Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

1/24/2018
10:30 AM
Danelle Au
Danelle Au
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

GDPR: Ready or Not, Here It Comes

As organizations all over the world look ahead to May 25 when Europe's General Data Protection Regulation takes effect, many will fall short.

"Hindsight is 20/20" is an old cliché that laments the clarity of retrospection and the regret that often accompanies having overlooked (or ignored) the now-obvious ingredient that contributed to an unfortunate event. Often the sentiment is one that implies that preventing the mishap was within the speaker's power but for the making of an ill-informed decision. Implied is the wish that things would be different "if I could do it again…"

Today, organizations all over the world are looking ahead to May 25, 2018, the date that Europe's General Data Protection Regulation (GDPR) takes effect, and are trying to put in place the means to avoid having to utter those words. They are reading the law, huddling with consultants, and checking with their legal and technical teams so that when May 24 dawns they can go to bed confident they've done all they can do.

But there's evidence that the time and money being spent today may not be going to the right places, and that many companies, despite earnest efforts to prepare in advance, will fall short of GDPR compliance.

The BBC reports that a recent survey of board members of 105 companies listed on the FTSE350, the largest 350 British companies on the London Stock Exchange, reveals that one in 10 lacks any plans for dealing with a cyberattack, and that more than two-thirds are untrained for such an event, despite the fact that more than half acknowledge that a cyberattack is a primary threat to their organization.

Read that again. The survey didn't find that one in 10 organizations believes it is unprepared for an attack or lacks confidence in its preparedness. One in 10 companies lacks any plan for dealing with a cyberattack. In the first weeks of 2018, it is unfathomable to consider that 10% of large, global corporations have no plan for dealing with the inevitability of an attack on their networks and an attempt to access data.

What reasoning could there possibly be for dereliction of duty of this kind? With no specific knowledge or insight, I can only speculate. But it's human nature to make no decision when overwhelmed with an abundance of information. Clearly, even in the age of big data analytics, there are successful businesses and business leaders who find themselves in that situation. They will be in for a rude awakening if, after GDPR takes effect, they experience a data breach and — with no plan on file to prove a good-faith effort at prevention — suffer a steep reputational and financial blow.

Whatever the reason —  paralysis of where to start/how to face an invisible threat, misguided "can't happen to me" delusion, or just compacted at the bottom of a list of more pressing business critical functions — ignoring the very real possibility of coming under the hammer of the European Commission and writing a check equal to 4% of gross global revenue cannot be taken lightly.  

There is another cliché appropriate to this situation: forewarned is forearmed. However, with repeated and massive alarms raised and extensive discussion of the issues, forearmed has at this point eclipsed forewarned as an imperative. With so many companies seemingly following horror movie tropes of running toward a threat or simply not evaluating the situation with anything resembling common sense, there are three areas that, if given focus and careful consideration, can not only serve to prevent an organization from falling under the non-compliance blade but can improve overall security posture against any compromise or loss:

  • Communication. Start by ensuring that both business and IT are working toward a common goal of safe and frictionless operations with a clear understanding of how to document the roles of stakeholders in advance of material compromise. This includes discussions, role definition, and process development for executive, legal, communications, security, HR, and even the corporate board.
  • Connect the dots. This will involve mapping the business environment and assessing risk, from infrastructure to the critical assets most likely to be targeted and understanding all the ways in which exposure can occur.
  • Continuous evaluation. Once both the risk has been measured and the roles have been defined, it's necessary to validate the process and plans — repeatedly. From technologies that can test and simulate attacks, to tabletop exercises that play out response plans/responsibilities, to engagement with services firms to root out vulnerability, it's important to discover both the points of exposure and the impact of change to keep organizations from security atrophy and continuously in compliance.

Related Content:

Danelle is vice president of strategy at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for ... View Full Bio
 

Recommended Reading:

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/3/2020
Pen Testers Who Got Arrested Doing Their Jobs Tell All
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/5/2020
New 'Nanodegree' Program Provides Hands-On Cybersecurity Training
Nicole Ferraro, Contributing Writer,  8/3/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-15820
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, the markdown parser could disclose hidden file existence.
CVE-2020-15821
PUBLISHED: 2020-08-08
In JetBrains YouTrack before 2020.2.6881, a user without permission is able to create an article draft.
CVE-2020-15823
PUBLISHED: 2020-08-08
JetBrains YouTrack before 2020.2.8873 is vulnerable to SSRF in the Workflow component.
CVE-2020-15824
PUBLISHED: 2020-08-08
In JetBrains Kotlin before 1.4.0, there is a script-cache privilege escalation vulnerability due to kotlin-main-kts cached scripts in the system temp directory, which is shared by all users by default.
CVE-2020-15825
PUBLISHED: 2020-08-08
In JetBrains TeamCity before 2020.1, users with the Modify Group permission can elevate other users' privileges.