GDPR One Year Anniversary: A Risk-Based approach to GDPR is key for achieving compliance

This post also appears on the Gemalto Enterprise Security blog here.

Data protection has become a global hot topic since the General Data Protection Regulation (GDPR) took effect on May 25th last year. On 22 May 2019 the European Commission published an infographic on compliance with and enforcement of the GDPR from May 2018 to May 2019, and it is clear that a lot of work still needs to be done. Let’s very briefly recall what GDPR is and some of its key concepts, before discussing the steps and security controls that will bring your organization one step closer to compliance.

1. What is the General Data Protection Regulation?

Millions of people daily entrust their personal data and information to various entities, and with information sharing occurring virtually everywhere, at retail shops, healthcare centers, gyms, financial institutions or websites, these people typically don’t know where their data goes, what other processing is done on it, or by whom. GDPR is designed to bring an up-to-date approach to privacy and security to Europe. Its aim is to give EU citizens stronger control over the personal information they share with other entities, and to impose a uniform legal framework on all member states of the European Union.

To quickly summarize, GDPR mandates that Data Controllers (all the entities that control or process personal data) must have organizational processes in place and implement the proper technical measures in order to protect EU citizens’ personal data. This concept may seem self-evident and easy to implement, but in the real world trying to ensure compliance with GDPR has left many organizations struggling.

2. Who does the GDPR apply to?

The GDPR applies to businesses that collect and use personal information from citizens of the EU, regardless of where the business itself is located. This approach to privacy gives the GDPR a global reach: if a business offers goods or services to EU citizens, or collects and analyzes their data, it needs to be compliant with the GDPR. The penalties for failing to comply with the GDPR are very severe, with fines of up to four percent of an organization’s yearly turnover or €20 million, whichever is greater, and other penalties can also apply to a range of privacy infringements.

3. What does the GDPR require?

The GDPR’s four main areas of focus are: Privacy rights, Data security, Data control and Governance.

As such, a few of the key considerations for achieving compliance with the regulation include the following:

3.1 Privacy by Design

At the core of GDPR is “Privacy by Design”, a concept created in the 1990s by Dr. Ann Cavoukian, the former Information and Privacy Commissioner for the Province of Ontario, Canada, which has since served as a best-practice guide for businesses for decades.

Privacy by Design refers to best practices, policies, procedures and data handling processes that are designed with privacy and data security in mind. Every aspect of a business, from the design of its Security and Privacy Policies to the way it collects, uses and stores data from its employees and customers, must be shaped by in-depth privacy and security best practices from the outset.

3.2 GDPR’s Legal Bases for Data Processing

GDPR lists six possible legal bases for collecting consumer personal data, but for the vast majority of businesses the only possible legal bases that will apply are bases (i), (ii), and (iii) from the list below:

(i) Consent
(ii) To fulfill the legitimate interests of someone without intruding upon individual rights and freedoms
(iii) Fulfillment of a contract
(iv) Legal obligation
(v) Protection of someone’s vital interest
(vi) Public interest of vested authority

In the case of legitimate interests, a business must be able to prove to EU Data Protection Authorities (DPAs) that the collection of personal information is essential for fulfilling a specific service to its customers, and the business can only keep the personal data for as long as it takes to fulfill that service.

3.3 Breach Notifications

The GDPR mandates that a business must inform the EU Data Protection Authorities (DPAs) promptly (within 72 hours) and thoroughly of any data security breach involving European citizens.

4. What you can do as a CISO – A Risk-Based approach to GDPR is key

Although GDPR is a very complex regulation, at its core it is a legal framework designed to govern data protection. This means that GDPR’s main focus is the safeguarding of the personal information a business collects, creates, uses and shares, whether that PII is collected from its employees, customers or third-party partners. Because the information is collected from different sources, a business must take a risk-based approach to data protection to best assess and mitigate risks under GDPR.

4.1 Data Mapping Analysis

The first step a business must take is to invest enough time in understanding the nature and the types of personal data and information it needs in order to fulfill its services, by doing a Data Mapping and Information Flow analysis. The UK’s Information Commissioner’s Office provides a great free template with a working example to help you achieve this task. A few key questions you’ll need to answer are:

Why do you use personal data?
Who do you hold information about?
What information do you hold about them?
How is the data used?
Who has access to the data?
Is the data shared with a third party?
Where is the data stored and for how long?

Only after discovering all of the data your organization possesses will you be able to determine whether you use it and store it in ways that do not create privacy and security risks for your employees, customers, and third-party partners. Once you have identified all of the data and determined how you use it, here are a few other steps you can take to best implement a risk-based approach to data protection across all your assets:

4.2 Conduct Data Protection/Privacy Impact Assessments

GDPR mandates that businesses conduct DPIAs in the case of high-risk processing activities, and many organizations in the EU already conduct Privacy Impact Assessments (PIAs) as part of legal or regulatory obligations. A Data Protection Impact Assessment (DPIA) is a defined process for assessing whether the way your business collects, uses, stores and discloses the personal data of individuals creates any privacy risks. DPIAs specifically help us identify privacy risks and upcoming security problems, and they are great tools for identifying solutions and recommending appropriate security controls when necessary.

Also, by implementing a well-defined process to determine when DPIAs need to be conducted, businesses will be able to prove accountability to Data Protection Authorities (DPAs), thus getting one step closer to achieving full GDPR compliance.

4.3 Ensure Privacy and Security by Design and by Default

The GDPR requires privacy and security not only “by design”, as we explained earlier, but also “by default.” This means that industry best practices will now be mandated activities in the daily operations of your business and will need to be demonstrable to Data Protection Authorities (DPAs) if requested. That’s why organizations must take steps toward rethinking their security and privacy strategy and establishing privacy as a foundational principle in all of their operations.

4.4 Prove Accountability to Regulators

Finally, GDPR requires that organizations maintain detailed documentation of all their compliance efforts. To comply with this guideline, you must be prepared to show Data Protection Authorities (DPAs) evidence of your documented security policies and also demonstrate that your policies are being monitored and enforced regularly. Your goal is to be able to demonstrate that you are collecting, using, sharing, maintaining and disposing of personal information in responsible, ethical and lawful ways.

5. Security controls that you may already be implementing that also apply to GDPR

Now, let’s explore some key security controls that need to be in place for GDPR compliance. If you are already implementing them in your organization, you get the added bonus of “free” compliance:

5.1 Identity and Access Management (IDAM)

Having proper Identity and Access Management (IDAM) controls in place will help control and limit access to personal data to authorized employees only. Two key security principles apply to IDAM, the principles of least privilege and separation of duties, both ensuring that employees have access only to the personal data or assets needed for their job function.

IDAM helps us with GDPR compliance by ensuring that only those who need access to personal data in order to perform their job have that access. In this setup, security awareness and privacy training should be provided to all employees to ensure that the intended purpose for the collection of personal data is maintained.

5.2 Data Loss Prevention (DLP)

Data Loss Prevention (DLP) refers to technical controls that help us prevent the loss of personal data. These controls are critical in preventing a breach that may do irreversible damage to the business, and according to GDPR, organizations, whether they have the role of the Data Controller or the Data Processor of personal data, are held liable for the loss of any personal data they collect. Integrating DLP controls into your security strategy adds another layer of protection to the business, by controlling and restricting the transmission of personal data outside the corporate network.

5.3 Encryption & Pseudonymization

Encryption and pseudonymization are both techniques that we can use to prevent unauthorized access to personal data. Encryption is the process of converting information or data into a code, and pseudonymization replaces or removes information in a data set that identifies an individual. Pseudonymization in particular is something GDPR recommends but doesn’t require; however, if a security breach occurs, investigators will consider it a big plus if the organization responsible for the breach has implemented these types of technical controls and technologies as an added layer of security.
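To make the pseudonymization control above concrete, here is an added example (not code from the original post) that strips direct identifiers from a constructed customer data set, replaces them with a keyed HMAC-SHA256 token, and keeps the re-identification table separate from the working data set, as GDPR expects for the “additional information” that links a pseudonym back to a person. The records, field names and the key handling are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample data set (fictitious people, not from the original post):
# direct identifiers plus the attributes a downstream analytics team still needs.
RECORDS: List[Dict] = [
    {"email": "alice@example.com", "name": "Alice A.", "city": "Athens", "purchases": 3},
    {"email": "bob@example.com", "name": "Bob B.", "city": "Berlin", "purchases": 1},
    {"email": "Alice@Example.com", "name": "Alice A.", "city": "Athens", "purchases": 2},
]

# Fields that directly identify a person and must not reach the working data set.
DIRECT_IDENTIFIERS = ("email", "name")


def make_pseudonym(key: bytes, identifier: str) -> str:
    """Derive a stable pseudonym from a direct identifier with HMAC-SHA256.

    The key is what makes this pseudonymization rather than a plain hash: an
    unkeyed SHA-256 of an e-mail address can be reversed by hashing a list of
    candidate addresses, whereas without the key the token reveals nothing.
    Normalising case and whitespace first keeps one person on one token.
    """
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()[:32]


def pseudonymize(records: List[Dict], key: bytes) -> Tuple[List[Dict], Dict[str, str]]:
    """Return (working data set, re-identification table).

    The working data set carries only a subject_id plus non-identifying
    attributes.  The table mapping subject_id back to the e-mail address is
    the additional information that must be stored separately from the
    working data set, under its own access controls, together with the key.
    """
    working: List[Dict] = []
    lookup: Dict[str, str] = {}
    for rec in records:
        subject_id = make_pseudonym(key, rec["email"])
        lookup[subject_id] = rec["email"].strip().lower()
        attributes = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject_id": subject_id, **attributes})
    return working, lookup


def purchases_per_subject(working: List[Dict]) -> Dict[str, int]:
    """Analytics still works on the pseudonymized set: one person's records stay linkable."""
    totals: Dict[str, int] = defaultdict(int)
    for rec in working:
        totals[rec["subject_id"]] += rec["purchases"]
    return dict(totals)


def reidentify(lookup: Dict[str, str], subject_id: str) -> str:
    """Authorized re-identification, e.g. to answer a data subject's access request."""
    return lookup[subject_id]


if __name__ == "__main__":
    # Assumption: in production the key lives in a KMS/HSM, never beside the data set.
    key = secrets.token_bytes(32)
    working, lookup = pseudonymize(RECORDS, key)
    for row in working:
        print(row)
    print(purchases_per_subject(working))
```

Losing the working data set alone exposes no e-mail addresses or names; losing the key and lookup table together with it would. That separation is what a breach investigator checks when asking whether pseudonymization was actually in place.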

5.4 Incident Response Plan (IRP)

This is self-explanatory: all businesses must have an Incident Response Plan (IRP), quite apart from legal and compliance needs. A well-thought-out and tested IRP should have well-defined stages such as preparation, identification, containment, eradication, recovery and lessons learned. In case an incident occurs that involves personal data, GDPR has some requirements for your organization, most notably breach notification, and in the case of high-risk breaches even informing the affected data subjects of the incident; both scenarios should be well covered by your IRP.

5.5 Third-Party Risk Management

GDPR compliance is just as important for third-party relationships as it is internally for an organization. Under GDPR, Data Processors are bound by their Data Controller’s policies, and as long as your organization processes, stores, or transmits the personal data of EU citizens with a third party, it could be liable in the case of a breach. If your organization entrusts the processing of personal data to a data processor or sub-processor and a breach occurs, GDPR also mandates that data processors have an active role in the protection of personal data. Regardless of the policies enforced by the data controller, the data processor of personal data must be compliant with GDPR and can be liable for any incidents associated with the loss or unauthorized disclosure of personal data. Sub-processors are also required to be compliant with the GDPR, based on each contractual relationship established between the Data Processor and the sub-processor.

5.6 Information Security Policy Management

A strong Information Security policy is the glue that holds together all the previously discussed security controls and compliance requirements. It is the document that describes the organization-wide security and privacy strategy, and at the same time it can be a great accountability tool when it comes to DPAs. To be effective, a security policy must receive company-wide acceptance in order to effectively manage and update the needed security controls in an ever-changing cyber risk landscape. If it is well managed and followed accordingly, policy management is the foundation for achieving compliance with GDPR or any future privacy regulation like e-Privacy.

6. Achieving Compliance

By enforcing frameworks such as the GDPR, more control is handed back to people and consumers, and this extra control greatly helps in raising the level of trust people feel towards government institutions and businesses, which in turn can boost revenues and profits. GDPR requirements are more than a checklist: if your organization processes the personal data of EU data subjects, then you must take the time to explore the security controls you have in place to support GDPR requirements and ensure that personal data is accounted for, protected, and processed appropriately.

At the end of the day, GDPR compliance is simple: organizations must be transparent with their customers about their legal bases for collecting their data, and they must offer them control as to whether or not they want to share their data with others. Then, organizations must follow through and ensure that they only use the data they collect for the purposes they initially outlined, always within the boundaries of the consent provided by their customers, and make sure that they respect all the rights granted to them under the regulation.

One Year After GDPR: Significant rise in Data Breach reporting from European Businesses

It’s been one year since the European Union (EU) enforced the General Data Protection Regulation (GDPR)¹, a legislation designed to protect the personal data of EU citizens and lay down specific rules and guidelines on how their data is collected, stored, processed and deleted by various entities. GDPR requires that organizations disclose to national Data Protection Agencies (DPAs) any breaches of security leading to “the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed to local data protection authorities not later than 72 hours after having become aware of it”.

Penalties for organizations failing to comply with the new notification requirements of the regulation include fines of up to €10 million, or up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. A lot of studies at the time showed that companies would not be ready for the 25th of May 2018, which led a lot of privacy professionals to assume the worst when they hypothesized about what could happen when the new European legislation came into effect.

Rise in the number of data breaches

The European Data Protection Board (EDPB)², the EU body in charge of the application of GDPR, still hasn’t developed any official standards to clarify how independent EU DPAs will publicly report specific statistics and numbers about GDPR, and this currently makes collecting and analyzing data on GDPR compliance somewhat challenging. A number of European DPAs have voluntarily confirmed in recent months that the new regulation has led to a significant rise in reported data breaches, clearly demonstrating the impact GDPR has had on raising awareness among the general public as well as organizations regarding their rights and obligations under EU data protection law.

So far, the most reliable data regarding the number of data breaches currently available seems to be from some of the DPAs as well as the overview reports³ published by the European Commission on the implementation of the GDPR. From the data we can deduce that EU DPAs received more than 95,000 complaints from EU citizens since May 2018, and of these complaints nearly 65,000 were data breach notifications.

The law firm DLA Piper analyzed data breach reports⁴ that have been filed by 23 of the 28 EU member states since GDPR came into full force, and at the end of January 2019 the European Commission also reported that EU data protection regulators had collectively received 41,502 data breach notifications⁵.

“The Netherlands, Germany and the United Kingdom came top of the table with the largest number of data breaches notified to supervisory authorities with approximately 15,400, 12,600 and 10,600 breaches notified respectively,” DLA Piper says in its report, adding that the Netherlands recorded the most data breach reports per capita, followed by Ireland and Denmark. “The United Kingdom, Germany and France rank tenth, eleventh and twenty-first respectively, while Greece, Italy and Romania have reported the fewest breaches per capita,” the report says.

Under GDPR, non-EU organizations that have headquarters established in Europe can take advantage of the “one-stop shop” mechanism, and with numerous high-profile U.S. technology leaders like Facebook, Microsoft, Twitter and Google choosing to have their European headquarters in Ireland, it will be very interesting to study the yearly data breach report from Ireland’s DPA when it comes out.

With the EU elections approaching in a few weeks it will be very thought-provoking to analyze how imposed safeguards from EU DPAs and GDPR on the use of political data during elections will affect political parties and how this will influence the collection of personal data related to political opinions and communicating political views to target audiences during the election period.

In any case, we must be prudent with the current data because we are still in a transitional year, and with most EU DPAs having a median time for investigating a data breach of 12 to 15 months (or even more), a lot of the cases currently under investigation are incidents that happened under older Data Protection laws.

GDPR Penalties

Germany currently leads in the number of fines, with German organizations receiving 64 of the GDPR fines that have been imposed so far. This includes the two largest fines to date: an organization that published health data on the internet (€80,000) and a chat platform (€20,000 for failing to hash stored passwords). “So far 91 reported fines have been imposed under the new GDPR regime,” DLA Piper reports, “But, not all of the fines imposed relate to personal data breaches.”

The largest fine to date is €50 million against Google by France’s Data Protection Authority, but that fine did not relate to a data breach; it related to Google’s processing of personal data without authorization from its users. The remaining fines, from countries like Austria and Cyprus, were comparatively low in value.

Looking into the future

The objective of GDPR was to bring uniformity to data protection laws across EU member states and control how organizations should store personal data and how they must respond in the event of a data breach, emphasizing the importance of creating trust that allows the digital economy to grow inside the European community.

As GDPR reaches its first birthday in a few days, it is clear that the regulation is still young and both regulators and companies are still figuring out its impact and importance. Data Protection Authorities across the EU will soon be publishing annual reports, which should give us a wider and better picture of the level of compliance.

Transparency is a necessity that will help the EU further increase awareness of GDPR, and let’s not forget that the rest of the world, especially countries that are very close partners of the EU like the United States, is closely observing in order to better understand the effects, strengths and weaknesses of the regulation.

References

1. General Data Protection Regulation (GDPR)
https://ec.europa.eu/info/law/law-topic/data-protection/data-protection-eu_en

2. European Data Protection Board (EDPB)
https://ec.europa.eu/info/law/law-topic/data-protection/reform/rules-business-and-organisations/enforcement-and-sanctions/enforcement/what-european-data-protection-board-edpb_en

3. First overview on the implementation of the GDPR and the roles and means of the national supervisory authorities
http://www.europarl.europa.eu/meetdocs/2014_2019/plmrep/COMMITTEES/LIBE/DV/2019/02-25/9_EDPB_report_EN.pdf

4. DLA Piper GDPR Data Breach Survey
https://www.dlapiper.com/~/media/files/insights/publications/2019/02/dla-piper-gdpr-data-breach-survey-february-2019.pdf

5. GDPR in numbers Infographic
https://ec.europa.eu/commission/sites/beta-political/files/190125_gdpr_infographics_v4.pdf


This post first appeared on the Gemalto blog here. 

The Future of Cybersecurity – A 2019 Outlook


This post also appears on the Gemalto Enterprise security blog here.

From the record-breaking number of data breaches to the implementation of the General Data Protection Regulation (GDPR), 2018 will certainly go down as a memorable year for the cybersecurity industry. And there have been plenty of learnings for both the industry and organisations, too.

Despite having two years to prepare for its inception, some companies were still not ready when GDPR hit and have faced the consequences this year. According to the law firm EMW, the Information Commissioner’s Office received over 6,000 complaints in around six weeks between 25th May and 3rd July – a 160% increase over the same period in 2017. When GDPR came into force, there were questions raised about its true power to hold companies to account, with the regulation allowing fines of up to £16.5 million or 4% of worldwide turnover. The latter half of this year has shown those concerns were unfounded, with big companies, including Uber as recently as this week, being fined for losing customer data. What 2018 has shown is that the authorities have the power and they’re prepared to use it.

In fact, the role of GDPR was to give more power back to the end user over who ultimately has their data, but it was also to ensure companies start taking the protection of the data they hold more seriously. Unfortunately, while the issue of protecting data has grown more prominent, the methods for achieving this are still misguided. Put simply, businesses are still not doing the basics when it comes to data protection. This means protecting the data at its core through encryption, key management and controlling access. In our latest Breach Level Index results for the first half of 2018, only 1% of data lost, stolen or compromised was protected through encryption. The use of encryption renders the data useless to any unauthorised person, effectively protecting it from being misused. Another reason to implement it is that it is actually part of the regulation and will help businesses avoid fines as well. With such a large percentage still unprotected, businesses are clearly not learning their lessons.

So, moving on from last year, what might the next 12 months bring the security industry? Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence and quantum and crypto-agility start to make themselves known.

2019 Predictions

1. Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. One notable example here is encryption, whose static algorithms could be broken by the increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats, including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

2. Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI-powered malware, hackers will infect an organisation’s systems using the malware and sit undetected gathering information about users’ behaviours and the organisation’s systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.

3. Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role for the channel – the Cloud Migration Security Specialist. As companies move across, there is an assumption that they’re automatically protected as they transition workloads to the cloud. The channel has a role to play in educating companies that this isn’t necessarily the case and they’ll need help protecting themselves from threats. It’s these new roles that’ll ensure the channel continues to thrive.

A Boardroom Issue That Needs to Yield Results

With 2018 fast disappearing, the next year is going to be another big one no matter what happens, as companies still struggle to come to terms with regulations like GDPR. With growing anticipation around the impact of technologies like quantum and AI, it’s important that companies don’t forget that the basics are just as vital, if not more so, to focus on. So, while 2018 has been the year when cybersecurity finally became a boardroom issue, 2019 needs to be the year when its importance filters down throughout the entire company. For an issue like cybersecurity, the company attitude towards it needs to be led from the top down, so everyone buys into it. If that happens, could next year see no breaches take place? Extremely unlikely. But maybe it could be the year the industry starts to turn the tide against the hacking community.

What should CISOs be prioritising in 2019?

There is no doubt that 2018 has been a memorable year for cybersecurity professionals and the industry as a whole. From overseeing the implementation of the General Data Protection Regulation (GDPR), to the record-breaking number of data breaches, CISOs have had increasing pressures on their shoulders. And, as technologies like Artificial Intelligence (AI) gain more prominence and emerging technologies such as quantum computing are pursued even further, 2019 looks like it could be another hard year for the industry.

With all this in mind, what might the next 12 months bring the security industry?

Quantum Computing Puts Pressure on Crypto-Agility

Next year will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. One notable example here is encryption, whose static algorithms could be broken by the increased power. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats, including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.

Hackers will launch the most sophisticated cyber-attack ever using AI in 2019

Up until now, the use of AI has been limited, but as computing power grows, so too do the capabilities of AI itself. In turn this means that next year will see the first AI-orchestrated attack take down a FTSE100 company. Creating a new breed of AI-powered malware, hackers will infect an organisation’s systems using the malware and sit undetected gathering information about users’ behaviours and the organisation’s systems. Adapting to its surroundings, the malware will unleash a series of bespoke attacks targeted to take down a company from the inside out. The sophistication of this attack will be like none seen before, and organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.

Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019

As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain a positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role – the Cloud Migration Security Specialist – to help the CISO securely manage the transition. Whether the role is internal or external, a vital part of supporting the CISO is to ensure that as workloads transition to the cloud they are secure from any potential hackers.

Security Boulevard – Gemalto Launches the New Data Security Directions Council

Our industry is undergoing a period of rapid evolution at the moment on many different levels, so at times like this it becomes vital that we pool our knowledge and insight to help inform the strategic decisions that each organization will have to make. To play our part in that, Gemalto has created the Data Security Directions Council (DSDC).

The mission of the DSDC is to bring together information security leaders from across the globe and from different industry sectors so that they can share their strategic insights on future issues and challenges associated with data protection. In fact, the first Data Security Directions Council report has just been released. In Information Security 2025: Insights into the future of data security, data threats, regulations and technology, members of the DSDC shared their thoughts on what different aspects of information security might look like in the year 2025. Their predictions covered a large variety of security-related topics and offered a diverse set of opinions and insight.

For example, Rick Robinson, Offering Manager for Encryption and Key Management for the Data Security Group at IBM Security, forecasted in the report that organizations will in time become more comfortable with encryption. He also explained how he anticipates that attackers and law enforcement will continue their cat-and-mouse game around the theft of account credentials.

Meanwhile, Western Union’s information security director Roman Gruber emphasized that he believes that basic security practices will still be as relevant in the future:

Root concepts still need to be applied even if the end-points change. You still have to protect the data and OS. Root principles and attacks will change but the principles remain the same.

The council members also provided some real insight into other aspects likely to impact the shape of information security in this timeframe. They tackled topics like how the cloud will have changed the security paradigm, and how the regulatory landscape and law enforcement efforts will need to evolve. These experts also weighed in on how IoT and mobile employees will shape information security practices going forward and what data breach prevention might look like in the coming years.

For me, it was interesting to see how current “hot” topics such as Blockchain and Quantum Computing weighed in on their thinking. I think the resulting commentary may surprise you.

I, for one, am really looking forward to future reports, insight, debates and conversations with the council and its members. It’s all too easy for us all to get bogged down in the weeds of our day-to-day work life and the DSDC offers us a rare opportunity to step back for a moment and consider the bigger picture. These reports are set to become “must read” documents for any security leader.

Interested in Becoming a Council Member?

Council members are drawn from individuals, organizations and disciplines leading the way in information security across the globe. Members provide insight on topical information security developments based upon their own experience and understanding, with the sole aim of advancing security practice. Beyond their input to the reports, the council also provides opportunities for members to represent the council's work publicly and to address broader issues than may be possible in their current roles.

Those interested in learning more about the Data Security Directions Council should reach out to Anina Steele, Senior Public Relations Manager at Gemalto, by emailing Anina.steele@gemalto.com or calling +44 1276 608 055.

4 Important trends in cloud security

Significant security challenges confront organizations as they migrate their IT needs and processing resources to the cloud. They must first select a cloud service provider that can ensure the security of the cloud itself and thereby fulfil its half of the Shared Responsibility Model. Next, they must implement the controls that remain their own responsibility, such as encryption, access management and multi-factor authentication, in their effort to secure corporate and customer data.

This process is becoming more and more complicated as time goes on. On the one hand, IT personnel no longer have the control over data in the cloud and IT spending they once had, which is shaping the types of security process in which organizations are investing. On the other hand, external forces like new data protection regulations such as the European Union’s General Data Protection Regulation (GDPR) will likely affect cloud storage practices, yet it’s unclear how organizations’ efforts to comply with the regulation could change cloud governance.

These are some of the realities in Gemalto’s 2018 Global Cloud Data Security Study.


For the report, Gemalto commissioned the Ponemon Institute to survey 3,621 IT and information security practitioners in the United States, the United Kingdom, Australia, Germany, France, Japan, India, and Brazil about their organizations’ use of the cloud and the security challenges they are facing as a result. The survey yielded several key trends. Here are four that are particularly relevant for organizations and their cloud data security strategies:

  1. Organizations Are Not Fulfilling Their Commitment to Cloud Data Security

For Gemalto’s 2018 study, Ponemon Institute found that 67% of respondents say their organizations are committed to protecting confidential and sensitive information in the cloud. That pledge notwithstanding, 53% of respondents do not agree that their companies have a proactive approach to compliance, and even more (57%) do not believe their organizations are careful enough when sharing sensitive information with third parties.

As a result, many respondents are concerned about the security of the data their employers store in the cloud. Organizations primarily store customer information (59%), email (49%), consumer data (47%), payment information (39%) and employee records (38%) in the cloud, and participants in Gemalto’s study worry most about payment information and customer information, at 54% and 49% respectively. Eighty-eight percent of respondents also expect the European Union’s GDPR to demand more from organizations in their commitment to cloud data security.

  2. The IT Department Is Losing Control of Cloud Security Practices and Budget

Gemalto’s report reveals that IT is losing control of both its budget and corporate data stored in the cloud. Indeed, the average percent of IT spending controlled by the IT department was fifty-three percent in 2016. That proportion declined to under half (40%) of spending in 2017.

At the same time, functions outside of information technology are deploying an average of fifty-eight percent of cloud services. This figure represents a significant increase over 2016. So too does the fact that the average percent of corporate data stored in cloud environments and not managed by IT has grown from 44 percent to 53 percent.

  3. Challenges and a Lack of Focused Practices Abound in Cloud Security

Survey respondents report the difficulty in protecting confidential information when using cloud services has decreased in several key areas. 54% of IT and infosec professionals say it’s more difficult to defend cloud data in Gemalto’s 2018 study. That figure is down from sixty percent the previous year. At the same time, the difficulties in restricting end-user access decreased from 53% of respondents in 2016 to 51% of participants in 2017.

Even so, challenges still abound in cloud security. Seventy-one percent of survey respondents say it’s difficult to apply conventional information security principles in a cloud environment, and 62% say their organization’s use of cloud resources increases compliance risk. Meanwhile, 67% of IT professionals cite their companies’ inability to directly inspect cloud providers for security compliance as a source of difficulty, though 61% of respondents say their organizations now evaluate the security capabilities of a cloud provider before engaging its services and deploying its technology.

  4. Encryption and Access Management Solutions Are Growing in Use and Importance

Seventy-seven percent of those who participated in Gemalto’s 2018 study think the ability to encrypt or tokenize sensitive or confidential data stored in the cloud is important, with more than nine in ten (91%) saying it will become more important in the next two years. At this time, 47 percent of respondents say they use encryption or similar tools to secure data at rest in the cloud; 58% report that encryption is used for data sent and received by the cloud provider. Encryption or tokenization of data within cloud applications has also increased by eight percentage points (from 28% to 36%) over the last two years.

In addition, strong user access controls and access management for data stored in the cloud have increased in importance according to the study. The share of respondents who consider the ability to require strong authentication before access to data and applications in the cloud important has increased from 73 percent to 81 percent over the past few studies. In addition, 53 percent of respondents say their organization uses multi-factor authentication to secure access to data in the cloud environment, and just under that (47 percent) say their organizations use multi-factor authentication for employees’ access to the cloud. When asked what percentage of their cloud applications have user-enabled access controls, the average answer is only 19 percent.

The Tip of the Iceberg

The findings presented above are just a snapshot of Gemalto and Ponemon Institute’s study on the ever-evolving cloud data security landscape. The report also investigates what organizations look for when choosing a cloud service provider (CSP) and what IT professionals consider to be the most important identity and access management features for the cloud. It also delves into organizations’ engagement with the cloud differentiated by respondents’ country of origin.

For insight into these and many other issues, download Gemalto’s Cloud Governance and Security Research.


This blog post also appears on the Gemalto Security blog here.

Four Data Security Trends that Defined 2017

With 2018 upon us, it’s important we take stock of the data security trends and threats that defined 2017. Several notable trends emerged over the course of the year, after all, and these will no doubt continue to shape the data security landscape into 2018 and beyond.

Here are four such remarkable data security trends that helped mould the past year:

1. International Malware Outbreaks

One of the most notable data security trends of 2017 was that three strains of malware made headlines for attack campaigns that swept across national boundaries. On 12 May, WannaCry ransomware got things going with an outbreak that claimed the United Kingdom’s National Health Service (NHS), Spanish telecommunications giant Telefonica and at least 200,000 other organizations worldwide as victims. NotPetya followed less than two months later, when the Petya look-alike, in reality a wiper rather than recoverable ransomware, struck a Ukrainian power supplier, France’s Saint-Gobain and close to 17,000 other targets, primarily in Ukraine but with victims across Europe and North America. Both attacks leveraged EternalBlue for distribution, an exploit for a vulnerability in Microsoft’s implementation of version 1 of the Server Message Block (SMBv1) protocol that Microsoft had already patched in March 2017 (MS17-010); the hosts that fell were those still unpatched with SMBv1 reachable over the network.

It wasn’t until October 2017 that Bad Rabbit, a strain of the Diskcoder family, reared its head. This malware used drive-by attacks as its primary means of infecting users, serving a fake Adobe Flash Player update from compromised websites. As a result, it infected only a few hundred computers, mainly located in Russia, Ukraine, Germany, Turkey, South Korea, the United States and a few other countries.

2. Mega-Breaches (and Curious Responses)

In light of the hacking attack disclosures involving LinkedIn, Dropbox, Yahoo (which only got worse) and others, history will no doubt remember 2016 as the “Year of the Mega Breach.” 2017 didn’t produce as many mega-breaches as 2016, but it nevertheless yielded some notable data security incidents, with some equally extraordinary responses. You can find a database of data breaches going back to 2013 in Gemalto’s Breach Level Index.

For instance, Equifax acknowledged at the beginning of September that hackers had breached its systems, through an unpatched Apache Struts web application flaw, and compromised the personal information of 143 million American consumers. The stolen personal data had simply been left unencrypted. Things went awry on the day of disclosure when the credit bureau directed concerned users to a resource to verify whether they were victims of the breach; that resource was located on a separate, bug-riddled site. Additionally, a slow disclosure and subsequent gaffes on Twitter led Brian Krebs to call the response a “dumpster fire.”

Two months later, the world learned of the data breach at Uber that had compromised 57 million driver and rider accounts in 2016. The ride-sharing company had met the hackers’ ransom demand of $100,000 in exchange for their deleting their copy of the stolen data. It then went further by insisting the hackers sign an NDA, camouflaging the ransom payment as a bug bounty payout, and remaining silent about the breach for more than a year.

3. CIA Hacking Tools

In the spring of 2017, WikiLeaks published a series of documents pertaining to the Central Intelligence Agency’s hacking operations. Detailed in those leaked sources are various tools used by CIA operators to infiltrate their targets, including malware for smart TVs and iOS exploits. The documents even include code borrowed from public malware samples.

Symantec subsequently analyzed those hacking tools in April and linked them to 40 attacks in 16 countries conducted by a group called Longhorn. It’s unclear how many additional attacks those tools have since facilitated.

4. Attacks against Cryptocurrency Exchanges

One Bitcoin was worth just $979 on 1 January 2017. Since then, its value has multiplied more than 13 times, with its rate peaking at $19,843. Investors no doubt celebrated that price explosion, but they weren’t the only ones tracking the digital currency’s rise. Malefactors also saw it, and took it upon themselves to attack various exchanges for the cryptocurrency. Indeed, at least eight marketplaces have suffered breaches as of 23 December, with Parity Technologies losing $32 million in Ethereum and hackers stealing $70 million in Bitcoin from NiceHash. One can expect this data security trend to continue into 2018.

What Made 2017 Stand Out for You?

Which of these data security trends and threats concerns you most? And what other data security trend grabbed your attention in 2017? Let me know in the comments!


This post also appeared on the Gemalto Security blog here.

6 steps to prepare for post Brexit GDPR compliance

Ever since the vote to leave the EU last year, it’s been unclear how much, if any, of the incoming GDPR legislation would be applied in the UK. Thankfully, the government has taken this on board and today revealed plans to improve our current data protection legislation.

This updated law aims to:

  1. Transfer the European Union’s current General Data Protection Regulation into UK law
  2. Grant the UK’s data protection watchdog new powers to levy bigger fines on firms that break laws
  3. Give UK citizens more control over what happens to their personal information, such as asking for personal data posted when they were children to be deleted

This overhaul of UK data protection law is a big step towards updating the country’s approach to cybersecurity. By putting control of their personal data back in the hands of consumers, the pressure is on for businesses to ensure they are adhering to data protection laws. Those that don’t risk losing consumer trust.

Incorporating the incoming GDPR legislation into UK law is an important step, as it will dispel any uncertainty businesses had around its fate post-Brexit. With the deadline for compliance fast approaching, there is now no reason for UK businesses not to be moving towards meeting these data protection laws.

Six steps every business should undertake ahead of GDPR
While it’s all well and good talking about compliance, it’s another thing entirely to understand the steps a business must take to work towards it. So, what does a business need to do, to ensure it’s protecting the data it holds? Below are six steps every business should undertake on its journey towards GDPR compliance.

Step one – Get to grips with GDPR’s legal framework
The first step that any business needs to take is to understand how each aspect of the legislation applies to it. By conducting a full audit against the GDPR legal framework, a business will understand what it needs to do and what the consequences of failing to do so are. As part of this compliance audit, a business should appoint a Data Protection Officer (DPO), who will be responsible for ensuring the company adheres to the regulation; the GDPR makes a DPO mandatory for public authorities and for organisations whose core activities involve regular, large-scale monitoring of individuals or large-scale processing of special categories of data, and it is good practice for everyone else. Ideally, a DPO would have a background in both law and technology, so they’re able to understand both the technical measures and the regulatory framework those measures must satisfy. Every organisation is different, and so no GDPR journey will look the same; correct guidance from business leaders to employees is needed to ensure the whole company understands how to be compliant.

Step two – Create a Data Register
Once a business understands the steps it needs to take, it’s important that it keeps a record of the process. This is best done with a Data Register, essentially a GDPR diary (the regulation’s own term for the core of it is the record of processing activities). The Data Protection Authority (DPA) of each member state enforces the GDPR and judges whether a business is compliant when deciding on penalties after an infringement or a breach. In that event, the Data Register is a crucial tool for demonstrating the progress the business has made towards compliance. Without such evidence, the DPA can impose fines of up to 2% or 4% of annual worldwide turnover (or €10 million or €20 million, whichever is higher), depending on the tier of infringement. The size of the fine depends on factors such as the nature and gravity of the infringement, the categories of data affected, and how the business mitigated the harm and cooperated with the authority.

Step three – Classify data
While understanding what protections, if any, are already in place is important, this step focuses on helping businesses understand what data they need to protect and how that is being done. First, a business must locate any personal data of EU citizens, that is information that can directly or indirectly identify someone (often called Personally Identifiable Information, PII). It’s crucial to know where this is stored, who can access it, who it has been shared with and so on. It can then determine which data is most vital to protect. In addition, it’s important to know who is responsible for controlling and processing the data, and to make sure all the correct contracts are in place between the controller and its processors.

Step four – Identify the top priorities 
Next, a business needs to evaluate how that classified data is being produced and protected. Regardless of how data is collected, the first priority should always be to protect the user’s privacy. Businesses should ask themselves whether they need the sensitive data they have collected; this data is worth a lot to a hacker and carries the greatest risk of being stolen, so data that is not needed should not be held. Businesses should complete a Privacy Impact Assessment, or in GDPR terms a Data Protection Impact Assessment (DPIA), for processing likely to present a high risk to individuals, and review their security policies in its light. When doing this, it’s important to keep the rights of EU citizens in mind, including restriction of processing and data portability. In particular, personal data that third parties use to identify someone must be deleted when that individual requests it, unless one of the regulation’s exceptions applies, such as a legal obligation to retain the data. It’s crucial that all this data is correctly and promptly destroyed, that recipients it was shared with are told to do the same, and that it can no longer be accessed. This is known as the “right to be forgotten” (the right to erasure).

Evaluating how the business protects this data comes next (for example, with encryption, tokenisation or pseudonymisation). The evaluation must cover any historical data, the data being produced and any data that is backed up, whether on-site or in the cloud. Note that pseudonymised data is still personal data under the GDPR, because the business holding the key or mapping can re-identify it; only data that has been genuinely anonymised falls outside the regulation. All data needs to be protected from the day it is generated to the day it is no longer needed.
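One way to put Step four into practice in a data store, as an added example that is not code from the original post or from Gemalto: direct identifiers are replaced by a keyed HMAC-SHA256 pseudonym whose key lives outside the data store, each subject’s records are encrypted with AES-256-GCM under a key that belongs to that subject alone, and an erasure request is fulfilled by destroying that key (crypto-shredding), which makes every copy of the records, including backups that cannot be rewritten, unreadable. The Vault and Record types, the e-mail address and the sample payload are constructed for this illustration, and the in-memory key map stands in for a key manager or HSM.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Vault keeps the secrets that must live apart from the data store: the pseudonymisation
// key and one data encryption key (DEK) per subject. The map stands in for a key manager/HSM.
type Vault struct {
	pseudoKey []byte
	deks      map[string][]byte // pseudonym -> 32-byte AES-256 key
}

// Record is what the data store, and every backup of it, actually holds.
type Record struct {
	Subject    string // HMAC pseudonym, never the raw identifier
	Ciphertext []byte // AES-256-GCM output: nonce || ciphertext || tag
}

func NewVault() *Vault {
	return &Vault{pseudoKey: mustRandom(32), deks: map[string][]byte{}}
}

// Pseudonym replaces a direct identifier (e-mail, customer number) with a stable keyed
// token. Unlike a bare SHA-256 it cannot be reversed by dictionary attack without pseudoKey,
// so only the controller can re-identify a row: the data is pseudonymous, not anonymous.
func (v *Vault) Pseudonym(identifier string) string {
	m := hmac.New(sha256.New, v.pseudoKey)
	m.Write([]byte(identifier))
	return hex.EncodeToString(m.Sum(nil))
}

// Protect encrypts payload under the DEK of the subject it belongs to.
func (v *Vault) Protect(identifier string, payload []byte) Record {
	p := v.Pseudonym(identifier)
	if _, ok := v.deks[p]; !ok {
		v.deks[p] = mustRandom(32) // first record for this subject: mint its DEK
	}
	aead, _ := v.aeadFor(p)
	nonce := mustRandom(aead.NonceSize())
	// The pseudonym is authenticated as additional data, so a ciphertext cannot
	// be moved to another subject's row without detection.
	return Record{Subject: p, Ciphertext: aead.Seal(nonce, nonce, payload, []byte(p))}
}

// Reveal decrypts for processing; it fails once the subject's DEK is gone or the bytes were tampered with.
func (v *Vault) Reveal(r Record) ([]byte, error) {
	aead, ok := v.aeadFor(r.Subject)
	if !ok {
		return nil, errors.New("no key for subject: data is unrecoverable")
	}
	n := aead.NonceSize()
	if len(r.Ciphertext) < n {
		return nil, errors.New("record too short to contain a nonce")
	}
	return aead.Open(nil, r.Ciphertext[:n], r.Ciphertext[n:], []byte(r.Subject))
}

// Forget fulfils an erasure request by crypto-shredding: without the DEK, every copy of the
// subject's records, including backups the controller cannot rewrite, is permanently unreadable.
func (v *Vault) Forget(identifier string) {
	delete(v.deks, v.Pseudonym(identifier))
}

// aeadFor builds the AES-GCM instance for a pseudonym, or reports that no DEK exists.
func (v *Vault) aeadFor(p string) (cipher.AEAD, bool) {
	dek, ok := v.deks[p]
	if !ok {
		return nil, false
	}
	block, _ := aes.NewCipher(dek) // neither call can fail for a 32-byte key
	aead, _ := cipher.NewGCM(block)
	return aead, true
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable entropy source: nothing cryptographic is safe to continue
	}
	return b
}

func main() {
	v := NewVault()
	rec := v.Protect("alice@example.com", []byte("date of birth: 1984-02-29")) // constructed sample
	pt, _ := v.Reveal(rec)
	fmt.Printf("stored subject %s...; controller reads %q\n", rec.Subject[:12], pt)
	v.Forget("alice@example.com")
	_, err := v.Reveal(rec)
	fmt.Println("after erasure request:", err)
}
```

Running it shows the row a breached database would yield (a pseudonym and ciphertext), the controller’s successful decryption, and the failure after Forget. Two caveats for practitioners: HMAC pseudonyms are deterministic, so anyone holding the pseudonymisation key can re-identify a row, which is exactly why pseudonymised data remains personal data; and crypto-shredding only works if the key store is backed up separately from the data and each key deletion is itself logged as evidence for the Data Register.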

Step five – Document and assess any additional risks and processes 
Of course, there’s more to compliance than just protecting the most sensitive data – the next stage of the process is to assess and document any other risks, to discover any other processes or areas that might be vulnerable. While doing this, the business should update its Data Register, to show the DPA how they are addressing any existing risks. Only by doing this can a business demonstrate to the DPA that it is treating compliance and data protection seriously and with respect.

Step six – Revisit and repeat
Finally, the last step on the compliance journey focuses on revisiting the outcome of the previous steps and remediating any potential consequences, tweaking and updating where necessary. Once this is complete, businesses should evaluate their next priorities and repeat the process from step four.

The basis of this new data protection bill and the GDPR is to push businesses into action and to put security at the top of the agenda. When next May comes around, businesses won’t be able to hide any more. It’s vital to start preparing for compliance now, before it’s too late. It’s not a case of if, but when, a breach occurs, and that revelation could cause serious damage to a company’s reputation. Not only this, but businesses will also face severe fines. With just a year to go, there are no longer any excuses for businesses when it comes to protecting their customers’ data.

What can you do to prepare for the emerging GDPR requirements? Read Preparing for the General Data Protection Regulation.

Game of Threats: It’s Time for a New Data Security Script

HBO’s data breach comes just as the network has released the seventh series of Game of Thrones. For the first six seasons, it’s been somewhat easy to predict what might happen, because readers of George R. R. Martin’s books knew the general storyline. Season seven is different: there’s no book to provide a script. This time around, viewers are all flying blind, with the exception of a few clues that may foreshadow the events of this new season. (Of course, this could now change because of the breach.)

This is much like how IT and security teams find themselves today when it comes to protecting their data and networks from hackers and other threats. It’s a new Game of Threats and there’s no script to follow. There’s so much data to defend, the attack surface has grown and the threat vectors are too numerous to stay on top of. Security teams can no longer rely on what traditional strategies have told them in order to predict how best to defend their networks and what is most critical: their data. The script they have followed, breach prevention, is a thing of the past, just like medieval history and the dodo bird.

Much like the castles of Dragonstone, Riverrun and Winterfell that were built to protect the great houses in the Game of Thrones, today’s security teams continue to rely on defending the perimeter as the foundation of their strategy. Build walls and moats, set up sentries to keep guard and monitor who gets in (or not) with the right password or credentials. Even as the threats and technology landscape has changed dramatically, this is the essence of security practiced today. But just like the first (and second) Siege of Riverrun, castles and perimeter defenses can easily be compromised and taken control of by outsiders.

Breach prevention (as a foundational strategy) is dead. Relying on perimeter security as the principal means of protecting sensitive information is a fool’s errand. Instead, companies should stop pretending they can prevent a perimeter breach, accept this reality and build their security strategies accordingly. They need to learn how to best secure the breach and adopt cybersecurity situational awareness. It is impossible to protect everything by building bigger walls and adding more guards to detect attacks; instead, deploy layered defences that protect what matters most, where it matters.

In 2017, companies will spend $90 billion on information security worldwide, up nearly eight percent from last year. Most of this is being spent on prevention, detection and response products and services. Now let’s weigh that against how effective this has been. According to the Breach Level Index, more than 1.4 billion data records were stolen in 2016, up 86% versus 2015. So, one might say companies are not making very good investments with their IT budgets. You know the saying attributed to Albert Einstein, that the definition of insanity is doing the same thing over and over again and expecting different results? It applies very well to how data security is done today.

It’s time for a new data security mindset. One that shifts from breach prevention to breach acceptance and is focused on securing the breach. This Secure the Breach manifesto is something we have been saying for five years. Companies need to move their security controls as close as possible to the data and users accessing that data because perimeter security controls do not protect data. By embedding protection on the assets themselves you ensure that even after the perimeter is breached, the information remains secure. By implementing a three step approach – encrypting all sensitive data at rest and in motion, securely managing and storing all of your encryption keys, and controlling access to apps and authentication of users – you can effectively prepare for a breach. That way, you can Secure the Breach and more effectively defend your company in the Game of Threats.

Protect what matters, where it matters – Discover how at Secure the Breach.

This post also appears on the Gemalto Enterprise Security Blog here.


What challenges enterprise cyber security executives?

Here’s an understatement for you: this is an interesting time to be a cyber security or risk management executive at an enterprise.

In reality, this is the most challenging period ever for organizations when it comes to safeguarding data and systems. There is a rising number of data breaches—nearly 1.4 billion data records were lost or stolen in 2016, according to Gemalto’s Breach Level Index—and serious threats such as ransomware are making worldwide headlines on a regular basis.

On top of that, companies are having to deal with a growing number of data protection regulations. This includes the General Data Protection Regulation (GDPR), a set of rules adopted by the European Parliament and the Council of the European Union, on a proposal from the European Commission, to strengthen data protection for individuals within the European Union (EU).

Despite these and other developing challenges swirling around the cyber security landscape, many organizations are relying on the same old security solutions they’ve had in place for years. For example, a majority of IT professionals still think perimeter security products are effective at keeping unauthorized users out of their networks, according to a new Gemalto report conducted by independent research firm Vanson Bourne.

The report, Gemalto’s fourth-annual Data Security Confidence Index, also shows that companies are under investing in technology that adequately protects their business.

To gather data for the study, Vanson Bourne surveyed 1,050 IT decision makers across the U.S., U.K., France, Germany, India, Japan, Australia, Brazil, Benelux, the Middle East and South Africa on behalf of Gemalto. The sample was split between manufacturing, healthcare, financial services, government, telecommunications, retail, utilities, consultancy and real estate, insurance and legal, IT and other sectors, from organizations with 250 to more than 5,000 employees.

A huge majority of those surveyed (94%) think perimeter security tools are quite effective at keeping unauthorized users out of their networks. But at the same time, about two thirds (65%) are not extremely confident that their data would be protected should their perimeter be breached. This represents a slight decrease from the survey conducted last year (69%). And despite the broad lack of confidence, nearly six in 10 of the organizations report that they think all their sensitive data is secure.

This shows that at many organizations, perimeter security is the focus but a good understanding of technology and data security is still lacking. Many of these businesses are continuing to prioritize perimeter security without realizing it has been largely ineffective against sophisticated cyber attacks.

The latest Gemalto research findings show that 76% of the decision makers said their organization had increased investment in perimeter security technologies such as firewalls, intrusion detection and prevention systems (IDPS), antivirus software, content filtering tools and anomaly detection systems to protect against external attackers.

Despite this investment, however, two thirds of the survey respondents (68%) think unauthorized users could access their networks, rendering their perimeter security ineffective.

These findings suggest a lack of confidence in the solutions being used today, especially when you consider that more than one quarter of the organizations (28%) have suffered perimeter security breaches over the past 12 months.

The reality of the situation gets even worse when you take into account the fact that, on average, only 8% of the data breached was encrypted. That means the vast majority of the stolen data was completely exposed to attackers—an unacceptable situation for organizations that should be doing all they can to protect sensitive information.

Furthermore, according to the report more than half of the respondents said they do not know where their sensitive data is stored, and more than one third of businesses do not encrypt valuable information such as payment or customer data. In other words, if this data is stolen, a cyber criminal would have full access to the information and could use it for crimes such as identity theft, financial fraud or extortion.

It is clear that there is a divide between organizations’ perceptions of the effectiveness of perimeter security and the reality. By believing that their data is already secure, businesses are failing to prioritize the measures necessary to protect their data.

Businesses need to be aware that hackers and other bad actors are going after companies’ most valuable asset: their data. It’s important that they focus on protecting these resources; otherwise reality will inevitably bite those that fail to do so.

Inadequate security not only exposes organizations’ data to attackers, it leaves enterprises open to the risk of non-compliance with regulations such as GDPR. There is a global trend toward reforming and enhancing data protection laws, and many companies are not sure how to approach these new requirements.

That’s especially true of data privacy, which has traditionally been an afterthought, rather than included in products “by design.” This necessitates a longer-term change in approach and mindset.

With GDPR, which becomes enforceable in May 2018, organizations need to understand how to comply by properly securing personal data to avoid the risk of administrative fines and reputational damage. However, more than half of the survey respondents said they do not think they will be fully compliant with GDPR by May next year.

With less than a year to go, companies need to begin introducing the correct security controls in their efforts to reach GDPR compliance, including encryption, two-factor authentication and key management.

Investing in cyber security solutions has clearly become more of a focus for businesses in the last 12 months. However, what is of concern is that so few are adequately securing the most vulnerable and crucial data they hold, or even understand where it is stored. This is standing in the way of GDPR compliance, and before long the businesses that don’t improve their cyber security will face severe legal, financial and reputational consequences.

That’s not all. Organizations that don’t bring their security infrastructure up to date might also face the wrath of their customers, employees, business partners and other stakeholders. Fortunately, they can take steps to bolster security before it’s too late.

Discover more and download the Data Security Confidence Report.

Also posted on the Gemalto Enterprise Security blog here.