If you conduct business in the EU, offer goods or services to EU citizens, or monitor their online behavior, then the clock is ticking. You only have a few more months – until May – to make sure your organization complies with GDPR data privacy regulations. Failure to abide by GDPR means you could get hit with huge fines.
Finding and investigating data breaches: Why it’s always too little, too late
Personal data protection and the requirements under the legislation apply to many aspects of maintaining and protecting personal information, but the focus here is specifically on data breaches, where the business may not be aware of the breach but remains culpable.
Personal data as defined under the GDPR regulation includes any information related to an identified or identifiable natural person (‘data subject’) (GDPR Chapter 3, Articles 12-23) that can be used to directly or indirectly identify the person – a person’s name, photo, email address, bank details, social network posts, medical information, computer IP addresses etc.
A personal data breach isn’t a predictable event, or a single incident that occurs at a specific moment. As was evident from every single recent major attack – examples include Yahoo!, Target, NHS and Equifax – it is a carefully planned, multi-stage attack that happens over time, with organizations becoming aware of the breach long after the attack has begun, and in most cases, after the data theft.
Guess how long US companies take to detect a data breach? Well, according to the Ponemon 2017 Cost of a Data Breach Study, it’s an average of 201 – yes, 201 – days. That’s because attackers manage to evade existing defenses, remaining undetected for long periods of time. Moreover, analysts have limited visibility into threats lurking within their networks. SOC teams, struggling with both endless alerts (many of which turn out to be false) and a lack of qualified cyber analysts, can only manage to build a full-blown investigation when it is too little, too late.
GDPR: Who’s covered?
Well, practically every organization, if it has something to do with the private information of EU citizens. While the breadth of GDPR’s impact and information on audits and best practices will be known only when it goes into effect in May 2018, it’s clear that enterprises should already have started taking steps to strengthen network security to prevent data loss and meet compliance requirements. So, who ultimately is responsible for data protection and GDPR compliance?
| Who | What They Do | Examples |
|---|---|---|
| Data Controllers | Collect and use personal data, determine the purposes, conditions, and means in which personal data is processed | Doctors, politicians, government agencies, social networking sites and more |
| Data Processors | Process data under the direction of a data controller, but have no impact on the ways the data is collected | Payroll processing companies, data storage providers, hosting providers and more |
For data processors, GDPR demands specific data protection and data privacy requirements when it comes to personal data.
Who’s in charge?
A Supervisory Authority (SA), established in each EU Member State, has been tasked to enforce GDPR and monitor the application of GDPR rules to protect individual rights with respect to the processing and transfer of personal data within the EU.
What will non-compliance cost?
Actual enforcement processes and the full penalties are still uncertain at this point, but what is clear is that non-compliant organizations may face administrative fines of up to €20,000,000 or up to four percent of the entity’s global turnover, whichever is higher. While the uncertainty may be due in large part to each SA’s power to act independently and each Member State’s authority to determine sanctions for GDPR infringement, all SAs are expected to co-operate with each other and with the European Commission.
What does the 72-hour rule mean?
72 hours is the timeframe from breach awareness to full disclosure. When a personal data breach occurs, organizations have a 72-hour window to notify the SA of their EU Member State about the breach. They also must provide the SA information about the nature of the breach, its extent and likely consequences, and how the enterprise intends to address the breach, including full details of its response and mitigation efforts.
Moreover, GDPR requires multiple actions to take place within that 72-hour notification window – and each one is challenging enough to carry out even without the time limit. Tracing the breach across the organization, understanding when and how the attacker infiltrated the organization, knowing the path or paths the attack took once it was in, and identifying the data that was compromised are just some of the steps required in the investigation.
In addition, compiling the story of the breach demands not just proper investigation tools, but also the human resources needed to collect information and to run and manage the investigation.
What can you do now to ensure compliance?
As the number of alerts to investigate grows, so does the need to find skilled professionals. Recent numbers from Cyberseek talk about more than 285,000 open security positions in the United States alone, with Cisco estimating more than 1 million are open worldwide. According to the Center for Cyber Safety and Education, by 2022, there will be 1.8 million unfilled positions. The cyber analysts who are on the job are overwhelmed.
In the face of these obstacles to GDPR compliance, organizations must take a new approach. They need to consider solutions that can augment both their cyber analysts’ activities and the multitudes of security software already in place.
The capabilities below are only recommendations for winning the 72-hour race and ensuring GDPR compliance. They definitely do not serve as an insurance policy. Each business needs to assess, review and decide what it needs for its specific business operation. Key capabilities include:
Full visibility and holistic coverage – to continuously monitor network, endpoints and payload, gather intelligence, and provide complete visibility across the different stages of an attack, and ensure faster and earlier awareness of breaches.
Intelligence-powered detection – to allow retroactive investigations to find and stop malware that has evaded initial security tools and may have already infected the organization. The system must also provide contextual evidence from past events to ensure faster and more accurate automated investigation of alerts.
Retrospective investigation gives awareness and visibility into malware that evades initial security tools and allows you to stop previously unknown attacks that were not yet detected but already infected the organization. The profiling and patterns of previously known malicious activities, combined with profiling and patterns of legitimate behavior, are used to quickly and more accurately detect attacks and minimize false positives.
Automated investigations – to cut dependency on human resources on your path to becoming GDPR-compliant; address the shortage of skilled SOC analysts and consequent alert fatigue; and ensure accelerated investigation of the full scope of the incident.
Ability to investigate 100% of alerts – to fuse information from multiple detection engines and use automation and big data analytics to create meaningful conclusions – cutting analyst-required handling time and hastening breach awareness.
Unified, integrated-by-design investigation environment – presenting investigation workflows and attack timelines to provide the SOC analyst with a complete picture of the attack with insights and recommendations for attack mitigation, eliminating the long and cumbersome processes of step-by-step building of the attack storyline and recovery planning.
Finding and investigating data breaches has always been a “too little, too late” scenario, and the coming GDPR regulations aim to end it. Don’t wait until the last minute and risk some hefty fines; make sure you’re GDPR-compliant… now.