Endpoint
4/5/2017
11:30 AM

GDPR Doesn't Need to be GDP-Argh!

These 10 steps will ease the pain of compliance with the General Data Protection Regulation, the EU's new privacy law that goes into effect in a little over a year.

If your organization does business with Europe, or more specifically does anything with the personal data of EU citizens, you’re going to be living the dream (or perhaps nightmare) that is preparing for the General Data Protection Regulation (GDPR).

For many organizations, this is going to be a tedious exercise; even if you have implemented processes and technologies to meet current regulations, there is still work to be done to steer clear of penalties. And, as you might expect, infringement carries heavy fines: €20 million or 4 percent of your worldwide annual gross revenue, depending on the violation.

The regulation comes into effect on May 25, 2018, at which point organizations will be held accountable immediately. It’s hard to say exactly how organizations are doing, but depending on which news you choose to read, it doesn’t appear that too many are ready. And for good reason.

For one thing, preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT, and security all have a part to play. Some organizations will need to adopt new roles and responsibilities, such as appointing a data protection officer and nominating representatives within the EU to be points of contact.

So, with just over a year to get this sorted, what do you need to do?

If you’re just beginning your GDPR compliance quest, start by having employees attend a training to learn about the best practices for implementing GDPR. Training can also save you from the costly fines down the line, which, depending on the level of GDPR infringement, can amount to 4% of your organization’s worldwide annual gross revenue for the previous year.

You’ll also need to determine where the personal data of EU citizens physically resides, the categories of personal data you control or process, how and by whom it is accessed, and how it is secured. In addition, processes for access control, incident detection and response, and breach notification will also need review or implementation.

To help get you started, I’ve put together a list of 10 steps your company can take toward becoming GDPR-compliant:

Step 1: Encrypt data both at-rest and in-transit. Why? If you are breached but the personal data is rendered unintelligible to the attacker, then you do not have to notify the person whose data has been breached.

Step 2: Limit access. The idea of a “need-to-know-basis” has been around in the military for eons. The same process now needs to apply to personal data. Review who has access to personal data and why they have access, then revoke rights as necessary. When gaining consent to process personal data you will need to state the reasons for processing the data, and identify people who have access to the data. Shared admin accounts and overinflated user privileges are generally bad practices, but with GDPR they become totally unacceptable.

Step 3: Have a broad-based vulnerability management process in place. Make sure you’re scanning all devices on your network to maintain visibility into weaknesses in your infrastructure. If you have remote employees, don’t forget about them! Remote workers create additional risk because their devices can house sensitive data while they are connected to unsecured networks. Ensuring the ongoing confidentiality, integrity, and availability of all systems across your company is key.

Step 4: Backups. Backups. Backups. Make backups! Not just in case of a dreaded ransomware attack, but as a good housekeeping practice in case of storage failure, asset loss, natural disaster, even a full cup of coffee spilled on a laptop. If you don’t currently have a backup vendor in place, there are a number of server and database options available. Disaster recovery should always be high on your list, regardless of the regulations you are required to meet.

Step 5: Secure your web applications. Privacy-by-design needs to be built into processes and systems. If you’re collecting personal data via a web app, and still using http/clear text, then it’s likely you already have a problem.

Step 6: Pen tests are your friend. Attacking your systems and environment to understand your weak spots will tell you where you need to focus. It’s also better to go through this exercise with an opportunity to course correct, rather than wait for an attacker to point out your weaknesses by getting onto your network. You can do this internally or employ a professional team to perform regular external tests.  

Step 7: Detect attackers quickly and early. Finding out that you’ve been breached after the fact is an all too common scenario. The Verizon Data Breach Investigations Report has called out compromised credentials as a top attack vector, yet many organizations still can’t detect when these credentials are used by attackers. User behavior analytics is one way to quickly investigate and remediate anomalous user account activity within your environment. Deploying deception technologies, like honey pots and honey credentials, is another strategy for spotting attackers early.
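As an added example (not code from the article or from Rapid7), here are the two detection ideas in Step 7 applied to a few constructed authentication log lines: any use of a honey credential is an alert, and a successful login from a source outside the user's known baseline is flagged for investigation. The log format, account names, addresses and the baseline are all assumptions.

```python
# Added example for Step 7: honey-credential and out-of-baseline login detection.
# Log format, accounts, addresses and baseline are constructed for illustration.
import re

# Constructed syslog-style auth events: "<ts> auth user=<u> src=<ip> result=<ok|fail>"
LOG_LINES = """\
2017-04-05T08:02:11Z auth user=alice src=10.1.4.22 result=ok
2017-04-05T08:05:40Z auth user=bob src=10.1.4.31 result=ok
2017-04-05T22:47:03Z auth user=alice src=203.0.113.9 result=ok
2017-04-05T23:01:19Z auth user=svc_backup_admin src=10.1.4.31 result=fail
2017-04-06T09:10:00Z auth user=bob src=10.1.4.31 result=ok
"""

# Honey credentials: accounts seeded where an intruder would find them but that
# no legitimate person or process ever uses, so any attempt is a signal.
HONEY_ACCOUNTS = {"svc_backup_admin"}

# Known-good source addresses per user (in practice learned from login history).
BASELINE = {"alice": {"10.1.4.22"}, "bob": {"10.1.4.31"}}

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>ok|fail)$"
)


def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, honey=HONEY_ACCOUNTS, baseline=BASELINE):
    """Return a list of (severity, user, src, reason) alerts in log order."""
    alerts = []
    for ev in parse(lines):
        user, src = ev["user"], ev["src"]
        if user in honey:
            # Success or failure does not matter: someone is using the bait.
            alerts.append(("high", user, src, "honey credential used"))
        elif ev["result"] == "ok" and src not in baseline.get(user, set()):
            alerts.append(("medium", user, src, "login from source outside baseline"))
    return alerts


if __name__ == "__main__":
    for alert in detect(LOG_LINES):
        print(alert)
```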

Step 8: Don’t ignore shadow IT. You likely have some approved cloud services deployed already, but unless you’ve switched off the internet, it’s also possible that unsanctioned services and apps are in use in your environment, handling data that needs to be protected.

Step 9: Prioritize and respond to the alerts your security products generate daily. Attackers can easily take advantage of the flood of information bombarding security teams every day. It’s great if you have a SIEM in place and have the capability to respond 24/7. (Attackers work evenings and weekends too!) But if you don’t have a SIEM, or the time or budget to take on a traditional deployment, consider products or managed offerings that can offer round-the-clock protection.

Step 10: Don’t wait for an attack to engage an incident response team. GDPR stipulates that companies report personal data breaches to a supervisory authority within 72 hours of discovery. But aside from the reporting requirements, it’s critical to contain the attack and limit damage as quickly as possible. So if you don’t have dedicated IR capabilities in-house, at least have a clear and fast route to third-party services. That means going through the process of vetting and engaging potential vendors and partners in advance, so that you know exactly who to call with the necessary expertise should the worst happen.

Samantha is responsible for ensuring that Rapid7's international markets receive the proper solutions messaging, collateral, and information. She also trains sellers (internal and partners) on security concepts and solutions. She has nearly 20 years of employment experience ...
Comments
atrisk, User Rank: Apprentice
4/6/2017 | 10:49:55 AM
GDPR - proactive approach
GDPR is the real deal. Companies will take notice after a few fines are levied. IT needs to look at all devices that can act as a risk gateway. Mobile is a clear candidate and organizations need to look at services beyond pen testing. Having all the security on the server side simply means that they have already broken down your front door. Secure the mobile applications that are being used on devices, especially those on BYOD. Encrypt and monitor them, creating a barrier that prevents access to your servers.
Joe Stanganelli, User Rank: Ninja
4/5/2017 | 3:30:23 PM
Joe's take x3
Good tips. My take on some of these items:

1) €20 million or 4 percent of your worldwide annual gross revenue, depending on the violation.

Good luck, I say, to EU regulators. This is a hefty, scary max penalty. In reality, I suspect that smaller enterprises/businesses have more to fear here than larger and more entrenched enterprises. (I'm thinking now of the VW diesel scandal that, had US regulators gone full throttle, could have completely bankrupted and obliterated VW.) For companies that regularly do business in the EU and aren't tech companies with which the EU already has a major bone to pick (e.g., Google, Facebook, etc.), there may be some leniency.

On the other hand, the first tests of this will show us just how serious the EU is when it comes to privacy matters, I suppose. So while I have my pet theories, nothing surprises me anymore in the data privacy and data stewardship realm.

2) Encrypt data both at-rest and in-transit.

This advice -- which may be seen as a bit silly -- is an unfortunately important one, even in the US and in other more lightly regulated jurisdictions. Even in the absence of regulations, the revelation of the lack of at-rest encryption in the case of a data breach -- even where it would not have actually helped mitigate matters any -- can be highly brand damaging. (Remember the Anthem née Wellpoint breach?)

3) Backups. Backups. Backups.

And -- more to the point -- SECURE your backups! Seems like a "duh!" imperative, no? Well, that "common sense" was lost on Adobe when they suffered their major breach of their backup systems, impacting over 150 million users.

I always have more to say on this topic because I work in the field, but for now I'll shut up. 3 bulletpoints in an Internet comment is enough for now. ;)