Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Cloud

1/24/2018
10:30 AM
Danelle Au
Danelle Au
Commentary
Connect Directly
Facebook
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

GDPR: Ready or Not, Here It Comes

As organizations all over the world look ahead to May 25 when Europe's General Data Protection Regulation takes effect, many will fall short.

"Hindsight is 20/20" is an old cliché that laments the clarity of retrospection and the regret that often accompanies having overlooked (or ignored) the now-obvious ingredient that contributed to an unfortunate event. Often the sentiment is one that implies that preventing the mishap was within the speaker's power but for the making of an ill-informed decision. Implied is the wish that things would be different "if I could do it again…"

Today, organizations all over the world are looking ahead to May 25, 2018, the date that Europe's General Data Protection Regulation (GDPR) takes effect, and are trying to put in place the means to avoid having to utter those words. They are reading the law, huddling with consultants, and checking with their legal and technical teams so that when May 24 dawns they can go to bed confident they've done all they can do.

But there's evidence that the time and money being spent today may not be going to the right places, and that many companies, despite earnest efforts to prepare in advance, will fall short of GDPR compliance.

The BBC reports that a recent survey of board members of 105 companies listed on the FTSE350, the largest 350 British companies on the London Stock Exchange, reveals that one in 10 lacks any plans for dealing with a cyberattack, and that more than two-thirds are untrained for such an event, despite the fact that more than half acknowledge that a cyberattack is a primary threat to their organization.

Read that again. The survey didn't find that one in 10 organizations believes it is unprepared for an attack or lacks confidence in its preparedness. One in 10 companies lacks any plan for dealing with a cyberattack. In the first weeks of 2018, it is unfathomable to consider that 10% of large, global corporations have no plan for dealing with the inevitability of an attack on their networks and an attempt to access data.

What reasoning could there possibly be for dereliction of duty of this kind? With no specific knowledge or insight, I can only speculate. But it's human nature to make no decision when overwhelmed with an abundance of information. Clearly, even in the age of big data analytics, there are successful businesses and business leaders who find themselves in that situation. They will be in for a rude awakening if, after GDPR takes effect, they experience a data breach and — with no plan on file to prove a good-faith effort at prevention — suffer a steep reputational and financial blow.

Whatever the reason —  paralysis of where to start/how to face an invisible threat, misguided "can't happen to me" delusion, or just compacted at the bottom of a list of more pressing business critical functions — ignoring the very real possibility of coming under the hammer of the European Commission and writing a check equal to 4% of gross global revenue cannot be taken lightly.  

There is another cliché appropriate to this situation: forewarned is forearmed. However, with repeated and massive alarms raised and extensive discussion of the issues, forearmed has at this point eclipsed forewarned as an imperative. With so many companies seemingly following horror movie tropes of running toward a threat or simply not evaluating the situation with anything resembling common sense, there are three areas that, if given focus and careful consideration, can not only serve to prevent an organization from falling under the non-compliance blade but can improve overall security posture against any compromise or loss:

  • Communication. Start by ensuring that both business and IT are working toward a common goal of safe and frictionless operations with a clear understanding of how to document the roles of stakeholders in advance of material compromise. This includes discussions, role definition, and process development for executive, legal, communications, security, HR, and even the corporate board.
  • Connect the dots. This will involve mapping the business environment and assessing risk, from infrastructure to the critical assets most likely to be targeted and understanding all the ways in which exposure can occur.
  • Continuous evaluation. Once both the risk has been measured and the roles have been defined, it's necessary to validate the process and plans — repeatedly. From technologies that can test and simulate attacks, to tabletop exercises that play out response plans/responsibilities, to engagement with services firms to root out vulnerability, it's important to discover both the points of exposure and the impact of change to keep organizations from security atrophy and continuously in compliance.

Related Content:

Danelle is vice president of strategy at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-6852
PUBLISHED: 2019-11-20
A CWE-200: Information Exposure vulnerability exists in Modicon Controllers (M340 CPUs, M340 communication modules, Premium CPUs, Premium communication modules, Quantum CPUs, Quantum communication modules - see security notification for specific versions), which could cause the disclosure of FTP har...
CVE-2019-6853
PUBLISHED: 2019-11-20
A CWE-79: Failure to Preserve Web Page Structure vulnerability exists in Andover Continuum (models 9680, 5740 and 5720, bCX4040, bCX9640, 9900, 9940, 9924 and 9702) , which could enable a successful Cross-site Scripting (XSS attack) when using the products web server.
CVE-2013-2092
PUBLISHED: 2019-11-20
Cross-site Scripting (XSS) in Dolibarr ERP/CRM 3.3.1 allows remote attackers to inject arbitrary web script or HTML in functions.lib.php.
CVE-2013-2093
PUBLISHED: 2019-11-20
Dolibarr ERP/CRM 3.3.1 does not properly validate user input in viewimage.php and barcode.lib.php which allows remote attackers to execute arbitrary commands.
CVE-2015-3166
PUBLISHED: 2019-11-20
The snprintf implementation in PostgreSQL before 9.0.20, 9.1.x before 9.1.16, 9.2.x before 9.2.11, 9.3.x before 9.3.7, and 9.4.x before 9.4.2 does not properly handle system-call errors, which allows attackers to obtain sensitive information or have other unspecified impact via unknown vectors, as d...