How to Build and Enable a Cyber Target Operating Model

Cybersecurity is complex and ever-changing. Organisations should be able to evaluate their capabilities and identify areas where improvement is needed.

In my recent webinar “Foundational Components to Enable a Cyber Target Operating Model,” – part two of our Cybersecurity Series – I explained the journey to a targeted operating cybersecurity model. Building a cybersecurity program starts with understanding your business context. Hart explains how organisations can use this information to map out their cyber risk profile and identify areas for improvement.

Organisations require an integrated approach to manage all aspects of their cyber risk holistically and efficiently. They need to be able to manage their information security program as part of their overall risk management strategy to address both internal and external cyber threats effectively.

Identifying priority areas to begin the cyber target operating model journey

You should first determine what data is most important to protect, where it resides, and who has access to it. Once you’ve pinned down these areas, you can identify each responsible business function to create a list of priorities. We suggest mapping out:

  • All the types of data within your organisation
  • All locations where the data resides, including cloud, database, virtual machine, desktops, and servers
  • All the people that have access to the data and its locations
  • The business function associated with each area

Once you have identified the most recurring business functions, you can list your priority areas. Only 12% of our webinar audience said they were confident in understanding their organisation’s type of data.

Foundations to identify risk, protection, detection, response, and recovery

To start operationalising cybersecurity within a targeted area, we first set the maturity of each foundation. A strong foundation will help ensure all systems are protected from attacks and emerging threats. People play a critical role in providing protection and cyber resilience. They should be aware of potential risks so they can take appropriate actions to protect themselves and their business function.

1. Culture

A set of values shared by everyone in an organisation determines how people think and approach cybersecurity. Your culture should emphasise, reinforce, and drive behaviour to create a resilient workforce.

Every security awareness program should, at minimum, communicate security policy requirements to staff. Tracking employee policy acknowledgements will ensure your workforce is aware of the policy and helps you meet compliance requirements.

A quick response can reduce damages from an attack. Security awareness training should teach your workforce how to self-report incidents, malicious files, or phishing emails. This metric will prove you have safeguards in place. Tailor security awareness training to employees’ roles and functions to measure the effectiveness of each department.

2. Measurement

Measuring the ability to identify, protect, detect, respond, and recover from cybersecurity risks and threats enables a robust operating model. The best approach requires an understanding of what your most significant risks are. Consider analysing the following:

  • Phishing rate: A reduction in the phishing rate over time provides increased awareness of security threats and the effectiveness of awareness training. Leverage a phishing simulation to document the open rates per business function to track phishing risks.
  • The number of security breaches: Track and record the number of new incidents and breaches every month. Measure a monthly percentage increase or decrease.
  • Mean time to detect (MTTD): Calculate how long it takes your team to become aware of indicators of compromise and other security threats. To calculate MTTD, take the sum of the hours spent detecting, acknowledging, and resolving an alert, and divide it by the number of incidents.
  • Patching cadence: Determine how long it takes to implement application security patches or mitigate high-risk CVE-listed vulnerabilities.
  • Mean time to recovery (MTTR): Take the sum of downtime for a given period and divide it by the number of incidents. For example, if you had 20 minutes of downtime caused by two different events over two days, your MTTR is 20 divided by two, equalling 10 minutes.
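The five metrics above are defined in words; the following script, added here as an example and not part of the webinar material, computes each of them from small constructed data sets using exactly the definitions given in the list (MTTD as the sum of detect, acknowledge and resolve hours divided by the incident count; MTTR as total downtime divided by the incident count; patching cadence as mean days from a patch becoming available to deployment). The business function names, incident records and CVE identifiers are placeholders.

```python
"""Security KPI calculations for the measurement foundation.

Added example (not from the webinar). All data below is constructed; the
functions follow the article's definitions of each metric.
"""
from collections import OrderedDict
from datetime import date

# Constructed phishing-simulation results per business function.
PHISHING_SIM = [
    {"function": "finance", "sent": 50, "opened": 10},
    {"function": "engineering", "sent": 80, "opened": 4},
    {"function": "sales", "sent": 40, "opened": 12},
]

# Constructed incident records (hours per phase, downtime in minutes).
INCIDENTS = [
    {"id": "INC-1", "month": "2023-01", "detect_h": 2.0, "ack_h": 0.5, "resolve_h": 3.5, "downtime_min": 12},
    {"id": "INC-2", "month": "2023-01", "detect_h": 6.0, "ack_h": 1.0, "resolve_h": 5.0, "downtime_min": 8},
    {"id": "INC-3", "month": "2023-02", "detect_h": 1.0, "ack_h": 0.5, "resolve_h": 1.5, "downtime_min": 0},
]

# Constructed patch records for high-risk vulnerabilities; the CVE ids are
# placeholders, not real identifiers.
PATCHES = [
    {"cve": "CVE-PLACEHOLDER-A", "published": date(2023, 1, 3), "deployed": date(2023, 1, 10)},
    {"cve": "CVE-PLACEHOLDER-B", "published": date(2023, 1, 15), "deployed": date(2023, 1, 18)},
]


def phishing_rate_by_function(results):
    """Open rate (opened / sent) per business function, as a fraction."""
    return {r["function"]: r["opened"] / r["sent"] for r in results}


def monthly_breach_trend(incidents):
    """Incident count per month and the percentage change from the previous month."""
    counts = OrderedDict()
    for inc in sorted(incidents, key=lambda i: i["month"]):
        counts[inc["month"]] = counts.get(inc["month"], 0) + 1
    trend, previous = [], None
    for month, count in counts.items():
        change = None if previous is None else (count - previous) / previous * 100.0
        trend.append({"month": month, "count": count, "pct_change": change})
        previous = count
    return trend


def mttd_hours(incidents):
    """Mean time to detect, using the article's definition: hours spent
    detecting, acknowledging and resolving, divided by the number of incidents."""
    total = sum(i["detect_h"] + i["ack_h"] + i["resolve_h"] for i in incidents)
    return total / len(incidents)


def mttr_minutes(incidents):
    """Mean time to recovery: total downtime divided by the number of incidents."""
    return sum(i["downtime_min"] for i in incidents) / len(incidents)


def patching_cadence_days(patches):
    """Mean number of days between a patch becoming available and its deployment."""
    return sum((p["deployed"] - p["published"]).days for p in patches) / len(patches)


if __name__ == "__main__":
    print("phishing rate:", phishing_rate_by_function(PHISHING_SIM))
    print("breach trend:", monthly_breach_trend(INCIDENTS))
    print("MTTD (h):", mttd_hours(INCIDENTS))
    print("MTTR (min):", mttr_minutes(INCIDENTS))
    print("patch cadence (days):", patching_cadence_days(PATCHES))
```

Each function takes the records as an argument, so the same code can be pointed at exports from a ticketing or SIEM system; the article's own MTTR illustration (20 minutes of downtime across two events) reproduces as 10 minutes when two records with 12 and 8 minutes of downtime are passed in.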

3. Accountability

Accountability is the security goal that requires the actions of an entity to be traced uniquely to that entity, supporting non-repudiation, deterrence, fault isolation, intrusion detection and prevention, after-action recovery, and legal action.

The quality of your incident response plan will determine how much time passes between assigning tasks to different business functions. Calculate the mean time between a business function becoming aware of a cyber attack and its response. Additionally, calculate the mean time to resolve a cyber attack once a function has become aware of it, by measuring how much time passes between assigning tasks to different business functions.

Also, consider recording how internal stakeholders perform with awareness or other security program efforts to track the effectiveness of training.

4. Process

Processes are critical to implementing an effective strategy and help maintain and support operationalising cybersecurity.

To track the growth in identified risks, record the month-on-month percentage change in the number of risks identified across the business. Identify risks accepted by stakeholders and vendors monthly, and hold regular information security forums between business functions to review progress. It’s also wise to document meeting notes and actions for compliance and internal reference.

5. Resources

Ownership of cybersecurity across the business creates knowledge to manage, maintain and operate cybersecurity.

When determining the effectiveness of resources, analyse what level of training you give each level of stakeholder. For example, training for administrative staff will differ from training targeted at executives.

Calculate the engagement levels of input and feedback from previous awareness training and record positive and negative feedback from all stakeholders. Ensure that different parts of the business have the required skill level and knowledge within the business function’s scope. Use a skills matrix aligned to security domains to uncover stakeholders’ hidden knowledge or skill gaps.

6. Automation

The automation of security tasks includes administrative duties, incident detection, response, and risk identification.

Consider implementing automation in vulnerability management processes, both internal and external to the business. Additionally, automate the detection of intrusion attempts and malicious actions that try to breach your networks. Finally, automate patch management actions on all assets within scope, assessing the number of patches deployed per month by environment (e.g. cloud).

A journey that delivers outcomes

A cyber-targeted operating model is a unique approach that provides defensibility, detectability, and accountability. The model is based on the idea that you can’t protect what you don’t know and aims to provide a holistic view of your organisation’s security posture. By identifying the most critical business functions and defining a process for each foundation, you can develop your cyber maturity over time.

To get the maximum benefit from Cybersecurity Series: Hackers ‘re Gonna Hack, watch Part One: Operationalising Cybersecurity to benchmark your existing maturity against the six foundational components. Watch Part 2: Foundational Components to Enable a Cyber Target Operating Model on-demand, or pre-register for Part Three: Cybersecurity KPIs to Track and Share with Your Board to begin mapping against your priority areas. Attendees will receive a complete list of Cybersecurity KPIs that align with the maturity level of your organisation.

How to Ensure Your Digital Security During the Rugby World Cup

This post first appeared on the Thales eSecurity Blog here.

Now that it’s September, the excitement is beginning to build in earnest for the 2019 Rugby World Cup. Sports fans aren’t the only ones who are looking forward to this event. Unfortunately, digital criminals are also closely following the buzz surrounding this tournament.

It’s not like bad actors haven’t taken an interest in major sporting events before. At the 2018 Winter Olympic Games held in PyeongChang, for instance, cyber criminals leveraged a previously unknown family of malware called Olympic Destroyer to attack the Games’ servers just before the opening ceremony. This incident prevented many spectators from printing out their tickets, thereby robbing them of the chance to attend the ceremony. Just a couple of months after that, World Rugby itself announced that one of its training websites had suffered a security breach that exposed subscribers’ account information.

Japan, the host country of both the 2019 Rugby World Cup and the 2020 Summer Olympic Games, is well-aware of these previous incidents. That’s why it announced it would pursue two measures designed to strengthen its national digital security posture ahead of these sporting events. First, it said that it would invest in cultivating military assets in the digital space, as reported by the Organization for World Peace. Second, Japan announced that the government-backed National Institute of Information and Communications Technology would conduct a national scan of Internet of Things (IoT) devices. The country said that it would use the consent of Internet service providers to check routers, webcams and other devices for potential security vulnerabilities, per NDTV.

That being said, neither Japan nor World Rugby can keep users safe against every digital threat out there. In fact, World Rugby made a note of this in its privacy policy for the 2019 World Cup:

The security of the information you provide is very important to us and we try to provide secure transmission of your information. While we strive to protect your personal information, we cannot guarantee the security of any data transmission over the Internet…. We urge you to take precautions to protect your personal information when you are on the Internet.

Users can help protect their personal data by using a VPN and protecting each of their web accounts with a strong, unique password. Regarding the 2019 Rugby World Cup, they should also follow a few additional security best practices. These include:

  1. Stay away from fraudulent apps: It’s common for digital attackers to capitalize on sporting events like the Rugby World Cup by creating lookalike apps. These programs frequently abuse stolen branding to infect unsuspecting users with malware or steal their personal data. To protect themselves against this fraudulent software, users should make sure they download the official Rugby World app.
  2. Exercise caution around suspicious documents: Malicious actors commonly use suspicious documents to prey upon sports fans. During the 2018 World Cup, for instance, Trend Micro came across a document, detected as W2KM_POWLOAD.ZYFG-A, that claimed to predict the outcome of various game matches in the tournament. When opened, the document asked users to enable macros. Doing so displayed a fabricated game synopsis while macro code downloaded an infostealer capable of taking screenshots and keylogging. This attack highlights the importance of never enabling macros, especially when users come across suspicious documents.
  3. Look out for other types of fraud: Malefactors don’t limit themselves to undermining users’ digital security. Other attackers will use fake merchandise, illegitimate betting sites and ticket fraud to steal information and/or money from unsuspecting fans. These threats highlight why users should do their research and purchase tickets, buy merchandise and place bets on reputable websites only.

At the same time, organizations should take steps to protect their employees against scams that use the Rugby World Cup as a lure. They can do this by implementing security controls like encryption and multi-factor authentication (MFA) in order to prevent digital attackers from exposing their sensitive data and from gaining access to sensitive IT assets.

Thales is currently working with the French Rugby Federation to help improve player safety. For more information on this, read Satellite Navigation on the Rugby Field and watch this video on GeoNav IoT, A Secure GeoNav Solution.

In addition, visit the Thales eSecurity website for more information on our enterprise security solutions.

How Brexit Impacts the Future of Europe’s Cybersecurity Posture

This post first appeared on the Thales eSecurity Blog here.

The British parliament has been unable to agree the exit package from the European Union. With the possibility of a “no deal” departure looming, EU leaders have granted a six-month extension to Brexit day. But the uncertainty that still lingers with regard to Britain’s future creates various opportunities which cyber criminals could try to exploit.

Given the situation, careful examination of Brexit’s direct and indirect implications must be made, if we are to better understand the potential ramifications of a “no deal” exit. Let’s begin by looking at relevant regulations.

A brief look at current and future legal frameworks

The EU recently adopted two key pieces of legislation designed to govern cybersecurity and privacy issues. The first piece of legislation, the General Data Protection Regulation (GDPR)¹, regulates data protection and privacy for all individuals within the European Union (EU) and the European Economic Area (EEA). The second, the EU Network and Information Security Directive (NIS)², provides legal measures to boost the overall level of cybersecurity in the EU.

For its part, the United Kingdom incorporated GDPR into its Data Protection Act 2018³ and the NIS Directive into its NIS Regulations 2018⁴, a political choice showing that the UK strategically desires to be aligned and, to a certain extent, compliant with the new EU regulations.

Governing the transfer of data

On February 6, the UK government published “Using personal data after Brexit”⁹. The guideline reveals that post-Brexit UK businesses will still be able to send personal data from the UK to the EU and that the UK will continue to allow the free flow of personal data from the UK to the EU (and the EEA area).

Data originating from the EU that comes into the UK will be a different story. It is illegal for an EU Member State business or organisation to export data to a non-EEA entity without specific legal safeguards in place. Since post-Brexit UK could, depending on the method of exit, be considered a “third country,” UK businesses will be subject to these safeguards.

Current & Post-Brexit Threat Landscape

In the UK, the number of data breaches reported to the Data Protection Commission¹¹ rose by almost 70 percent last year, totaling 4,740 breaches during 2018. At the same time, UK organisations such as universities, businesses, online stores and social media (like Facebook) have been subject to breaches that affected millions of people.

Incident Handling

Today all European businesses, organisations and citizens can utilise a data breach reporting mechanism to notify only the Lead Supervisory Authority (LSA) in their country, to carry out investigations and to inform/coordinate with LSAs in other EU Member States in case of a cross-border cybersecurity incident.

In a post-Brexit future, UK-based businesses and organizations will need to legally notify not only the UK Lead Supervisory Authority, the Information Commissioner’s Office (ICO), but also each relevant Member State’s LSA.

Effects on the Workforce

What concerns me most is the cybersecurity skills shortage¹⁴. By limiting the right of free movement and enforcing stricter working visa requirements, Brexit could have a significant impact on the capability of Britain to fight against cyber criminals and nation state threats.

Additionally, UK based universities will potentially lose access to huge amounts of EU research funding because of Brexit.

What can we do to prepare?

On the cybersecurity front, UK companies will have to deal with a disappearing network perimeter, a rapidly expanding attack surface, the widening cybersecurity skills gap and the growing sophistication of cyber-attacks.

These issues are extremely difficult to deal with. In response, companies should focus on securing all sensitive data by encrypting all data at rest and in transit, securely storing and managing all encryption keys, and controlling user access and authentication. Doing so will help them stay safe in an increasingly uncertain world. With the rise in threats and the increasing value of data to cyber criminals, it’s important for businesses to know how they can adopt a Secure the Breach approach to protecting their most sensitive data and intellectual property.

GDPR One Year Anniversary: A Risk-Based approach to GDPR is key for achieving compliance

This post also appears on the Gemalto Enterprise Security blog here.

Data protection has become a global hot topic since the General Data Protection Regulation (GDPR) took effect on May 25th last year. On the 22nd of May 2019 the European Commission published an infographic on compliance with and enforcement of the GDPR from May 2018 to May 2019, and it is clear that a lot of work still needs to be done. Let’s very briefly recall what GDPR is and some of its key concepts, before discussing the steps and security controls that will bring your organization one step closer to compliance.

1. What is the General Data Protection Regulation?

Millions of people daily entrust their personal data and information to various entities, and with information sharing occurring virtually everywhere, at retail shops, healthcare centers, gyms, financial institutions or websites, typically these people don’t know where their data goes, what other processing is done on it, or by whom. GDPR is designed to bring an up-to-date approach to privacy and security into Europe, with its aim being to give EU citizens stronger control over the personal information they share with other entities, and to impose a uniform legal framework on all member states of the European Union.

To quickly summarize, GDPR mandates that Data Controllers (all the entities that control or process personal data) must have organizational processes in place and implement the proper technical measures in order to protect EU citizens’ personal data. This concept may seem self-evident and easy to implement, but in the real world trying to ensure compliance with GDPR has left many organizations struggling.

2. Who does the GDPR apply to?

The GDPR applies to businesses that collect and use personal information from citizens of the EU, regardless of where the business itself is located. This approach to privacy gives the GDPR a global reach: if a business offers goods or services to EU citizens or collects and analyzes their data, it needs to be compliant with the GDPR. The penalties for failing to comply with the GDPR are very severe, with fines of up to four percent of an organization’s yearly turnover or €20 million, whichever is greater, and other penalties could also apply to a range of privacy infringements.

3. What does the GDPR require?

The GDPR’s four main areas of focus are: Privacy rights, Data security, Data control and Governance.

As such, a few of the key considerations for achieving compliance with the regulation include the following:

3.1 Privacy by Design

At the core of GDPR is “Privacy by Design”, a concept created in the 1990s by Dr. Ann Cavoukian, the former Information and Privacy Commissioner for the Province of Ontario, Canada, which has since served as a best-practice guide for businesses for decades.

Privacy by Design refers to best practices, policies, procedures and data handling processes that are designed with privacy and data security in mind. Every aspect of a business, from the design of its Security and Privacy Policies, to the way it collects, uses and stores data from its employees and customers, must be shaped with in-depth privacy and security best practices from the get go.

3.2 GDPR’s Legal Bases for Data Processing

GDPR lists six possible legal bases for collecting consumer personal data, but for the vast majority of businesses the only possible legal bases that will apply are bases (i), (ii), and (iii) from the list below:

(i) Consent
(ii) To fulfill the legitimate interests of someone without intruding upon individual rights and freedoms
(iii) Fulfillment of a contract
(iv) Legal obligation
(v) Protection of someone’s vital interest
(vi) Public interest of vested authority

In the case of legitimate interests, a business must be able to prove to EU Data Protection Authorities (DPAs) that the collection of personal information is essential for fulfilling a specific service to its customers, and the business can only keep the personal data for as long as it takes to fulfill that service.

3.3 Breach Notifications

The GDPR mandates that a business must inform EU Data Protection Authorities (DPAs) very quickly (within 72 hours) and thoroughly of any security data breach involving European citizens.

4. What you can do as a CISO – A Risk-Based approach to GDPR is key

Although GDPR is a very complex regulation, at its core it is a legal framework designed to govern data protection. This means that GDPR’s main focus is the safeguarding of the personal information a business collects, creates, uses and shares, whether that PII is collected from its employees, customers or third-party partners. Because the information is collected from different sources, a business must take a risk-based approach to data protection to best assess and mitigate risks under GDPR.

4.1 Data Mapping Analysis

The first step a business must take is to invest enough time in understanding the nature and the types of personal data and the information it needs in order to fulfill its services by doing a Data Mapping and Information Flow analysis. The UK’s Information Commissioner’s Office provides for free a great template with a working example to help you achieve this task and a few key questions you’ll need to answer are:

Why do you use personal data?
Who do you hold information about?
What information do you hold about them?
How is the data used?
Who has access to the data?
Is the data shared with a third party?
Where is the data stored and for how long?

Only after discovering all of the data your organization possesses will you be able to determine whether you use it and store it in ways that do not create privacy and security risks for your employees, customers, and third-party partners. Once you have identified all of the data and determined how you use it, here are a few other steps you can take to best implement a risk-based approach to data protection across all your assets:

4.2 Conduct Data Protection/Privacy Impact Assessments

GDPR mandates that businesses must conduct DPIAs in the case of high-risk processing activities and many organizations in the EU already conduct Privacy impact Assessments (PIAs) as part of legal or regulatory obligations. A Data Protection Impact Assessment (DPIA), is a defined process for assessing whether the way your business collects, uses, stores and discloses the personal data of individuals creates any privacy risks. DPIAs specifically help us to identify privacy risks and upcoming security problems and they are great tools in helping us identify solutions and recommend appropriate security controls when necessary.

Also, by implementing a well-defined process to determine when DPIAs need to be conducted, businesses will be able to prove accountability to Data Protection Authorities (DPAs), thus getting one step closer to achieving full GDPR compliance.

4.3 Ensure Privacy and Security by Design and by Default

The GDPR requires privacy and security not only “by design,” as we explained earlier, but also “by default.” This means that industry best practices will now be mandated activities in the daily operations of your business and will need to be demonstrable to Data Protection Authorities (DPAs) if requested. That’s why organizations must take steps toward rethinking their security and privacy strategy and establishing privacy as a foundational principle in all of their operations.

4.4 Prove Accountability to Regulators

Finally, GDPR requires that organizations maintain detailed documentation of all their compliance efforts. To comply with this guideline, you must be prepared to show Data Protection Authorities (DPAs) evidence of your documented security policies and also demonstrate that your policies are being monitored and enforced regularly. Your goal is to be able to demonstrate that you are collecting, using, sharing, maintaining and disposing of personal information in responsible, ethical and lawful ways.

5. Security controls that you may already be implementing that also apply to GDPR

Now, let’s explore some key security controls that need to be in place for GDPR compliance, and if you are already implementing them into your organization you get the added bonus of “free” compliance:

5.1 Identity and Access Management (IDAM)

Having proper Identity and Access Management (IDAM) controls in place will help control and limit access to personal data to authorized employees only. Two key security principles apply to IDAM, the principles of least privilege and separation of duties, both ensuring that employees have access only to the personal data or assets needed for their job function.

IDAM helps us with GDPR compliance by ensuring that only those who need access to personal information in order to perform their job have that access. In this setup, security awareness and privacy training should be provided to all employees to ensure that the intended purpose for the collection of personal data is maintained.

5.2 Data Loss Prevention (DLP)

Data Loss Prevention (DLP) controls are technical controls that help us prevent the loss of personal data. These controls are critical in preventing a breach that may do irreversible damage to the business, and according to GDPR, organizations, whether they have the role of Data Controller or Data Processor of personal data, are held liable for the loss of any personal data they collect. Integrating DLP controls into your security strategy adds another layer of protection to the business, by controlling and restricting the transmission of personal data outside the corporate network.

5.3 Encryption & Pseudonymization

Encryption and pseudonymization are both techniques that we can use to prevent unauthorized access to personal data. Encryption is the process of converting information or data into a code, and pseudonymization replaces or removes information in a data set that identifies an individual. Pseudonymization in particular is something GDPR recommends but doesn’t require; however, if a security breach occurs, investigators will consider it a big plus if the organization responsible for the breach has implemented these types of technical controls and technologies as an added layer of security.
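To make the pseudonymization half of this concrete, here is an added example (not code from the original post) that replaces the identifying fields of a record with keyed HMAC-SHA256 tokens and keeps the token-to-value mapping in a separate table. The records, field names and key are constructed. A keyed hash is used rather than a plain hash because identifiers such as e-mail addresses have little entropy, so an unkeyed digest can be recomputed from a guessed value; with the key and the mapping table stored apart from the data set, the pseudonymized records alone no longer identify anyone, which is the “additional information kept separately” property that GDPR attaches to pseudonymization.

```python
"""Pseudonymization of personal-data records with a keyed hash.

Added example, not from the original post. Records and key are constructed.
"""
import hashlib
import hmac
import secrets

IDENTIFYING_FIELDS = ("name", "email")

# Constructed sample records; the third belongs to the same person as the first.
RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "purchases": 3},
    {"name": "Bob Example", "email": "bob@example.com", "purchases": 1},
    {"name": "Alice Example", "email": "alice@example.com", "purchases": 2},
]


def make_token(value, key):
    """Keyed token for one identifying value (HMAC-SHA256, truncated to 128 bits).
    The same value under the same key always yields the same token, so records
    about one person stay linkable for analytics without naming the person."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


def pseudonymize(records, key, fields=IDENTIFYING_FIELDS):
    """Return (pseudonymized records, re-identification table).

    The table maps (field, token) -> original value and must be stored
    separately from the pseudonymized data set, together with the key."""
    table = {}
    output = []
    for record in records:
        pseudo = dict(record)
        for field in fields:
            token = make_token(record[field], key)
            table[(field, token)] = record[field]
            pseudo[field] = token
        output.append(pseudo)
    return output, table


def reidentify(pseudo_record, table, fields=IDENTIFYING_FIELDS):
    """Restore the identifying fields of one record using the separately held table."""
    restored = dict(pseudo_record)
    for field in fields:
        restored[field] = table[(field, pseudo_record[field])]
    return restored


def leaks_identifiers(pseudo_records, original_records, fields=IDENTIFYING_FIELDS):
    """True if any original identifying value still appears verbatim in the
    pseudonymized data set; a simple check to run before releasing the data."""
    originals = {r[f] for r in original_records for f in fields}
    return any(r[f] in originals for r in pseudo_records for f in fields)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # generated per data set; keep with the table, not the data
    pseudo, table = pseudonymize(RECORDS, key)
    for row in pseudo:
        print(row)
    print("leaks identifiers:", leaks_identifiers(pseudo, RECORDS))
    print("re-identified:", reidentify(pseudo[1], table))
```

Encryption of the whole record (with keys held in a key-management system, as the Brexit post above recommends) is the complementary control: pseudonymization limits what an analyst or an attacker learns from the data set itself, while encryption protects the data set and the re-identification table at rest and in transit.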

5.4 Incident Response Plan (IRP):

This is self-explanatory: all businesses must have an Incident Response Plan (IRP), regardless of legal and compliance needs. A well-thought-out and tested IRP should have well-defined stages such as preparation, identification, containment, eradication, recovery and lessons learned. In the case of an incident that involves personal data, GDPR has some requirements for your organization, most notably breach notification, and in the case of high-risk breaches even informing the affected data subjects of the incident; both scenarios should be well covered by your IRP.

5.5 Third-Party Risk Management

GDPR compliance is just as important for third-party relationships as it is internally for an organization. Under GDPR, Data Processors are bound by their Data Controller’s policies, and as long as your organization processes, stores, or transmits the personal data of EU citizens with a third party, it could be liable in the case of a breach. If your organization entrusts the processing of personal data to a data processor or sub-processor and a breach occurs, GDPR also mandates that data processors have an active role in the protection of personal data. Regardless of the policies enforced by the data controller, the data processor of personal data must be compliant with GDPR and can be liable for any incidents associated with the loss or unauthorized disclosure of personal data. Sub-processors are also required to be compliant with the GDPR, based on each contractual relationship established between the Data Processor and the sub-processor.

5.6 Information Security Policy Management

A strong Information Security policy is the glue that holds together all the previously discussed security controls and compliance requirements. It is the document that describes the organization-wide security and privacy strategy and at the same time can be a great accountability tool when it comes to DPAs. To be effective, a security policy must receive company-wide acceptance in order to effectively manage and update the needed security controls in an ever-changing cyber risk world. If it is well managed and followed accordingly, policy management is the foundation for achieving compliance with GDPR or any other future privacy regulation like e-Privacy.

6. Achieving Compliance

By enforcing frameworks such as the GDPR, more control is handed back to the people/consumers, and this extra control greatly helps in raising the level of trust people feel towards government institutions and businesses, which in turn can boost revenues and profits. GDPR requirements are more than a checklist, and if your organization processes the personal data of EU data subjects, then you must take the time to explore the security controls you have in place to support GDPR requirements and ensure that personal data is accounted for, protected, and processed appropriately.

At the end of the day, GDPR compliance is simple: organizations must be transparent with their customers about their legal bases for collecting their data, and they must offer them control as to whether or not they want to share their data with others. Then, organizations must follow through and ensure that they only use the data they collect for the purposes they initially outlined, always within the boundaries of the consent provided by their customers, and make sure that they respect all the rights granted to them under the regulation.

One Year After GDPR: Significant rise on Data Breach reporting from European Businesses

It’s been one year since the European Union (EU) enforced the General Data Protection Regulation (GDPR)¹, legislation designed to protect the personal data of EU citizens and lay down specific rules and guidelines on how their data is collected, stored, processed and deleted by various entities. GDPR requires that organizations must disclose to national Data Protection Agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.

Penalties for organizations failing to comply with the new notification requirements of the regulation include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A lot of studies at the time showed that companies would not be ready for the 25th of May 2018 which led a lot of privacy professionals to assume the worst when they tried to hypothesize about what could happen when the new European legislation would come into effect.

Rise in the number of data breaches

The European Data Protection Board (EDPB)², the EU body in charge of the application of GDPR still hasn’t developed any official standards to clarify how independent EU DPAs will publicly report specific statistics/numbers about GDPR, and this currently makes collecting and analyzing data on GDPR compliance somewhat challenging. A number of European DPAs have voluntarily confirmed in recent months that the new regulation has led to a significant rise in reported data breaches, clearly demonstrating the impact GDPR has had on raising awareness with the general public as well as organizations regarding their rights and obligations under EU data protection law.

So far, the most reliable data regarding the number of data breaches currently available seems to be from some of the DPAs as well as the overview reports³ published by the EU’s Commission on the implementation of the GDPR. From the data we can deduce that EU DPAs have received more than 95,000 complaints from EU citizens since May 2018, and that nearly 65,000 of these were data breach notifications.

The law firm DLA Piper analyzed data breach reports⁴ that have been filed by 23 of the 28 EU member states since GDPR came into full force, and at the end of January 2019 the European Commission also reported that EU data protection regulators had collectively received 41,502 data breach notifications⁵.

“The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively.” DLA Piper says in its report, adding that the Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. “The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita,” the report says.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of the “one-stop shop” mechanism and with numerous U.S. high-profile technology leaders like Facebook, Microsoft, Twitter and Google choosing to have their European headquarters in Ireland, it will be very interesting to study the yearly data breaches report from Ireland’s DPA when it comes out.

With the EU elections approaching in a few weeks it will be very thought-provoking to analyze how imposed safeguards from EU DPAs and GDPR on the use of political data during elections will affect political parties and how this will influence the collection of personal data related to political opinions and communicating political views to target audiences during the election period.

Still, we must be prudent with the current data, because we are still in a transitional year. With most EU DPAs having a median time for investigating a data breach of 12 to 15 months (or even more), a lot of the cases currently under investigation are incidents that happened under the older Data Protection laws.

GDPR Penalties

Germany currently leads in the number of fines, with German organizations receiving 64 of the GDPR fines that have been imposed so far. These include the two largest of those fines to date: €80,000 against an organization that published health data on the internet, and €20,000 against a chat platform for failing to hash stored passwords. “So far 91 reported fines have been imposed under the new GDPR regime,” DLA Piper reports, “But, not all of the fines imposed relate to personal data breaches.”

The largest fine to date is €50 million against Google by France’s Data Protection Authority. That fine did not relate to a data breach, however, but to Google’s processing of personal data without authorization from its users. The remaining fines, from countries like Austria and Cyprus, were comparatively low in value.

Looking into the future

The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how organizations should store personal data and how they must respond in the event of a data breach, emphasizing the importance of creating trust that allows the digital economy to grow inside the European community.

As GDPR reaches its first birthday in a few days, it is clear that the regulation is still young and both regulators and companies are still figuring out its impact and importance. Data Protection Authorities across the EU will soon be publishing annual reports, which should give us a wider and better picture of the level of compliance.

Transparency is a necessity that will help the EU further increase awareness of GDPR and let’s not forget that the rest of the world, especially countries that are very close partners with the EU like the United States, are closely observing in order to better understand the effects and the strengths and weaknesses of the regulation.


1. General Data Protection Regulation (GDPR)

2. European Data Protection Board (EDPB)

3. First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities.

4. DLA Piper GDPR Data Breach Survey

5. GDPR in numbers Infographic


This post first appeared on the Gemalto blog here. 

The Future of Cybersecurity – A 2019 Outlook

This post also appears on the Gemalto Enterprise security blog here.

From the record-breaking number of data breaches to the implementation of the General Data Protection Regulation (GDPR), 2018 will certainly go down as a memorable year for the cybersecurity industry. And there have been plenty of learnings for both the industry and organisations, too.

Despite having two years to prepare for its inception, some companies were still not ready when GDPR hit and have faced the consequences this year. According to the law firm EMW, the Information Commissioner’s Office received over 6,000 complaints in around six weeks between 25th May and 3rd July – a 160% increase over the same period in 2017. When GDPR came into force, there were questions raised about its true power to hold companies to account – with the regulation saying fines could be implemented up to £16.5 million or 4% of worldwide turnover. The latter half of this year has shown those concerns were unfounded, with big companies, including Uber as recently as this week, being fined for losing customer data. What 2018 has shown, is the authorities have the power and they’re prepared to use it.

In fact, the role of GDPR was to give more power back to the end user about who ultimately has their data, but it was also ensuring companies start taking the protection of the data they hold more seriously. Unfortunately, while the issue around protecting data has grown more prominent, the methods to achieving this are still misguided. Put simply, businesses are still not doing the basics when it comes to data protection. This means protecting the data at its core through encryption, key management and controlling access. In our latest Breach Level Index results for the first half of 2018, only 1% of data lost, stolen or compromised was protected through encryption. The use of encryption renders the data useless to any unauthorised person, effectively protecting it from being misused. Another reason to implement this is it is actually part of the regulation and will help businesses avoid fines as well. With such a large percentage still unprotected, businesses are clearly not learning their lessons.

So, moving on from last year, what might the next 12 months bring the security industry? Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence and quantum computing and crypto-agility start to make themselves known.

2019 Predictions

1. Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. One notable example is encryption, whose static algorithms could be broken by that increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

2. Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI-powered malware, hackers will infect an organisation’s systems using the malware and sit undetected, gathering information about users’ behaviours and the organisation’s systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.

3. Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role for the channel – the Cloud Migration Security Specialist. As companies move across, there is an assumption that they’re automatically protected as they transition workloads to the cloud. The channel has a role to play in educating companies that this isn’t necessarily the case and they’ll need help protecting themselves from threats. It’s these new roles that’ll ensure the channel continues to thrive.

A Boardroom Issue That Needs to Yield Results

With 2018 fast disappearing, the next year is going to be another big one no matter what happens, as companies still struggle to come to terms with regulations like GDPR. With growing anticipation around the impact of technologies like quantum and AI, it’s important that companies don’t forget that the basics are just as vital, if not more so, to focus on. So, while 2018 has been the year where cybersecurity finally became a boardroom issue, 2019 needs to be the year where its importance filters down throughout the entire company. For an issue like cybersecurity, the company attitude towards it needs to be led from the top down, so everyone buys into it. If that happens, could next year see no breaches take place? Extremely unlikely. But maybe it could be the year the industry starts to turn the tide against the hacking community.

What should CISOs be prioritising in 2019?

There is no doubt that 2018 has been a memorable year for cybersecurity professionals and the industry as a whole. From overseeing the implementation of the General Data Protection Regulation (GDPR), to the record-breaking number of data breaches, CISOs have had increasing pressures on their shoulders. And, as technologies like Artificial Intelligence (AI) gain more prominence and emerging technologies such as quantum computing are pursued even further, 2019 looks like it could be another hard year for the industry.

With all this in mind, what might the next 12 months bring the security industry?

Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. One notable example is encryption, whose static algorithms could be broken by that increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.
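The crypto-agility paragraph above (which also appears in the 2019 Outlook post earlier on this page) describes the design goal but not what it looks like in code. The following is an added illustration, not Gemalto’s code or a product of the posts’ author: each protected message names its algorithm in a small header, the receiver resolves that name through a registry, and a server-side policy object decides which algorithms may be issued and which may still be verified. Migrating from one algorithm to another, and later retiring the old one, then touches only the policy and the registry table, never the callers. HMAC with SHA-2 stands in for whatever primitive is being swapped; the algorithm labels (HS256, HS384, HS512), the token layout and the policy API are this example’s own conventions, modelled loosely on JOSE, and the key is a constructed demo value.

```python
"""Crypto-agile authentication tokens (added example, not from the original post)."""
import base64
import hashlib
import hmac
import json

# Registry of constructions this example can run. Retiring or adding an
# algorithm is a change to this table; the labels are this example's own.
_MAC_REGISTRY = {
    "HS256": hashlib.sha256,
    "HS384": hashlib.sha384,
    "HS512": hashlib.sha512,
}


class AgilePolicy:
    """Which algorithm new tokens use, and which ones are still accepted."""

    def __init__(self, preferred, accepted):
        if set(accepted) - set(_MAC_REGISTRY) or preferred not in accepted:
            raise ValueError("policy names an algorithm the registry lacks")
        self.preferred = preferred
        self.accepted = set(accepted)

    def migrate(self, new_preferred):
        """Issue with a new algorithm; the old one stays verifiable meanwhile."""
        if new_preferred not in _MAC_REGISTRY:
            raise ValueError(f"unknown algorithm {new_preferred!r}")
        self.accepted.add(new_preferred)
        self.preferred = new_preferred

    def retire(self, name):
        """Stop accepting an algorithm once existing tokens have been rotated."""
        if name == self.preferred:
            raise ValueError("migrate away from an algorithm before retiring it")
        self.accepted.discard(name)


def _b64u(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _unb64u(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def protect(payload: bytes, key: bytes, policy: AgilePolicy) -> str:
    """Issue header.payload.tag using the policy's preferred algorithm."""
    header = _b64u(json.dumps({"alg": policy.preferred}, sort_keys=True).encode())
    signing_input = header + "." + _b64u(payload)
    tag = hmac.new(key, signing_input.encode("ascii"), _MAC_REGISTRY[policy.preferred]).digest()
    return signing_input + "." + _b64u(tag)


def verify(token: str, key: bytes, policy: AgilePolicy) -> bytes:
    """Return the payload if the tag checks out under an accepted algorithm."""
    try:
        h, p, t = token.split(".")
        alg = json.loads(_unb64u(h)).get("alg")
    except (ValueError, TypeError, AttributeError) as exc:
        raise ValueError("malformed token") from exc
    # The header only names the algorithm; the policy decides. Looking the
    # name up in the registry directly would let a sender choose any
    # construction we happen to implement (algorithm confusion).
    if alg not in policy.accepted:
        raise ValueError(f"algorithm {alg!r} is not accepted")
    expected = hmac.new(key, f"{h}.{p}".encode("ascii"), _MAC_REGISTRY[alg]).digest()
    if not hmac.compare_digest(expected, _unb64u(t)):
        raise ValueError("authentication tag mismatch")
    return _unb64u(p)


def rotate(token: str, key: bytes, policy: AgilePolicy) -> str:
    """Re-issue a still-valid token under the currently preferred algorithm."""
    return protect(verify(token, key, policy), key, policy)


def token_alg(token: str) -> str:
    """Algorithm named in a token's header (useful for audits)."""
    return json.loads(_unb64u(token.split(".")[0]))["alg"]


def demo() -> dict:
    """Walk a deployment from HS256 to HS512 without touching protect/verify."""
    key = b"constructed-demo-key-not-for-production"  # constructed sample key
    policy = AgilePolicy(preferred="HS256", accepted={"HS256"})
    old = protect(b'{"user":"alice"}', key, policy)

    policy.migrate("HS512")         # new tokens use HS512; HS256 still verifies
    new = rotate(old, key, policy)  # re-issue existing material
    policy.retire("HS256")          # rotation done: stop accepting the old one

    old_still_valid = True
    try:
        verify(old, key, policy)
    except ValueError:
        old_still_valid = False
    return {"old_alg": token_alg(old), "new_alg": token_alg(new),
            "old_accepted_after_retire": old_still_valid,
            "new_payload": verify(new, key, policy)}


if __name__ == "__main__":
    print(demo())
```

The point to take from `verify` is that the algorithm name carried by the message is treated as a hint and checked against the receiver’s own accept list, so agility does not become a downgrade path: a token naming an algorithm the registry implements but the policy has not enabled is rejected before any tag is computed.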

Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI-powered malware, hackers will infect an organisation’s systems using the malware and sit undetected, gathering information about users’ behaviours and the organisation’s systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.

Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role – the Cloud Migration Security Specialist – to help the CISO securely manage the transition. Whether the role is internal or external, a vital part of supporting the CISO is to ensure that as workloads transition to the cloud they are secure from any potential hackers.

Security Boulevard – Gemalto Launches the New Data Security Directions Council

Our industry is undergoing a period of rapid evolution at the moment on many different levels, so at times like this it becomes vital that we pool our knowledge and insight to help inform the strategic decisions that each organization will have to make. To play our part in that, Gemalto has created the Data Security Directions Council (DSDC).

The mission of the DSDC is to bring together information security leaders from across the globe and from different industry sectors so that they can share their strategic insights on future issues and challenges associated with data protection. In fact, the first Data Security Directions Council report has just been released. In “Information Security 2025: Insights into the future of data security, data threats, regulations and technology”, members of the DSDC shared their thoughts on what different aspects of information security might look like in the year 2025. Their predictions covered a large variety of security-related topics and offered a diverse set of opinions and insight.

For example, Rick Robinson, Offering Manager for Encryption and Key Management for the Data Security Group at IBM Security, forecasted in the report that organizations will in time become more comfortable with encryption. He also explained how he anticipates that attackers and law enforcement will continue their cat-and-mouse game around the theft of account credentials.

Meanwhile, Western Union’s information security director Roman Gruber emphasized that he believes that basic security practices will still be as relevant in the future:

Root concepts still need to be applied even if the end-points change. You still have to protect the data and OS. Root principles and attacks will change but the principles remain the same.

The council members also provided some real insight into other aspects likely to impact the shape of information security in this timeframe. They tackled topics like how the cloud will have changed the security paradigm, and how the regulatory landscape and law enforcement efforts will need to evolve. These experts also weighed in on how IoT and mobile employees will shape information security practices going forward and what data breach prevention might look like in the coming years.

For me, it was interesting to see how current “hot” topics such as Blockchain and Quantum Computing weighed in on their thinking. I think the resulting commentary may surprise you.

I, for one, am really looking forward to future reports, insight, debates and conversations with the council and its members. It’s all too easy for us all to get bogged down in the weeds of our day-to-day work life and the DSDC offers us a rare opportunity to step back for a moment and consider the bigger picture. These reports are set to become “must read” documents for any security leader.

Interested in Becoming a Council Member?

Council members are drawn from individuals, organizations and disciplines leading the way in information security across the globe. Members provide insight on topical information security developments based upon their own experience and understanding, with the sole aim of advancing security practice. Beyond their input to the reports, the council also provides opportunities for members to represent the council’s work publicly and offers them an opportunity to address broader issues than may be possible in their current roles.

Those interested in learning more about the Data Security Directions Council should reach out to Anina Steele, Senior Public Relations Manager at Gemalto, by emailing or calling +44 1276 608 055.

4 Important trends in cloud security

Significant security challenges confront organizations as they migrate their IT needs and processing resources to the cloud. They must first select a cloud service provider that can hopefully ensure the security of the cloud and thereby fulfill its half of the Shared Responsibility Model. Next, they must implement appropriate security controls such as encryption, access management and multi-factor authentication in their effort to secure corporate and customer data.

This process is becoming more and more complicated as time goes on. On the one hand, IT personnel no longer have the control over data in the cloud and IT spending they once had, which is shaping the types of security process in which organizations are investing. On the other hand, external forces like new data protection regulations such as the European Union’s General Data Protection Regulation (GDPR) will likely affect cloud storage practices, yet it’s unclear how organizations’ efforts to comply with the regulation could change cloud governance.

These are some of the realities in Gemalto’s 2018 Global Cloud Data Security Study.

cloud security infographic

For the report, Gemalto commissioned the Ponemon Institute to survey 3,621 IT and information security practitioners in the United States, the United Kingdom, Australia, Germany, France, Japan, India, and Brazil about their organizations’ use of the cloud and the security challenges they are facing as a result. The survey yielded several key trends. Here are four that are particularly relevant for organizations and their cloud data security strategies:

  1. Organizations Are Not Fulfilling Their Commitment to Cloud Data Security

For Gemalto’s 2018 study, Ponemon Institute found that 67% of respondents say their organizations are committed to protecting confidential and sensitive information in the cloud. That pledge notwithstanding, fifty-three percent of respondents do not agree their companies have a proactive approach to compliance. Even more than that (57%) do not believe their organizations are careful enough when sharing sensitive information with third parties.

As a result, many respondents are concerned about the security of the data their employers store in the cloud. Organizations primarily store customer information (59%), email (49%), consumer data (47%), employee records (38%), and payment information (39%) in the cloud. Approximately half of participants in Gemalto’s study worry most about payment information and customer information, at 54% and 49% respectively. Eighty-eight percent of respondents are also concerned the European Union’s GDPR will play some role in demanding more from organizations and their commitment to cloud data security.

  2. The IT Department Is Losing Control of Cloud Security Practices and Budget

Gemalto’s report reveals that IT is losing control of both its budget and corporate data stored in the cloud. Indeed, the average percent of IT spending controlled by the IT department was fifty-three percent in 2016. That proportion declined to under half (40%) of spending in 2017.

At the same time, functions outside of information technology are deploying an average of fifty-eight percent of cloud services. This figure represents a significant increase over 2016. So too does the fact that the average percent of corporate data stored in cloud environments and not managed by IT has grown from 44 percent to 53 percent.

  3. Challenges and a Lack of Focused Practices Abound in Cloud Security

Survey respondents report the difficulty in protecting confidential information when using cloud services has decreased in several key areas. 54% of IT and infosec professionals say it’s more difficult to defend cloud data in Gemalto’s 2018 study. That figure is down from sixty percent the previous year. At the same time, the difficulties in restricting end-user access decreased from 53% of respondents in 2016 to 51% of participants in 2017.

Even so, challenges still abound in cloud security. Seventy-one percent of survey respondents say it’s difficult to apply conventional information security principles in a cloud environment, with close to that same percentage of participants (62%) saying their organization’s use of cloud resources increases compliance risk. Meanwhile, sixty-seven percent of IT professionals cite their companies’ inability to directly inspect cloud providers for security compliance as a source of difficulty, though 61% of respondents say their organizations now evaluate the security capabilities of a cloud provider prior to engaging their services and deploying their technology.

  4. Encryption and Access Management Solutions Are Growing in Use and Importance

Seventy-seven percent of those who participated in Gemalto’s 2018 study think the ability to encrypt or tokenize sensitive or confidential data stored in the cloud is important, with more than nine in ten (91%) saying it will become more important in the next two years. At this time, 47 percent of respondents say they use encryption or similar tools to secure data at rest in the cloud; 58% report that encryption is used for data sent and received by the cloud provider. Encryption or tokenization of data within cloud applications has also increased by eight percentage points (from 28% to 36%) over the last two years.

In addition, strong user access controls and access management to data stored in the cloud has increased in importance according to the study. The ability to control strong authentication prior to accessing data and applications in the cloud has increased from 73 percent of respondents to 81 percent of respondents over the past few studies. In addition, 53 percent of respondents say their organization uses multi-factor authentication to secure access to data in the cloud environment. Just under that percentage of respondents (47 percent) say their organizations use multi-factor authentication for employees’ access to the cloud. When asked the percent of cloud applications that have user-enabled access controls, the average is only 19 percent.

The Tip of the Iceberg

The findings presented above are just a snapshot of Gemalto and Ponemon Institute’s study on the ever-evolving cloud data security landscape. The report also investigates what organizations look for when choosing a cloud service provider (CSP) and what IT professionals consider to be the most important identity and access management features for the cloud. It also delves into organizations’ engagement with the cloud differentiated by respondents’ country of origin.

For insight into these and many other issues, download Gemalto’s Cloud Governance and Security Research.


This blog post also appears on the Gemalto Security blog here.

Four Data Security Trends that Defined 2017

With 2018 upon us, it’s important we take stock of the data security trends and threats that defined 2017. Several notable trends emerged over the course of the year, after all, and these will no doubt continue to shape the data security landscape into 2018 and beyond.

Here are four such remarkable data security trends that helped mould the past year:

1. International Malware Outbreaks

One of the most notable data security trends of 2017 was that three strains of malware made headlines for attack campaigns that swept across national boundaries. On 12 May, WannaCry ransomware got things going with an outbreak that claimed the United Kingdom’s National Health Service (NHS), Spanish telecommunications giant Telefonica, and at least 200,000 other organizations worldwide as victims. NotPetya followed less than two months later when the Petya impersonator/wiper malware struck a Ukrainian power supplier, France’s Saint-Gobain, and close to 17,000 other targets primarily in North America and Europe. Both attacks leveraged EternalBlue, an exploit which abuses a vulnerability in Microsoft’s implementation of the Server Message Block (SMB) protocol, for distribution.

It wasn’t until October 2017 that Bad Rabbit, a strain of Diskcoder, reared its head. This malware used drive-by attacks as its primary means of infecting users. As a result, it infected only a few hundred computers, mainly located in Russia, Ukraine, Germany, Turkey, South Korea, the United States, and a few other countries.

2. Mega-Breaches (and Curious Responses)

In light of the hacking attack disclosures involving LinkedIn, Dropbox, Yahoo (which only got worse), and others, history will no doubt remember 2016 as the “Year of the Mega Breach.” 2017 didn’t produce as many mega-breaches as 2016, but it nevertheless yielded some notable data security incidents…with some equally extraordinary responses. You can find a database of data breaches going back to 2013 in Gemalto’s Breach Level Index.

For instance, Equifax acknowledged in the beginning of September that hackers had breached its systems and thereby compromised the personal information of 143 million American citizens. Consumers’ personal data was simply left unencrypted. Things went awry on the day of disclosure when the credit bureau directed concerned users to visit a resource to verify if they were victims of the breach. That resource was located at a separate site riddled with bugs. Additionally, a slow disclosure time and subsequent gaffes on Twitter led Brian Krebs to call the response a “dumpster fire.”

Two months later, the world learned of the data breach at Uber that compromised 57 million driver and rider accounts in 2016. The ride-sharing company ultimately met the hackers’ ransom of $100,000 to ensure the attackers deleted their copy of the stolen data. It then went further by insisting the hackers sign an NDA, camouflaging the ransom payment as a bug bounty program payout, and remaining silent about the breach for more than a year.

3. CIA Hacking Tools

In the spring of 2017, WikiLeaks published a series of documents pertaining to the Central Intelligence Agency’s hacking operations. Detailed in those leaked sources are various tools used by CIA agents to infiltrate their targets, including malware for smart TVs and iOS exploits. The documents even include borrowed code from public malware samples.

Symantec subsequently analyzed those hacking tools in April and linked them to 40 attacks in 16 countries conducted by a group called Longhorn. It’s unclear how many additional attacks those tools have since facilitated.

4. Attacks against Cryptocurrency Exchanges

One Bitcoin was worth just $979 on 1 January 2017. Since then, its value has multiplied more than 13 times, with its rate peaking at $19,843. Investors no doubt celebrated that price explosion. But they weren’t the only ones tracking the digital money’s increase. Malefactors also saw the rise of Bitcoin; they took it upon themselves to try to hack various exchanges for the cryptocurrency. Indeed, at least eight marketplaces have suffered data breaches as of 23 December, with Parity Technologies losing $32 million in Ethereum and hackers stealing $70 million in Bitcoin from NiceHash. One can expect this data security trend to continue into 2018.

What Made 2017 Stand Out for You?

Which of these data security trends and threats concerns you most? Did another data security trend grab your attention in 2017? If so, let me know in the comments!


This post also appeared on the Gemalto Security blog here.