting a large number of Carphone Warehouse security failures, which included the use of software that was six years out of date; a lack of “rigorous controls” over who had login details to systems; no antivirus protection running on the servers holding data; the same root password being used on every individual server, which was known to “some 30-40 members of staff”; and the needless storage of full credit card details. Carphone Warehouse should thank its lucky stars the breach didn't occur after the General Data Protection Regulation comes into force: with such a damning list of security failures, the company may well have been fined considerably more by the ICO, which is granted vastly greater financial sanctions and powers when the GDPR kicks in in May.

The National Cyber Security Centre warned that the UK national infrastructure faces serious nation-state attacks, stating it is a matter of "when" not "if". There were also claims that the cyberattacks against Ukraine in recent years were down to Russia testing and tuning its nation-state cyberattack capabilities.

At the Davos summit, the Maersk chairman revealed his company spent a massive £200m to £240m on recovering from the recent NotPetya ransomware outbreak, after the malware 'totally destroyed' the Maersk network. That's a huge price to pay for not regularly patching your systems.

It's no surprise that cybercriminals continue to target cryptocurrencies given the high financial rewards on offer. The most notable attack was a £290k cyber-heist from BlackWallet, where the hackers redirected 700k BlackWallet users to a fake replica BlackWallet website after compromising BlackWallet's DNS server. The replica website ran a script that transferred user cryptocurrency into the hacker's wallet; the hacker then moved the currency into a different wallet platform.

In the United States, the Federal Trade Commission (FTC) fined toy firm VTech US$650,000 (£482,000) for violating US children's privacy law. The FTC alleged the toy company violated the Children's Online Privacy Protection Rule (COPPA) by collecting personal information from hundreds of thousands of children without providing direct notice.

It was reported that a POS malware infection at Forever21 and lapses in encryption were responsible for the theft of debit and credit card details from Forever21 stores late last year. Payment card data continues to be a high-value target for cyber crooks with sophisticated attack capabilities, who are willing to invest considerable resources to achieve their aims.

Several interesting cybersecurity reports were released in January. The Online Trust Alliance Cyber Incident & Breach Trends Report: 2017 concluded that cyber incidents doubled in 2017 and 93% were preventable. Carbon Black's 2017 Threat Report stated that non-malware-based cyber-attacks were behind the majority of cyber-incidents reported in 2017, despite the proliferation of malware available to both professional and amateur hackers. Carbon Black also reported that ransomware attacks are inflicting significantly higher costs and that the number of attacks skyrocketed during the course of the year; no surprise there.

Malwarebytes' 2017 State of Malware Report said ransomware attacks on consumers and businesses slowed down towards the end of 2017 and were being replaced by spyware campaigns, which rose by over 800% year-on-year. Spyware campaigns not only allow hackers to steal precious enterprise and user data but also allow them to identify ideal attack points from which to launch powerful malware attacks. The Cisco 2018 Privacy Maturity Benchmark Study claimed 74% of privacy-immature organisations were hit by losses of more than £350,000, and that companies that are privacy-mature have fewer data breaches and smaller losses from cyber-attacks.


Cyber Security Roundup for November 2017

One of the most notable data breaches disclosed this month was by Uber, given the company attempted to cover up the breach by paying off hackers. Over a year ago the transport tech firm was said to have paid £75,000 to two hackers to delete 57 million Uber account records which they had stolen. Uber revealed around 2.7 million of the stolen records were of British riders and drivers. As a UK Uber rider, this could include me; I haven't received any notification of the data breach from Uber as yet. The stolen information included names, email addresses, and phone numbers. Uber can expect enforcement action from regulators on both sides of the pond; the UK Information Commissioner's Office (ICO) said it had "huge concerns" about the breach and was investigating.

Jewson, Cash Converters, and Imgur all reported losing data due to hacks this month, while Equifax has reported suffering significant negative financial losses following their high profile hack of personal customer data. Equifax reported their net income had dropped by £20 million due to the hack, and their breach bill was coming in at a whopping £67 million.

November was a very busy month for security patch releases, with Microsoft, Apple, Adobe, Oracle, Cisco and Intel releasing a raft of patches to fix critical vulnerabilities. Apple even had to quickly release an emergency patch at the end of November to fix a root access flaw reported in macOS High Sierra version 10.13.1. So just keep patching everything in IT to ensure you and your business stay ahead of enterprising cybercriminals; the Equifax breach is a prime example of what can go wrong if system patching is neglected.

November also saw the Open Web Application Security Project (OWASP) finally release an updated version of its Top Ten application vulnerabilities list, which is ‘must know’ secure coding best practice for all software developers and security testers, especially considering that Akamai reported web application attacks had increased by 69% in the third quarter of 2017. Look out for updated OWASP Top Ten IBM developerWorks guidance from me in December to reflect the updated list.
