Partner Perspectives  Connecting marketers to our tech communities.
SPONSORED BY
2/14/2018
09:00 AM
Simon Eappariello
Simon Eappariello
Partner Perspectives
50%
50%

The GDPR Clock Is Running Out. Now What?

Many organizations impacted by new European Union data privacy rules that go into effect May 25 are still blind to some of the basics.

On May 25, the European Union’s General Data Protection Regulation (GDPR) goes into effect. The transformative new law is expected to have a profound impact on how businesses the world over collect, manage, and defend their data. But while companies have had more than two years to prepare for the ground-breaking legislation – passed in late 2015 – many organizations that will be impacted most by the new rules are still blind to some of the basics.

For starters, despite being drafted and enforced by the European Commission, the GDPR represents the first global mandate on data protection. That's because in the age of big data and widespread connectivity, almost every business today is global in scope and data-driven to some extent. Consequently, there are few companies that won’t need to adjust their policies over the next few months.

Better Late than Never

Where to begin? Bearing in mind that almost all businesses will be touched by the legislation, security teams the world over can start with this three-pronged approach:

Step 1: Assess and audit your data posture
Incremental changes to an existing operational structure can be costlier than reevaluating your approach to data collection and storage from the top-down. Businesses should know where and how they are storing data, if it is encrypted, and if the encryption keys are stored appropriately. Businesses should do this now while they still have time rather than making “knee-jerk” changes once GDPR is active.

If your company isn't already implementing audit trails to keep track of where the larger business stands on compliance, this should be your first step. Audit trails assure that no one is resting on their laurels by giving teams necessary “checks-and-balances” in the lead up to the May deadline. These records can be used to hold individuals across the organization accountable, and to assure that they are meeting deadlines by creating a paper trail of activity. IT can reference these trails incrementally in the weeks leading up to the GDPR deadline to get a pulse-check on the overall status of the transition.

Step 2: Re-evaluate systems and technology
Many existing information security systems will need to be restructured or reconsidered to comply with the new GDPR  standard. Organizations that rely solely on next-generation firewalls, for instance, won’t be putting enough protections around user data to adequately block theft on the way out. Even proprietary encryption techniques designed by an organization’s IT team may not be as robust as the latest industry standards once compliance becomes an issue. Businesses should look to source technologies built for modern distributed mobile environments, where data can be stored and accessed in a multitude of ways. Solutions that find, encrypt and/or anonymize PII data could become crucial for limiting GDPR fines after a data breach.

Reporting and monitoring of traffic and the exchange of data should also be automated, and easy-to-access – not to mention easy-to-use – since staff at various levels of the corporate totem pole with varied technical expertise will be accessing this information to assure GDPR.

Step 3: Align business goals across the organization
Data collection and storage policies need to be transparent across the business to assure that proper checks and balances are in place. Historically, this knowledge only tends to fall on IT and security administrators, but given the high-stakes of noncompliance with GDPR, the burden needs to fall on all employees across the organization. GDPR gives businesses the opportunity to replace legacy processes that had presented communication challenges in the past. Since adhering to GDPR requires buy-in across the organization, issues that were once relegated to dark corners of the company should be top-of-mind throughout.

Hopefully, bearing these approaches in mind and viewing GDPR as an opportunity – not a burden – will set organizations for success as the May 25th deadline for compliance approaches.

Simon Eappariello is the senior vice president of product and engineering, EMIA at iboss. He has a long history working in cybersecurity, networking, and information technology for global organizations in both the private and public sectors. Simon heads up iboss engineering ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication
John Fontana, Standards & Identity Analyst, Yubico,  9/19/2018
Turn the NIST Cybersecurity Framework into Reality: 5 Steps
Mukul Kumar & Anupam Sahai, CISO & VP of Cyber Practice and VP Product Management, Cavirin Systems,  9/20/2018
NSS Labs Files Antitrust Suit Against Symantec, CrowdStrike, ESET, AMTSO
Kelly Jackson Higgins, Executive Editor at Dark Reading,  9/19/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
iboss has created the first and only web gateway as a service specifically designed to solve the challenge of securing distributed organizations. Built for the cloud, the iboss Distributed Gateway Platform leverages an elastic, cloud-based node architecture that provides advanced security for todays decentralized organizations with more financial predictability. Backed by more than 110 patents and patents pending, and protecting over 4,000 organizations worldwide, iboss is one of the fastest growing cybersecurity companies in the world. To learn more, visit www.iboss.com.
Featured Writers
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "I'm not sure I like this top down management approach!"
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17332
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. The svgGetNextPathField function in svg_string.c returns its input pointer in certain circumstances, which might result in a memory leak caused by wasteful malloc calls.
CVE-2018-17333
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in svgStringToLength in svg_types.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because sscanf is misused.
CVE-2018-17334
PUBLISHED: 2018-09-22
An issue was discovered in libsvg2 through 2012-10-19. A stack-based buffer overflow in the svgGetNextPathField function in svg_string.c allows remote attackers to cause a denial of service (application crash) or possibly have unspecified other impact because a strncpy copy limit is miscalculated.
CVE-2018-17336
PUBLISHED: 2018-09-22
UDisks 2.8.0 has a format string vulnerability in udisks_log in udiskslogging.c, allowing attackers to obtain sensitive information (stack contents), cause a denial of service (memory corruption), or possibly have unspecified other impact via a malformed filesystem label, as demonstrated by %d or %n...
CVE-2018-17321
PUBLISHED: 2018-09-22
An issue was discovered in SeaCMS 6.64. XSS exists in admin_datarelate.php via the time or maxHit parameter in a dorandomset action.