Lack of confidence in data security can cost you more than you think

csoonline(This article first appeared on CSO Online here.)

The majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers.

The European Union’s General Data Protection Regulation (GDPR) came into effect almost two months ago. Leading the way to a new era of data protection, the long-awaited GDPR has emphasized the importance of data security more than ever before. Besides tarnishing their reputation, businesses face the risk of encountering large fines if they don’t align with the regulation.

Although cybersecurity is top of mind for most organizations with the new law, they still feel uncertain about their data protection practices. Recent research from Gemalto, its fifth-annual Data Security Confidence Index, which surveyed 1,050 IT professionals and 10,500 consumers globally, revealed that businesses differ in their capability to study data that has been collected. Shockingly, two in three companies (65%) admit they don’t have the proper resources to analyze data and therefore are unable to do so.

The European Union’s General Data Protection Regulation (GDPR) came into effect almost two months ago. Leading the way to a new era of data protection, the long-awaited GDPR has emphasized the importance of data security more than ever before. Besides tarnishing their reputation, businesses face the risk of encountering large fines if they don’t align with the regulation.

Although cybersecurity is top of mind for most organizations with the new law, they still feel uncertain about their data protection practices. Recent research from Gemalto, its fifth-annual Data Security Confidence Index, which surveyed 1,050 IT professionals and 10,500 consumers globally, revealed that businesses differ in their capability to study data that has been collected. Shockingly, two in three companies (65%) admit they don’t have the proper resources to analyze data and therefore are unable to do so.

This finding forces me to think – the majority of companies don’t understand the value of their data, because they aren’t taking the necessary steps to study the information they are gathering from customers. That’s why organizations are stunted in the process of applying appropriate security controls to protect the valuable information they possess. Unsecured data is a hacker’s dream. Attackers can offer it up to the dark web or use ransomware, causing financial loss and reputation damage. It can take years to uncover data manipulation, which can put everything from an organization’s business strategy to product development at risk. In today’s digital world, data informs everything, so its value cannot be underestimated. We’ve all seen our fair share of breaches this past year that illustrate how detrimental they can be to an organization.

Organizations have gaps in confidence levels

Almost half of IT professionals say perimeter security is effective at keeping unauthorized users out of their networks. However, two thirds of them believe unauthorized users can access their corporate networks and less than half are confident in the security of their data once cyberhackers are inside.

With that being said, more than half of companies don’t know where all of their data is stored. Moreover, more than two thirds admit they don’t carry out all the processes aligned with data protection guidelines such as GDPR.

This gap in people’s confidence in their organization’s data protection policies indicates the reason for continuous breaches: twenty-seven percent of organizations reported their perimeter security was breached last year. Of those that had suffered an attack, only 10% of the compromised data was protected by encryption, leaving the rest exposed. In order to secure their networks IT professionals, need to use encryption, which, paired with other solutions, will provide an essential security base for a robust system needed to guard sensitive information.

Crucial steps for strong security

When it comes to cybersecurity it’s a valid question to ask, “Who’s in charge?”It’s crucial for organizations to get their houses in order, starting with determining who will be responsible for overseeing security measures. Every executive board needs to have a Data Protection Officer, a chief individual who leads data security from the top down. Second, organizations must organize, and study collected data to properly protect it and make informed business decisions. Lastly, IT pros need to change their outlook on security as a whole. It’s no longer a case of if, but when a breach occurs. Therefore, organizations should implement a comprehensive approach to cybersecurity, using methods such as encryption, two-factor authentication, and key management in addition to perimeter protection.

These critical steps aren’t solely for the sake of companies, but also for consumers who have data records tied to these businesses. The vast majority of consumers say it’s imperative that organizations comply with data regulations due to their growing understanding of breaches and communications around GDPR. Actually, fifty-four percent of consumers are aware of what encryption is, which shows knowledge of how data should be protected.

Cost of poor data security

Over the years, security experts’ predictions about potential costs of a breach have been increasing. Cybersecurity Ventures estimates the costs related to cybercrime damages to reach $6 trillion by 2021. From upgrading IT infrastructure to paying legal fees and government fines – many costs are either tangible or intangible. We’ve now reached the tipping point on the implications of data breaches, that can negatively affect company’s market value and ruin the reputation of the corporate and management teams.

With pressure to ensure consumer data is protected and the risks and costs of breaches growing, organizations need to take immediate steps to transform their approach to data security. Companies need to have confidence in how they gather, analyze, and store their information. Only having this understanding and ensuring compliance, they will be able to adopt effective security measures.

This article first appeared on CSO Online here.

CSO Online – GDPR: Where we were…and where we’re going

It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach

csoonline(This article first appeared in CSO Online here.)

The plethora of data breaches within the past few years have set off alarms for organizations, especially their IT managers. We’ve seen that many attacks weren’t secured with the appropriate controls and protection, which left sensitive data vulnerable to hackers. As a result of these countless attacks, last month, the General Data Protection Regulation (GDPR) was finally enacted in the EU to ensure that if breaches occur, then consumer information would be guarded.

The law represents the most substantial modification to data protection in the Union since 1995. Replacing the previously adopted directive, the regulation has authority over all EU states to provide uniformed data protection. However, member states of the Union aren’t the only ones impacted by this regulation, any company doing business in the region must comply. Companies based in the United States are being held accountable along with other non-EU countries, and so, many companies have been making internal alterations to avoid the severe penalties for non-compliance.

Taking a look at the past

If there’s one thing we’ve learned from recent history, it’s that we have a growing data security crisis. According to the Breach Level Index (BLI), 2.6 billion records were stolen, lost or exposed globally in 2017. Since the BLI began tracking breaches five years ago, nearly 10 billion records have been compromised. Between 2016 and 2017 alone, we witnessed an 87.5 percent jump in the number of breached records. There is a chance that these numbers will increase, because there are still breaches that go unreported.

It’s difficult to turn a blind eye to the news as there is a story about a major security breach where consumer data is either accessed or stolen every week. The BLI revealed that 1,453 data incidents occurred in the United States last year. Even well-known companies that we all trust with our personal and financial information have been affected, including Facebook, Uber, and Equifax.

The most distressing thing is not the number of incidents but the scale of the attacks that affects thousands and sometimes millions of users. While the reporting requirements of GDPR make the problem more visible, it becomes apparent that conventional data security and breach prevention measures would not be able to provide adequate defense against pervasive cyberthreats.

GDPR is here

One of the most important obligations in the new law is to alert authorities and affected individuals when a data breach takes place. Organizations with careless security procedures will be exposed in time and might face financial penalties. The level of transparency that is mandatory as stated in the disclosure documents, opens the door for organizations to be publicly shamed after suffering a data breach. Service providers who manage consumer data, such as cloud providers, will be held responsible. Companies are also being forced to adopt certain security measures to mitigate threats and possible consequences after experiencing an attack.

What companies should be doing if they haven’t already

Before its implementation, GDPR was changing attitudes and brought data protection to the forefront of a business’ priority checklist. Now that the regulation is active, what steps do businesses need to keep in mind while ensuring they are compliant? We’ve included our three-step approach to data protection below:

1. Sensitive data must be encrypted

Encryption has been mentioned by the European Union Agency for Network and Information Security (ENISA) as a critical and effective base to reach legal benchmarks for security and control in rendering data unintelligible. In other words, companies should secure data at the application level, while it is in motion, and when it is stored. This approach shouldn’t be limited to financial data but should be used for all valuable data of involved parties.

2. Encryption keys are stored and managed

A common error that companies commit is storing the keys where the data dwells. In doing so, they leave private information at risk of being exposed. Organizations must remember that their data is only as secure and accessible as the keys used to encrypt the information. Crypto management platforms consider this risk and are able to create, rotate and delete keys. Using hardware security modules, extra trust anchors for encryption keys are provided.

3. Controlled access

Evaluating current risks in an organization can help align entry controls with specific data processing situations. An authentication strategy must be established to safeguard user identities and allow authorized users to access systems and other data. Efficient controls use systems like multi-factor authentication that require an added level of verification, a passcode sent to a cell phone for example.

Looking ahead

Today, being breached is not a question of “if” but “when.” Therefore, security professionals always need to think about conducting risk analysis to prevent, detect, and block data breaches. A necessary foundation to reach this level of security is provided by encryption solutions. When encryption is combined with other protection measures, these appliances form a robust basis for achieving compliance with GDPR.

Now that the regulation is effective, it’s time to move quickly (if you haven’t already). Companies need to start taking steps to change their outlook on security when protecting user data. It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach.

This article first appeared in CSO Online here.

GDPR Report – More than 2.5 billion records stolen or compromised in 2017

gdprreport-logogNew findings of the Breach Level Index were released today by Gemalto, revealing that 2.6 billion records were stolen, lost or exposed worldwide in 2017, an 88% increase from 2016. While data breach incidents decreased by 11%, 2017 was the first year publicly disclosed breaches surpassed more than two billion compromised data records since the Breach Level Index began tracking data breaches in 2013.

“The manipulation of data or data integrity attacks pose an arguably more unknown threat for organisations to combat than simple data theft, as it can allow hackers to alter anything from sales numbers to intellectual property. By nature, data integrity breaches are often difficult to identify and in many cases, where this type of attack has occurred, we have yet to see the real impact,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. In the event that the confidentiality, or privacy, of the data is breached, an organisation must have controls, such as encryption, key management and user access management, in place to ensure that integrity of the data isn’t tampered with and it can still be trusted. Regardless of any concerns around manipulation, these controls would protect the data in situ and render it useless the moment it’s stolen.”

To read the full article click here.

GDPR Report – GDPR Summit London: Should you be worried about a data breach?

gdprreport-logogReports of business data breaches have unfortunately become commonplace. This week, the corporate finance giant Deloitte has suffered a cyber-attack that compromised confidential data, including the private emails of some of its clients.

More than ever, businesses need to ensure their data is protected from outside threats. Jason Hart, CTO of Data Protection at Gemalto said about the news of the Deloitte breach:

“Today’s announcement that Deloitte was hacked is not a surprise. Breaches will – and ARE continuing to happen—to expect otherwise would be unrealistic. As an industry, we need to truly know our surroundings, meaning knowing exactly where data resides, who has access to it, how it is transferred, when it is encrypted/decrypted – really the entire supply change of digital users and the data. Of the 1.9 billion data records compromised worldwide in the first half of 2017, less than 1% used encryption to render the information useless.

“We need a data-centric view of threats means using better identity and access control techniques, multi-factor authentication and encryption and key management to secure sensitive data. This is, even more, pressing with new and updated government mandates like the 2015 Digital Privacy Act in Canada, the GDPR in Europe, as well as U.S state-based and APAC country-based breach disclosure laws.”

To read the full article click here. 

Oct. 4th 2017 – IPEXPO Europe – GDPR Blueprint; Tackling Confidentially, Integrity and Availability of Data

ipe17-logo-pngThe new EU regulation of the Privacy world (the GDPR) is rapidly approaching.  Jason Hart will reveal a back to basics approach in relation to GDPR. Specifically, we will identify a GDPR blueprint that tackles the privacy concerns around confidentiality, integrity and availability of sensitive data.

October 4th, 2017. Session time: 14:30-14:50

 

For more info. and to access to the seminar planner, click here.

CyberSecurity Insiders – 6 steps to prepare for post Brexit GDPR compliance

cyber-insider-logo[ This article was originally published here ]

With new data protection laws on the way, UK businesses have run out of excuses, writes Jason Hart, CTO, Gemalto

Ever since the vote to leave the EU last year, it’s been unclear how much, if any, of the incoming GDPR legislation would be applied in the UK. Thankfully, the government has taken this on board, and today revealed plans to improve our current data protection legislation.

This updated law aims to:

  1. Transfer the European Union’s current General Data Protection Regulation into UK law
  2. Grant the UK’s data protection watchdog new powers to levy bigger fines on firms that break laws
  3. Give UK citizens more control over what happens to their personal information, such as asking for personal data posted when they were children to be deleted

This overhaul of UK data protection law is a big step towards updating the country’s approach to cybersecurity. By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust.

Incorporating the incoming GDPR legislation into UK law is an important step, as it will dispel any uncertainty businesses had around its fate post-Brexit. With the deadline for compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.

Six steps every business should undertake ahead of GDPR
While it’s all well and good talking about compliance, it’s another thing entirely to understand the steps a business must take to work towards it. So, what does a business need to do, to ensure it’s protecting the data it holds? Below are six steps every business should undertake on its journey towards GDPR compliance.

Step one – Get to grips with GDPR’s legal framework
The first step that any business needs to take is to understand how each aspect of the legislation apply to them. By conducting a full audit against the GDPR legal framework, a business will need to understand what it needs to do and what the consequences for failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet this. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed ensure the whole company understands how to be compliant.

Step two – Create a Data Register
Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

Step three – Classify data
While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personal Identifiable Information – information that can directly or indirectly identify someone – of EU citizens. It’s crucial to know where this is stored, who can access it, who it has been shared with etc. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.

Step four – Identify the top priorities 
Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or psuedonymisation). The evaluation must explore: any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is not needed.

Step five – Document and assess any additional risks and processes 
Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat
Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

The basis of this new data protection bill and GDPR is to push businesses into action and start putting security at the top of the agenda. When next May comes around, businesses won’t be able to hide anymore. It’s vital to start making the preparations for compliance now, before it’s too late. It’s not a case of if, but when, a breach occurs and that revelation could cause serious damage to their reputation. Not only this, but businesses will also face severe fines. With just a year to go, there are no longer any excuses for businesses when it comes to protecting their customers data.

What can you do to prepare for the emerging GDPR requirements? Read Preparing for the General Data Protection Regulation.

6 steps to prepare for post Brexit GDPR compliance

Ever since the vote to leave Are you ready for GDPR? the EU last year, it’s been unclear how much, if any, of the incoming GDPR legislation would be applied in the UK. Thankfully, the government has taken this on board, and today revealed plans to improve our current data protection legislation.

This updated law aims to:

  1. Transfer the European Union’s current General Data Protection Regulation into UK law
  2. Grant the UK’s data protection watchdog new powers to levy bigger fines on firms that break laws
  3. Give UK citizens more control over what happens to their personal information, such as asking for personal data posted when they were children to be deleted

This overhaul of UK data protection law is a big step towards updating the country’s approach to cybersecurity. By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust.

Incorporating the incoming GDPR legislation into UK law is an important step, as it will dispel any uncertainty businesses had around its fate post-Brexit. With the deadline for compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.

Six steps every business should undertake ahead of GDPR
While it’s all well and good talking about compliance, it’s another thing entirely to understand the steps a business must take to work towards it. So, what does a business need to do, to ensure it’s protecting the data it holds? Below are six steps every business should undertake on its journey towards GDPR compliance.

Step one – Get to grips with GDPR’s legal framework
The first step that any business needs to take is to understand how each aspect of the legislation apply to them. By conducting a full audit against the GDPR legal framework, a business will need to understand what it needs to do and what the consequences for failing to do so are. As part of this compliance audit, a business should hire a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulations. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical specifications and the regulatory framework needed to meet this. Every organisation is different, and so no GDPR journey will look the same – correct guidance from business leaders to employees is needed ensure the whole company understands how to be compliant.

Step two – Create a Data Register
Once a business understands the steps they need to take, it’s important that they keep a record of the process. This is best done with a Data Register – essentially a GDPR diary. The Data Protection Association (DPA) of each country will enforce GDPR, and be responsible for judging if a business is compliant when determining any penalties for being breached. In this event, the Data Register will be a crucial tool for demonstrating the progress the affected business has made in becoming compliant. If they have no proof, the DPA would be able to fine between 2% and 4% of the company’s turnover. The amount and speed of the DPA’s decision would depend on the sensitivity of the data.

Step three – Classify data
While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any Personal Identifiable Information – information that can directly or indirectly identify someone – of EU citizens. It’s crucial to know where this is stored, who can access it, who it has been shared with etc. It can then determine which data is more vital to protect. In addition to this, it’s important to know who is responsible for controlling and processing the data, and making sure all the correct contracts are in place.

Step four – Identify the top priorities 
Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves if they need the sensitive data they have collected – this data is worth a lot to a hacker, and has the greatest risk of being stolen. Businesses should complete a Privacy Impact Assessment and Data Protection Impact Assessment of all security policies. When doing this, it’s important to keep the rights of EU citizens in mind, including restrictions of processing and data portability. In particular, any data third parties use to identify someone must be deleted if requested by that individual and approved by the EU. It’s crucial that all this data is correctly and promptly destroyed and can’t be accessed. This process is known as the “right to be forgotten”.

Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or psuedonymisation). The evaluation must explore: any historical data, the data being produced and any data that is backed up – either on-site or in the cloud. This data must be anonymised to protect the privacy and identities of the citizens it relates to. All data needs to be protected from the day it is generated to the day it is not needed.

Step five – Document and assess any additional risks and processes 
Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat
Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

The basis of this new data protection bill and GDPR is to push businesses into action and start putting security at the top of the agenda. When next May comes around, businesses won’t be able to hide anymore. It’s vital to start making the preparations for compliance now, before it’s too late. It’s not a case of if, but when, a breach occurs and that revelation could cause serious damage to their reputation. Not only this, but businesses will also face severe fines. With just a year to go, there are no longer any excuses for businesses when it comes to protecting their customers data.

What can you do to prepare for the emerging GDPR requirements? Read Preparing for the General Data Protection Regulation.

eWEEK – Enterprises Overconfident About Perimeter Security, Gemalto Finds

logo_eweekThe 2017 Data Security Confidence Index Report reveals gaps between organizations’ perceptions of what keeps them secure and what actually works.

“One of the things that continues to show up every year, and I would have expected it to change, is the investment and perception of perimeter security versus the reality of its effectiveness,” Jason Hart, vice president and chief technology officer for data protection at Gemalto, told eWEEK. “As security professionals, I find it interesting we can know something doesn’t work but are willing to do it for the perceived security value.”

Hart added that sometimes a perceived sense of security is the motivation for unwarranted investments in perimeter security. He noted that Gemalto’s report found that only 8 percent of organizations encrypt data, which actually is a more effective security mechanism because it reduces the value of data if it’s stolen.

To read the full article click here.

SC Media – Research: businesses over confident about ability to fend off hackers

scmediaCombining the prioritisation of perimeter security and lack of knowledge in data security, according to Gemalto, is brewing an environment where businesses will soon lack the ability to fend off complex cyber-attacks.

“It is clear that there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, vice president and chief technology officer for Data Protection at Gemalto.

“By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data. Businesses need to be aware that hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise, reality will inevitably bite those that fail to do so.”

To read the full article click here.

freshbusinessthinking.com – Businesses overly confident about keeping hackers at bay

fbt-new-logoDespite the increasing number of data breaches and nearly 1.4 billion data records being lost or stolen in 2016,  the vast majority of IT professionals still believe perimeter security is effective at keeping unauthorised users out of their networks.

“It is clear that there is a divide between organisations’ perceptions of the effectiveness of perimeter security and the reality,” said Jason Hart, Vice President and Chief Technology Officer for Data Protection at Gemalto. “By believing that their data is already secure, businesses are failing to prioritise the measures necessary to protect their data. Businesses need to be aware that hackers are after a company’s most valuable asset – data. It’s important to focus on protecting this resource, otherwise reality will inevitably bite those that fail to do so.”

Hart continues, “Investing in cybersecurity has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cybersecurity will face severe legal, financial and reputational consequences.”

To read the full article click here.