Partner Perspectives
2/14/2018 09:00 AM
Simon Eappariello

The GDPR Clock Is Running Out. Now What?

Many organizations impacted by new European Union data privacy rules that go into effect May 25 are still blind to some of the basics.

On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The transformative new law is expected to have a profound impact on how businesses the world over collect, manage, and defend their data. But while companies have had more than two years to prepare for the ground-breaking legislation – passed in late 2015 – many of the organizations that will be impacted most by the new rules are still blind to some of the basics.

For starters, despite being drafted and enforced by the European Commission, the GDPR represents the first global mandate on data protection. That's because in the age of big data and widespread connectivity, almost every business today is global in scope and data-driven to some extent. Consequently, there are few companies that won’t need to adjust their policies over the next few months.

Better Late than Never

Where to begin? Bearing in mind that almost all businesses will be touched by the legislation, security teams the world over can start with this three-pronged approach:

Step 1: Assess and audit your data posture
Incremental changes to an existing operational structure can be costlier than re-evaluating your approach to data collection and storage from the top down. Businesses should know where and how they are storing data, whether it is encrypted, and whether the encryption keys are stored appropriately. Businesses should do this now, while they still have time, rather than making “knee-jerk” changes once GDPR is active.

If your company isn't already implementing audit trails to keep track of where the larger business stands on compliance, this should be your first step. Audit trails assure that no one is resting on their laurels by giving teams the necessary “checks and balances” in the lead-up to the May deadline. These records can be used to hold individuals across the organization accountable, and to assure that they are meeting deadlines, by creating a paper trail of activity. IT can reference these trails incrementally in the weeks leading up to the GDPR deadline to get a pulse check on the overall status of the transition.

Step 2: Re-evaluate systems and technology
Many existing information security systems will need to be restructured or reconsidered to comply with the new GDPR standard. Organizations that rely solely on next-generation firewalls, for instance, won’t be putting enough protections around user data to adequately block theft on the way out. Even proprietary encryption techniques designed by an organization’s IT team may not be as robust as the latest industry standards once compliance becomes an issue. Businesses should look to source technologies built for modern distributed mobile environments, where data can be stored and accessed in a multitude of ways. Solutions that find, encrypt, and/or anonymize PII could become crucial for limiting GDPR fines after a data breach.

Reporting and monitoring of traffic and the exchange of data should also be automated and easy to access – not to mention easy to use – since staff at various levels of the corporate totem pole, with varied technical expertise, will be accessing this information to assure GDPR compliance.

Step 3: Align business goals across the organization
Data collection and storage policies need to be transparent across the business to assure that proper checks and balances are in place. Historically, this knowledge has tended to fall only on IT and security administrators, but given the high stakes of noncompliance with GDPR, the burden needs to fall on all employees across the organization. GDPR gives businesses the opportunity to replace legacy processes that have presented communication challenges in the past. Since adhering to GDPR requires buy-in across the organization, issues that were once relegated to dark corners of the company should be top of mind throughout.

Hopefully, bearing these approaches in mind and viewing GDPR as an opportunity – not a burden – will set organizations up for success as the May 25 deadline for compliance approaches.

Simon Eappariello is the senior vice president of product and engineering, EMIA at iboss. He has a long history working in cybersecurity, networking, and information technology for global organizations in both the private and public sectors. Simon heads up iboss engineering ...