One year from today, the European Union (EU) General Data Protection Regulation (GDPR) will impose strict data breach disclosure regulations, requiring organizations to notify authorities within 72 hours of becoming aware of a data breach.
This will have real-world impact, and not just for EU member states. The EU GDPR also will impact multinational companies that offer products or services to EU residents, meaning chief information security officers (CISOs) around the world will need to understand and communicate the impact of the GDPR on both their security and business operations.
Unlike existing privacy regulations, the EU GDPR describes severe penalties for violations, including fines of up to €20 million, or up to four percent of the offending company's global annual turnover, whichever is higher. This may sound excessive, but attackers are becoming more sophisticated, and networks more complex.
The GDPR is a great step toward ensuring company-wide focus on information security and data protection — and might be the motivation some organizations need to change how they think about cybersecurity.
While complying with the regulation can be daunting, the effective implementation of appropriate security controls and processes will better protect the organization and the data of its customers. Knowing the network and understanding its exposure are the keys to reducing cyber-risk, and the critical first steps in improving overall security posture.
Businesses will need to spend the remaining twelve months ensuring that their cybersecurity program is ready and able to comply with the new regulation. Here are four of the most important steps for IT security professionals and CISOs to focus on as they strengthen their security programs and prepare for the incoming legislation:
Implement an information security framework
The GDPR stresses the importance of implementing “technical and organizational measures”. CISOs are increasingly turning to information security frameworks to guide their efforts to protect critical systems and data, and as such, this can be a great starting point for developing appropriate measures.
While the EU does not prescribe a particular framework, a company's adherence to the NIST Cybersecurity Framework (2014) and/or ISO/IEC 27001/27002 will make it far easier to demonstrate, in the event of a breach, that appropriate measures were in place. Leveraging an industry framework, like NIST or ISO, can help organizations identify, implement and enhance their cybersecurity practices and use a common language to communicate issues to stakeholders. Those companies that are not currently using a framework should consider doing so.
Identify personal data, including ‘special’ data
Under the EU GDPR, "personal data" is any information relating to an identified or identifiable natural person, and the regulation explicitly counts online identifiers among the ways a person can be identified. This is important because personal data under the new regulation may not appear in an obvious form: IP addresses, application user IDs, Global Positioning System (GPS) data, cookie identifiers and media access control (MAC) addresses can all qualify. Separately, the regulation defines "special categories" of personal data, such as health, genetic and biometric data, that require stricter handling. Organizations will need to be on the lookout for both.
One approach to address this is data discovery, which involves using both active scanning and passive network monitoring to locate unencrypted sensitive data. Once a store of personal data has been located, it can be triaged: remove the data if it is not needed, or apply controls such as encryption and access restriction if it is.
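As an added illustration of the discovery step (example code written for this page, not a Tenable tool or anything the article describes), the script below scans text such as exported logs for the identifier types listed above. Each regex hit is validated before it is reported, so that an invalid octet, a version string, a broadcast MAC or an out-of-range coordinate does not become a false finding. The cookie names and the `user_id=` key are assumed application conventions, and the sample log lines are constructed.

```python
"""Regex-based discovery of GDPR-relevant identifiers in text (added example)."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Finding:
    kind: str      # identifier type
    value: str     # matched value, normalized
    line_no: int   # 1-based line in the scanned text


# Identifier types the article names as personal data. The cookie names and
# the "user_id=" key are assumed conventions; adjust them for your applications.
PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "mac": re.compile(r"\b(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}\b"),
    "gps": re.compile(r"(?<![\w.-])(-?\d{1,2}\.\d{3,}),\s*(-?\d{1,3}\.\d{3,})(?![\w.])"),
    "cookie": re.compile(r"\b(?:sessionid|PHPSESSID|JSESSIONID)=([A-Za-z0-9]{16,})"),
    "user_id": re.compile(r"\buser_id=(\d+)\b"),
}


def _validate(kind: str, m: "re.Match") -> Optional[str]:
    """Return the value to record, or None if the match is not a real identifier."""
    if kind == "ipv4":
        try:
            ip = ipaddress.IPv4Address(m.group(0))
        except ValueError:            # octet above 255, e.g. a build/version string
            return None
        if ip.is_unspecified or ip.is_multicast or ip.is_reserved:
            return None               # 0.0.0.0, 224/4 and 240/4 identify nobody
        return str(ip)
    if kind == "mac":
        mac = m.group(0).lower()
        if mac in ("00:00:00:00:00:00", "ff:ff:ff:ff:ff:ff"):
            return None               # null and broadcast addresses
        return mac
    if kind == "gps":
        lat, lon = float(m.group(1)), float(m.group(2))
        if not (-90 <= lat <= 90 and -180 <= lon <= 180):
            return None               # not a coordinate pair
        return m.group(1) + "," + m.group(2)
    return m.group(1)                 # cookie value or user id


def scan_text(text: str) -> List[Finding]:
    """Scan text line by line and return every validated identifier found."""
    findings: List[Finding] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for kind, pattern in PATTERNS.items():
            for m in pattern.finditer(line):
                value = _validate(kind, m)
                if value is not None:
                    findings.append(Finding(kind, value, line_no))
    return findings


def summarize(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per identifier type, for a quick exposure overview."""
    counts: Dict[str, int] = {}
    for f in findings:
        counts[f.kind] = counts.get(f.kind, 0) + 1
    return counts


# Constructed sample log lines of the kind a discovery scan would read.
SAMPLE = """\
2017-05-25T10:02:11Z web-1 GET /account user_id=48213 src=203.0.113.45 sessionid=9f3c1b2a7d4e5f60a1b2c3d4e5f60718
2017-05-25T10:02:12Z dhcpd DHCPACK on 10.0.4.17 to 3c:52:82:1a:9b:cd (laptop-jsmith) via eth0
2017-05-25T10:02:13Z mobile-api checkin user_id=48213 loc=51.5074,-0.1278 ver=2.0.1
2017-05-25T10:02:14Z netscan host 0.0.0.0 mac ff:ff:ff:ff:ff:ff build=300.400.500.600
"""

if __name__ == "__main__":
    results = scan_text(SAMPLE)
    for f in results:
        print(f"line {f.line_no}: {f.kind:8} {f.value}")
    print(summarize(results))
```

Run against the sample, the fourth line produces no findings at all: the unspecified address, the broadcast MAC and the four-part build number are all rejected by validation rather than by the regex. In practice the same scanner would be pointed at file shares, database exports or packet captures, and each finding checked against whether the store is encrypted and who can read it.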
Include unknown or unauthorized assets
IT environments today are busy and dynamic, with traditional assets, containers, mobile and IoT devices all making the corporate network more difficult to secure. This added complexity and scale not only introduces new security risks, but can also undermine the organization’s compliance posture.
With new devices and applications constantly connecting to networks, it’s critical that organizations have complete visibility across their entire IT infrastructures. This is the only way to fully understand where they’re exposed, what the risks are and how to reduce them.
Validate security with certifications
EU certification bodies have begun work on an EU-wide seal that incorporates the requirements of the regulation, although there isn't a published timeline for the certification process. That said, it may resemble current certification processes, and companies should be able to leverage existing certifications, such as ISO/IEC 27001 or SOC 2. If considering investing in this type of certification, the GDPR is a good incentive to move forward.
While technology innovation and business operations have continued to evolve over the last twenty years, the industry’s security and privacy standards have not. The GDPR was designed to address this gap, forcing organizations to not only rethink, but readjust their approach to security.
It’s time for organizations to make security a board-level issue. Failing to make educated investments in security or continuing to ignore its impact on the bottom line will gravely impact the organization’s overall security and compliance posture.
This is part of a series of blogs, written exclusively for Infosecurity by Tenable.