GDPR- security vs privacy
Howard Roberts, Chief Technology Officer at Arkphire, will be a speaker at Ireland’s GDPR conference Dublin Data Sec 2018.
The General Data Protection Regulation (GDPR) places focus on the protection of Personally Identifiable Information (PII). While the regulation focuses entirely on PII, organisations must also consider data protection in a much wider context in order to protect critical data assets. PII should not be looked at in isolation as the only area of concern. It should now be considered as one more classification of critical asset that must now be appropriately handled. While security and privacy are closely aligned they are discretely separate issues. However, a robust security posture is a basic requirement in order to enable privacy.
There are 3 elements to be considered when assessing security posture in relation to GDPR (or any other regulation):
Technology is a key element but is only part of the picture. The key areas of focus for companies around the GDPR directive include:
- Data Classification
- Data Protection (Backup & Recovery, Encryption)
- Disaster Recovery
- Next Generation Firewalls, Intrusion Detection & Protection
- Identity & Access Management
- End-point and Advanced Malware Protection
- 24x7 Infrastructure & Security Monitoring & Management
Simple things that make a huge difference to security posture:
While there is a huge focus on technology solutions to enhance security posture the reality is that most breaches occur because of human error and/or infrastructure vulnerability due to weak patch management. Two things that make a real difference:
- Robust patch management
- End-user awareness training
In recent times we have seen many instances of ransomware and malicious code for which software providers had released security patches many months in advance of the attack. Patched systems were not vulnerable so why don’t people do it? The reality is that while robust patch management sounds simple it can be quite difficult to achieve without assistance. In many cases, it is resource constraints that lead systems being exposed to poor patching.
The need for focus on end-user security awareness cannot be over emphasised. No matter how much has been invested in security infrastructure, end users can unwittingly expose organisations. The threat landscape is becoming more and more complicated and as such it is vital for organisations to place focus on awareness training for end users as an on-going exercise while the threat landscape is constantly changing.
The above actions are basic preventative measures that all organisations should heed. It is impossible to be 100% secure, but it is possible to make yourself a hard target. In the current climate, the vast majority of attacks are opportunistic in nature. Should a breach occur it is incumbent on organisations to notify where the breach may affect personal data. The current average number of days between infection and detection is 260 days. This is a far cry from the requirements of the new GDPR directive for companies to notify within 72 hours. Many organisations struggle to understand how to meet such a short target. To have control it is vital that organisations have correct visibility.
Visibility is key
Many organisations have invested in multiple point solutions to enhance their security posture and many times with good cause. However, it is now becoming more and more difficult to understand the interaction between all these independent components. Arkphire assists organisations in this regard by bringing the right levels of visibility to allow detection time to be reduced to minutes rather than days, weeks or months. Appropriate action can then be taken to contain and remediate with a clear understanding as to exactly what happened and what systems and data were affected.