1/24/2018 10:30 AM
Danelle Au
Commentary

GDPR: Ready or Not, Here It Comes

As organizations all over the world look ahead to May 25 when Europe's General Data Protection Regulation takes effect, many will fall short.

"Hindsight is 20/20" is an old cliché that laments the clarity of retrospection and the regret that often accompanies having overlooked (or ignored) the now-obvious ingredient that contributed to an unfortunate event. Often the sentiment is one that implies that preventing the mishap was within the speaker's power but for the making of an ill-informed decision. Implied is the wish that things would be different "if I could do it again…"

Today, organizations all over the world are looking ahead to May 25, 2018, the date that Europe's General Data Protection Regulation (GDPR) takes effect, and are trying to put in place the means to avoid having to utter those words. They are reading the law, huddling with consultants, and checking with their legal and technical teams so that when May 24 dawns they can go to bed confident they've done all they can do.

But there's evidence that the time and money being spent today may not be going to the right places, and that many companies, despite earnest efforts to prepare in advance, will fall short of GDPR compliance.

The BBC reports that a recent survey of board members of 105 companies listed on the FTSE350, the largest 350 British companies on the London Stock Exchange, reveals that one in 10 lacks any plans for dealing with a cyberattack, and that more than two-thirds are untrained for such an event, despite the fact that more than half acknowledge that a cyberattack is a primary threat to their organization.

Read that again. The survey didn't find that one in 10 organizations believes it is unprepared for an attack or lacks confidence in its preparedness. One in 10 companies lacks any plan for dealing with a cyberattack. In the first weeks of 2018, it is unfathomable to consider that 10% of large, global corporations have no plan for dealing with the inevitability of an attack on their networks and an attempt to access data.

What reasoning could there possibly be for dereliction of duty of this kind? With no specific knowledge or insight, I can only speculate. But it's human nature to make no decision when overwhelmed with an abundance of information. Clearly, even in the age of big data analytics, there are successful businesses and business leaders who find themselves in that situation. They will be in for a rude awakening if, after GDPR takes effect, they experience a data breach and — with no plan on file to prove a good-faith effort at prevention — suffer a steep reputational and financial blow.

Whatever the reason — paralysis of where to start/how to face an invisible threat, misguided "can't happen to me" delusion, or just compacted at the bottom of a list of more pressing business critical functions — ignoring the very real possibility of coming under the hammer of the European Commission and writing a check equal to 4% of gross global revenue cannot be taken lightly.

There is another cliché appropriate to this situation: forewarned is forearmed. However, with repeated and massive alarms raised and extensive discussion of the issues, forearmed has at this point eclipsed forewarned as an imperative. With so many companies seemingly following horror movie tropes of running toward a threat or simply not evaluating the situation with anything resembling common sense, there are three areas that, if given focus and careful consideration, can not only serve to prevent an organization from falling under the non-compliance blade but can improve overall security posture against any compromise or loss:

  • Communication. Start by ensuring that both business and IT are working toward a common goal of safe and frictionless operations with a clear understanding of how to document the roles of stakeholders in advance of material compromise. This includes discussions, role definition, and process development for executive, legal, communications, security, HR, and even the corporate board.
  • Connect the dots. This will involve mapping the business environment and assessing risk, from infrastructure to the critical assets most likely to be targeted and understanding all the ways in which exposure can occur.
  • Continuous evaluation. Once both the risk has been measured and the roles have been defined, it's necessary to validate the process and plans — repeatedly. From technologies that can test and simulate attacks, to tabletop exercises that play out response plans/responsibilities, to engagement with services firms to root out vulnerability, it's important to discover both the points of exposure and the impact of change to keep organizations from security atrophy and continuously in compliance.

Danelle is vice president of strategy at SafeBreach. She has more than 15 years of experience bringing new technologies to market. Prior to SafeBreach, Danelle led strategy and marketing at Adallom, a cloud security company acquired by Microsoft. She was also responsible for ...