CSO Online – GDPR: Where we were…and where we’re going

It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach

csoonline(This article first appeared in CSO Online here.)

The plethora of data breaches within the past few years have set off alarms for organizations, especially their IT managers. We’ve seen that many attacks weren’t secured with the appropriate controls and protection, which left sensitive data vulnerable to hackers. As a result of these countless attacks, last month, the General Data Protection Regulation (GDPR) was finally enacted in the EU to ensure that if breaches occur, then consumer information would be guarded.

The law represents the most substantial modification to data protection in the Union since 1995. Replacing the previously adopted directive, the regulation has authority over all EU states to provide uniformed data protection. However, member states of the Union aren’t the only ones impacted by this regulation, any company doing business in the region must comply. Companies based in the United States are being held accountable along with other non-EU countries, and so, many companies have been making internal alterations to avoid the severe penalties for non-compliance.

Taking a look at the past

If there’s one thing we’ve learned from recent history, it’s that we have a growing data security crisis. According to the Breach Level Index (BLI), 2.6 billion records were stolen, lost or exposed globally in 2017. Since the BLI began tracking breaches five years ago, nearly 10 billion records have been compromised. Between 2016 and 2017 alone, we witnessed an 87.5 percent jump in the number of breached records. There is a chance that these numbers will increase, because there are still breaches that go unreported.

It’s difficult to turn a blind eye to the news as there is a story about a major security breach where consumer data is either accessed or stolen every week. The BLI revealed that 1,453 data incidents occurred in the United States last year. Even well-known companies that we all trust with our personal and financial information have been affected, including Facebook, Uber, and Equifax.

The most distressing thing is not the number of incidents but the scale of the attacks that affects thousands and sometimes millions of users. While the reporting requirements of GDPR make the problem more visible, it becomes apparent that conventional data security and breach prevention measures would not be able to provide adequate defense against pervasive cyberthreats.

GDPR is here

One of the most important obligations in the new law is to alert authorities and affected individuals when a data breach takes place. Organizations with careless security procedures will be exposed in time and might face financial penalties. The level of transparency that is mandatory as stated in the disclosure documents, opens the door for organizations to be publicly shamed after suffering a data breach. Service providers who manage consumer data, such as cloud providers, will be held responsible. Companies are also being forced to adopt certain security measures to mitigate threats and possible consequences after experiencing an attack.

What companies should be doing if they haven’t already

Before its implementation, GDPR was changing attitudes and brought data protection to the forefront of a business’ priority checklist. Now that the regulation is active, what steps do businesses need to keep in mind while ensuring they are compliant? We’ve included our three-step approach to data protection below:

1. Sensitive data must be encrypted

Encryption has been mentioned by the European Union Agency for Network and Information Security (ENISA) as a critical and effective base to reach legal benchmarks for security and control in rendering data unintelligible. In other words, companies should secure data at the application level, while it is in motion, and when it is stored. This approach shouldn’t be limited to financial data but should be used for all valuable data of involved parties.

2. Encryption keys are stored and managed

A common error that companies commit is storing the keys where the data dwells. In doing so, they leave private information at risk of being exposed. Organizations must remember that their data is only as secure and accessible as the keys used to encrypt the information. Crypto management platforms consider this risk and are able to create, rotate and delete keys. Using hardware security modules, extra trust anchors for encryption keys are provided.

3. Controlled access

Evaluating current risks in an organization can help align entry controls with specific data processing situations. An authentication strategy must be established to safeguard user identities and allow authorized users to access systems and other data. Efficient controls use systems like multi-factor authentication that require an added level of verification, a passcode sent to a cell phone for example.

Looking ahead

Today, being breached is not a question of “if” but “when.” Therefore, security professionals always need to think about conducting risk analysis to prevent, detect, and block data breaches. A necessary foundation to reach this level of security is provided by encryption solutions. When encryption is combined with other protection measures, these appliances form a robust basis for achieving compliance with GDPR.

Now that the regulation is effective, it’s time to move quickly (if you haven’t already). Companies need to start taking steps to change their outlook on security when protecting user data. It’s clear that conventional methods to data security aren’t working anymore, so it’s time to step away from breach prevention and focus on a “secure breach” approach.

This article first appeared in CSO Online here.

Leave a Reply