Be more GDPR compliant – tune up your Next Generation Firewall?

GDPR | Next Generation Firewall

Does effective cyber security protection and GDPR compliance mean that existing solutions will need replacing?

That depends on what you have deployed and how you have configured it. The changing nature of the cyber security threat does call for an agile and adaptable protection approach that will increasingly make use of automation and machine learning. In addition, the requirements of GDPR call for an effective cyber security regime that protects data effectively and has monitoring and detection systems in place.

 

A comprehensive approach requires multiple layers of protection, not just to address the different types and areas of threats but also to provide an element of redundancy. Threats that may not have been picked up by, say, your endpoint protection solution may be detected by your network layer security solution, for example. Research has indicated that most deployed security products have only 10% of their features enabled and correctly configured.

 

While some features just may not be relevant for a particular deployment, the main reasons why many businesses just don’t switch these features on include:

  • Difficulty configuring the features
  • Lack of adequate skill set
  • Concerns it will slow down performance
  • Don’t understand how the features will benefit them 

 

It’s worth flipping the conversation on its head and viewing things in terms of the benefits; once those are clear enough, turning on the required features becomes a no-brainer. We are overwhelmed with all kinds of statistics about the cost of cyber attacks – one startling US government figure indicates that 75% of small businesses suffer a cyber breach, while the cost of the average cyber attack is over $1m. So there are massive benefits to getting security right in terms of avoiding reputational damage and, worse still, severe financial costs or potential fines.

 

Going back to the original question – do you need to replace the solutions already deployed? First, you need to look at what you have, how it’s configured and how much more you can do with it.

 

A good area to start with is your firewall. If you have a well-featured Next Generation Firewall (NGFW) in place, you just need to make sure it is configured for maximum protection. Here are some of the features you need to enable to make it close to 90% effective – if you don’t enable them, it would be analogous to having keys to all your business premises’ doors and windows but leaving all but a few ajar.

1. Turn on Intrusion Protection Systems (IPS)

By default, your NGFW may have intrusion detection (IDS) enabled, but given that most people don’t understand the alerts even if they are monitoring them, it’s worth automating the protection by enabling IPS. You can implement an IPS to block attacks such as worms, viruses and downloadable exploits/attachments.

2. Enable network-based anti-virus protection

The feature uses deep packet inspection to identify threats. This is particularly useful as a second bite at stopping threats not picked up by endpoint security. Also, some devices such as IoT-type devices may be more vulnerable to such an attack but are unable to run anti-virus software.

3. Enable Malware protection

Malware may not be blocked by other technologies such as IPS or AV, and therefore a good anti-malware engine must be deployed to help in the fight against this principal threat. Next Generation Firewall malware protection features can include indications of compromise based on event correlation, site reputation and sandboxing reports.

4. Use security intelligence feeds

This feature enables integration of near real-time global intelligence feeds to identify and block bad domains and emerging malware sites before they cause damage.

5. Enable Sandboxing

Sandboxing is a useful tool in identifying and preventing attacks: it provides the ability to run and analyse executable code in an isolated environment. The results can be fed back to the NGFW to block or allow a file.

6. User and Application Control

Compliance regulations mandate auditing capability that logs who, what, when users are accessing systems. You can configure a Next Generation Firewall to log and control what your users are doing and when they are allowed to. Importantly it can also manage and minimise the impact of non-productivity applications such as Netflix during business hours. 

7. Web Filtering and Protection

Blocks individual sites or categories that are either suspect or have no business relevance e.g. adult content, job portals etc. Suspect sites are also commonly used to inject malware onto unsuspecting visitors.

8. Segmentation of the network

Segment your internal networks into logical groups and protect each segment via an interface on your Next Generation Firewall. That way you will protect against lateral spread if a virus/malware gets in.

9. Log everything

A logging solution should be in place and logs from all critical assets sent to the logging solution. This will provide an invaluable tool for any future analysis, especially when a breach occurs.

 

 

If you are not utilising the above capabilities it will leave you susceptible to threats that could otherwise have been mitigated. Make sure your security team is familiar with Next Generation Firewall capabilities and take full advantage of the available features to ensure your network is protected against the full spectrum of threats. Get more bang for your NGFW buck.

Free eBook: A View of the Cybercrime Threat Landscape

 

$2,235,018 per year

The average amount SMBs spent in the aftermath of a
cyber attack or data breach due to damage or theft of IT
assets and disruption to normal operations.

The amount is staggering, and enough to jeopardize the viability of
many companies. Yet the business benefits that come with the internet,
Cloud computing and other applications are impossible to forego
and remain competitive.

That’s why business owners and executives are asking one question:

  • Is our internet safe?

If your service provider can’t demonstrate how it is making your
company less likely to become a victim of cybercrime, then it is time
to consider alternatives.

In this eBook, we’ll outline what companies are up against
today, and how Cisco Umbrella can help bring you peace of mind.

Download the eBook here!

5 Takeaways from the Carphone Warehouse Breach

The Carphone Warehouse breach is the biggest so far announced in the post GDPR era.

What are the salient points to note from this breach? 

  1. 6 million records accessed 
  2. NCSC, ICO, FCA investigating 
  3. 3 million records accessed in 2015 breach 
  4. Cyber security risk identified by board in last FY report 
  5. If GDPR applies, maximum fine of £420m could apply 

 

A recently announced massive cyber attack at Dixons Carphone Warehouse has resulted in significant unauthorised access to millions of records including personal data. It appears that two breaches occurred which resulted in:

 

  • 6 million customer records being stolen including 5.9 million payment card details  
  • 1.2 million customer records including name, address, email 

 

In January Carphone Warehouse were fined £400,000 for a breach that occurred in 2015 when 3m customer records (including personal details) and 1,000 employee records were stolen. 

 

Dixons say the breach was only discovered in the week leading up to the announcement and that it actually occurred in July 2017. Under the Data Protection Act they would be liable to a maximum fine of £500,000. Under the new GDPR regulation the fine could rise to a maximum of £420m based on last year’s global turnover of £10.5bn.

 

In their most recent report, Dixons identified information security as a risk and their potential vulnerability to malware and cyber attacks. They identified potential consequences that could include reputational damage, reduced cash flow, financial penalties, reduced revenue and profitability, loss of competitive advantage. Dixons did appear however to be heading in the right direction to manage the risk ensuring senior management oversight including a Strategic Improvement Plan and increased investments targeted at managing the information/cyber security risk. 

 

The independent regulator the ICO is investigating the current breach along with the FCA and NCSC. The ICO has said it is yet to determine whether GDPR or the 1998 Data Protection regulations will apply. 

 

The NCSC is working on how the breach has impacted UK citizens and what measures can be taken to prevent such a breach re-occurring. They have also published guidance on what to do for people who think they have been affected by the breach. 

 

The CEO Alex Baldock has apologised saying that they have fallen short of expected standards. He confirmed that they have called in cyber experts to investigate as well as relevant authorities and the unauthorised access has now been blocked. 

 

Anyone affected or concerned about their personal data being accessed and how it could be used should contact Action Fraud. 

 

The breach came to light as a result of a massive attempt to compromise the cards in a card processing system; this means that someone tried to use the card details to take unauthorised payments.

 

Dixons shares fell 6% following the announcement of the breach. 

 

Useful Resources

GDPR Readiness Test [Checklist]
GDPR 12 Step to take NOW [Infographic] 
9 Steps to Implement a Security Management Tool [eBook]

 

 

How to protect your information assets with technology

Having GDPR compliant processes and procedures is an essential and fundamental part of ensuring a robust data security and management regime is implemented in your organisation. Another crucial and as important component of compliance is having the right tools in place that will support the necessary management, security and monitoring of data assets. This means that you will need to have information at your fingertips about what is happening with your data and your IT infrastructure in general. The technology assets can be quite extensive depending on your environment, but we will focus on just a few elements which are network and device centric. Additional controls will inevitably exist at the application and database level of your infrastructure.
GDPR requirements include breach detection and notification and this is an area where most organisations will need to dramatically improve their approach. Given that most successful breaches steal data within hours while the average time to detect is approaching 100 days, you can see there is a large gap that needs to be bridged. While there may not be the available investment of skilled resources to bridge the gap instantaneously, there are some basic and effective starting points that could bring dramatic and immediate benefits.

Endpoint Security

An effective endpoint security solution will monitor and block threats from compromising the endpoint and propagating across your network. Today’s endpoint security must go beyond traditional anti-virus due to the sophistication and ever changing nature of cyber attacks. Systems based only on known attacks will be ineffective, as malware is able to adapt and evade signature-based detection. An advanced endpoint security solution can analyse suspicious files and interrogate up-to-the-second threat intelligence information in the cloud to block attacks that a conventional solution would not notice.
Enhancing endpoint security is, therefore, a quick win for organisations looking to significantly improve their security posture at a relatively low cost.

Perimeter Security and threat management

Ask yourself this question: do you know what data traffic is coming in or going out of your network? Do you have visibility of what is happening?
Perimeter security has for a long time been about blocking incoming traffic and less about seeing what is going out. Most attacks will rely on data exfiltration as well as callbacks to sites hosting malware. Implementing effective perimeter security and advanced threat management will go a long way to dramatically reducing the unwitting interaction between an organisation’s users or endpoints and known malware sites. Such a solution must also be good at blocking attempted intrusions as well as scanning file content for threats before allowing access. Many organisations still have traditional firewalls or have purchased newer devices with advanced features which are yet to be enabled. With the increased regulatory regime of GDPR, it is imperative that the necessary levels of security and threat management are implemented on these platforms. If they do not have the capabilities, they simply need to be replaced with platforms that have a chance of providing protection in the ever changing threat landscape.
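The egress visibility point above, together with the "security intelligence feeds" item in the NGFW list earlier on the page, as an added example that is not code from the original article or from any firewall vendor: it parses constructed NGFW-style connection log lines, matches outbound destinations against a constructed reputation feed of known-bad domains, and totals outbound bytes per internal host so that unusually heavy egress stands out. The log layout, the `.invalid` domain names, the feed contents and the 10 MB threshold are all assumptions made for the example.

```python
import ipaddress
import re
from collections import defaultdict

# Internal address space for this constructed example (the RFC 1918 ranges).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed NGFW connection log lines in a syslog-like layout; not any vendor's real format.
SAMPLE_LOGS = """\
2018-06-14T09:02:11Z allow src=10.20.1.15 dst=93.184.216.34 dport=443 host=example.com bytes_out=1840
2018-06-14T09:02:40Z allow src=10.20.1.15 dst=203.0.113.77 dport=443 host=update-cdn.invalid bytes_out=52000000
2018-06-14T09:03:05Z allow src=10.20.1.22 dst=198.51.100.9 dport=80 host=bad-c2.invalid bytes_out=512
2018-06-14T09:03:30Z allow src=10.20.1.22 dst=198.51.100.9 dport=80 host=bad-c2.invalid bytes_out=498
2018-06-14T09:04:00Z allow src=10.20.1.30 dst=192.0.2.10 dport=443 host=mail.example.org bytes_out=2200
2018-06-14T09:04:30Z allow src=10.20.1.30 dst=10.20.5.8 dport=445 host=fileserver.corp bytes_out=900000
this line is garbage and must be skipped
"""

# Constructed reputation feed of known-bad domains (stands in for a vendor intelligence feed).
BAD_DOMAINS = {"bad-c2.invalid", "malware-drop.invalid"}

# Assumed threshold: total outbound bytes per source host above which egress is flagged.
EGRESS_THRESHOLD_BYTES = 10_000_000

LINE_RE = re.compile(
    r"(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) host=(?P<host>\S+) bytes_out=(?P<bytes>\d+)$"
)


def parse_logs(text):
    """Parse log lines into dicts; malformed lines are skipped rather than aborting the run."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["dport"] = int(ev["dport"])
        ev["bytes"] = int(ev["bytes"])
        events.append(ev)
    return events


def is_internal(ip_text):
    ip = ipaddress.ip_address(ip_text)
    return any(ip in net for net in INTERNAL_NETS)


def is_outbound(ev):
    """Outbound = internal source talking to a destination outside the internal ranges."""
    return is_internal(ev["src"]) and not is_internal(ev["dst"])


def find_callbacks(events, bad_domains):
    """Outbound connections whose destination host name appears on the reputation feed."""
    return [ev for ev in events if is_outbound(ev) and ev["host"].lower() in bad_domains]


def find_heavy_egress(events, threshold=EGRESS_THRESHOLD_BYTES):
    """Sum outbound bytes per internal source and return those at or above the threshold."""
    totals = defaultdict(int)
    for ev in events:
        if is_outbound(ev):
            totals[ev["src"]] += ev["bytes"]
    return {src: total for src, total in totals.items() if total >= threshold}


def report(text=SAMPLE_LOGS, bad_domains=BAD_DOMAINS):
    """Run both checks over a log text and return the findings."""
    events = parse_logs(text)
    return {
        "callbacks": [(ev["ts"], ev["src"], ev["host"]) for ev in find_callbacks(events, bad_domains)],
        "heavy_egress": find_heavy_egress(events),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(key, value)
```

On the constructed sample the two connections from 10.20.1.22 to bad-c2.invalid are reported as callbacks, and 10.20.1.15 is reported for heavy egress; the internal SMB transfer to 10.20.5.8 is not counted as egress because both ends are inside the internal ranges. A real deployment would replace the embedded feed with the NGFW's own intelligence feed and feed the findings into the logging solution rather than printing them.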

Event Logging and Management

Good IT management will necessitate a security event management tool. The tool will prove invaluable for monitoring, reporting on and investigating IT-related activity in an organisation. It can be an effective tool in detecting and preventing attacks by correlating activity and alerts from a number of sources, thus aiding in determining the chronology and scope of a security event and its root cause. The event management tool will also play a key role in supporting any reporting into a breach, because the logs can be analysed to determine the sequence of events and the scope of a breach. This will support efforts associated with the reporting requirements of GDPR for notifying the authorities of breaches.
Correctly specified and implemented technology will have a major role to play in achieving and maintaining good data security standards.

Useful Resources

Related Blogs

GDPR compliance: technology and data handling explained

What is GDPR? 6 questions you need to answer before the deadline

Will GDPR protect your personal data?

GDPR compliance: technology and data handling explained

The GDPR regulation is ultimately about good data/information management and governance. Though many organisations acknowledged previous iterations of data protection regulation, GDPR demands that everyone step up their game and take responsibility or face severe consequences. The innovative use of technology aligned with the data handling processes and procedures will go a long way to achieve and maintain GDPR compliance.
Compliance with GDPR has strong data governance at its foundation.
Data governance should have executive ownership at its core and necessitates that strong commitment is communicated and actioned. It involves auditing and risk management where data is identified, classified and managed in a controlled manner. Technology can inevitably be used to automate and scale this process, especially where data volumes are extensive.

Data analysis and classification

One of the early steps on the GDPR journey is the analysis of data that is held, and identification and tagging of personal data. Organisations may hold a combination of structured and unstructured data, oftentimes data is held in multiple locations as multiple copies of records are made. Once identified, organisations will need to tag personal data and link pieces of data together that relate to the same individual. Systems will then also need to manage the consent element of GDPR enabling all data being held to be collated in accordance with access and consent requirements of GDPR.
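One way to start the analysis and tagging step described above, as an added example that is not code from the original article: scan a constructed mix of structured (CRM) and unstructured (helpdesk, wiki) records for two personal-data patterns, tag each record with what was found, and link records that mention the same e-mail address to one individual. The records, the simplified UK mobile-number pattern and the choice of e-mail address as the linking key are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample records; names, addresses and numbers are invented.
SAMPLE_RECORDS = [
    {"source": "crm", "id": "c1", "text": "Jane Smith, jane.smith@example.com, 07700 900123"},
    {"source": "helpdesk", "id": "t17", "text": "Caller Jane (jane.smith@example.com) asked to update address."},
    {"source": "crm", "id": "c2", "text": "Bob Jones, bob@example.org, +44 7700 900456"},
    {"source": "wiki", "id": "w3", "text": "Firewall maintenance window Saturday 02:00-04:00"},
]

# Personal-data patterns used for tagging. The phone pattern is a simplified UK mobile
# format (07xxx xxxxxx or +44 7xxx xxxxxx) chosen for the constructed sample, not a
# complete validator.
PATTERNS = {
    "email": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
    "phone_uk": re.compile(r"(?:\+44\s?7\d{3}|07\d{3})\s?\d{6}\b"),
}


def tag_record(record):
    """Return {pattern_name: [matches]} for every personal-data pattern found in the text."""
    tags = {}
    for name, pattern in PATTERNS.items():
        found = pattern.findall(record["text"])
        if found:
            tags[name] = found
    return tags


def discover(records):
    """Tag every record; records with no personal data are left out of the result."""
    tagged = []
    for record in records:
        tags = tag_record(record)
        if tags:
            tagged.append({"source": record["source"], "id": record["id"], "tags": tags})
    return tagged


def link_by_email(tagged):
    """Group tagged records by (lower-cased) e-mail address so that every copy of one
    individual's data, across systems, can be found from a single key."""
    links = defaultdict(list)
    for item in tagged:
        for email in item["tags"].get("email", []):
            links[email.lower()].append(f'{item["source"]}:{item["id"]}')
    return dict(links)


if __name__ == "__main__":
    found = discover(SAMPLE_RECORDS)
    for item in found:
        print(item["source"], item["id"], item["tags"])
    print(link_by_email(found))
```

The wiki record carries no personal data and is dropped; the two records that mention jane.smith@example.com are linked to one individual, which is the index a subject access or erasure request would later be served from.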

Data management and security

Systems need to be in place that manage data quality throughout its lifecycle. Data location needs to be accurate, duplicates need to be detected, and records need to be accurate and updated, including corrections, amendments and deletions when requested, including backup copies which are no longer required.
To support the data security requirements, system functionality needs to be in place that manages data records, including encryption, deduplication, backup, deletion and providing access to complete records in a transferable manner. Applications that manage the data also need to be secure, ensuring that user access policies are enforced and users do not get access to data they are not authorised to see. Manual processes are likely to be inadequate and therefore technology will inevitably need to be in place to support this requirement.
In a cloud environment, this will need to be provided by cloud providers whose systems are GDPR compliant. The organisation, however, will still be responsible for securing the data and policing user access irrespective of the cloud provider’s security controls. For an on-premise scenario, the organisation will have total responsibility for ensuring the systems are in place.

Breach detection, response and reporting

GDPR requires that certain types of breaches are notified to the relevant authorities within 72 hours of the breach occurring. The notification will also require details of the breach such as: how many records were accessed, mitigating measures to counter the breach, consequences of the breach, risks to the individual, and categories of data breached. To fully comply with this requirement, organisations will need to have excellent cyber security protection mechanisms and controls in place. This will include at least the following components:
  • Network Security to ensure only authorised devices are able to access the networks
  • User authentication mechanisms to ensure only authorised users have access to systems
  • Intrusion Prevention Systems that detect and block unauthorised network access
  • Monitoring systems to identify and alert if unauthorised activities are detected
  • Logging capabilities to ensure all activity is logged and the information is available to undertake a forensic investigation should the need arise
These are just a few areas where technology applied effectively will greatly assist with GDPR compliance. Implementing the above technologies may well require additional investment if the systems are not yet in place, or it may just be a case of fine-tuning and optimising systems that are already in place.
Inevitably changes need to be made if anything more than lip service is to be paid to GDPR. There is, however, a positive spin on GDPR because it’s not about preventing business but about handling data properly, which must be a good thing for all concerned.

What is GDPR? 6 questions you need to answer before the deadline

Why is GDPR necessary?

Regulations such as GDPR have come about as a consequence of technology. The increasing storage of private data over decades has led to concerns over individual privacy. Technology has meant that there is a risk that privacy could be trampled on or sensitive user data accessed inappropriately.
Worse still, data could be stolen and used for criminal activity. In essence, regulation ultimately is about protecting individual privacy and individual rights from abuse or misuse of technology.

Why has technology become a problem?

Technology has been deployed over the decades initially as a solution to a business problem. Latterly, technology has been deployed as a fundamental part of the business fabric without which most businesses would cease to operate. In the age of digitisation technology in some instances is the business. Technology has however been deployed in a haphazard manner without security at its core and in many instances, organisations are playing catch up as opposed to having security as part of their core design.

So how is GDPR different to other regulations?

GDPR aims to compel organisations to protect individual privacy by ensuring that those handling the sensitive data are competent: storing only the data that is essential, enforcing a policy that only allows access to the relevant people, and having systems in place to protect against and detect unauthorised access.
GDPR gives real teeth to data regulators in terms of enforcement powers including significant fines. It also extends responsibility globally to anyone who processes EU citizens data.

What do businesses need to do to comply with GDPR?

In order to comply with GDPR regulation, organisations need to do the following:
  • Awareness – ensure everyone in your organisation knows about GDPR
  • Information – document what personal data you hold and where
  • Privacy and rights – ensure procedures cover individual rights
  • Subject access requests – update procedures to handle access requests
  • Lawful basis – identify your lawful basis for processing data
  • Consent – review how you manage consent
  • Minors – ensure you have consent for minors
  • Breaches – ensure you have a plan and procedures to detect and report them
  • Impact assessment – plan to undertake these in accordance with ICO guidelines
  • Data Protection Officer – designate a DPO within your organisation
That is it in a nutshell. It is obviously much more involved in practice. The Information Commissioner’s website is a great resource for understanding what needs to be done and how to do it.

What are the benefits of becoming GDPR compliant?

Achieving compliance with GDPR will have a number of direct and indirect benefits. Firstly there will be a cost associated with achieving compliance which will likely involve resources of time and money.
Being compliant, however, is a strong indication that the organisation is processing data in a robust way compliant with best practices. This should mean that organisations are:
  • More likely to protect sensitive data and thus individual privacy and rights
  • Less likely to be breached as they will have better security in place
  • More likely to detect security breaches
  • Able to respond satisfactorily to individuals’ information requests
There is an increasing trend amongst organisations that are now requiring their supply chain to confirm their compliance with GDPR. This will become a differentiator enabling GDPR compliant organisations to be viewed more credibly.

What are the consequences of not complying with GDPR?

Non-compliance with GDPR can have quite severe consequences over time. This could include being excluded from business opportunities as well as the likely punitive measures that may result from an ICO investigation if an organisation has been found wanting in its approach to compliance.
Analysts are also predicting that after PPI claims expire next year, GDPR breaches will spawn a new chapter in the claims culture that could run for decades. Compliance with GDPR should be seen as a business opportunity and approached positively in terms of the benefits that it might bring to organisations.

Useful Resources

GDPR Readiness Test [Checklist]
GDPR 12 Step to take NOW [Infographic] 
9 Steps to Implement a Security Management Tool [eBook]

Will GDPR protect your personal data?

I hope that this news is not scary, but we are less than 2 months away from GDPR coming into force. A recent government cyber breach survey highlighted some interesting facts about the GDPR preparedness of the UK business community.

 

The research was conducted across a sample of around 1500 businesses spanning all sectors from micro-business to large enterprise. While the trend was not necessarily surprising, what was surprising was the response of businesses like yours in the medium-size sector. Here are some numbers that may or may not surprise you.

 

33% of medium-sized businesses have NOT heard of GDPR

52% of medium-sized businesses have NOT made changes/prepared for GDPR

50% of medium-sized businesses have NOT made cyber-specific preparation for GDPR

 

The results for each sector are outlined in the tables below.

[Tables of results by sector: not reproduced in this copy of the post]

Recall that GDPR is relevant for all organisations that hold personally identifiable data. This does not just relate to customers, it also relates to staff. If you employ people it’s a fair guess that you hold personally identifiable data on your staff.

 

Given that we are less than 2 months away, what does this mean for our personal data if around half of businesses aren’t doing anything about complying with the new standards? I think I would rather not think about that for too long. Let’s just review the steps that organisations need to take, as outlined in one of our previous articles. We re-iterate them below and have also included some useful links that can take you a long way towards understanding:

 

  • What the regulation requires of you
  • How to get started
  • Where you can get help

 

 

GDPR 12 steps that you can take right now

 

A really useful starting point is contained in the Information Commissioner’s website, which provides a range of resources explaining GDPR and how organisations can go about preparing to comply with it.

 

Their 12 steps guide covers the initial activities that can be started immediately and includes:

 

  • Awareness of Decision Makers
  • Information Audit
  • Update Privacy Notices
  • Procedures for Individual Rights
  • Subject access requests procedures
  • Consent procedures
  • Under-age Consent Procedures
  • Privacy Impact Assessments
  • Data Protection Officer
  • International Implications

 

The guide is summarised below for convenience.

 

Layout of the 12 steps

 

  1. Awareness

You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.

 

  2. Information you hold

You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.

 

  3. Communicating privacy information

You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.

 

  4. Individuals’ rights

You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.

 

  5. Subject access requests

You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.

 

  6. Lawful basis for processing personal data

You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.

 

  7. Consent

You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.

 

  8. Children

You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.

 

  9. Data breaches

You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.

 

  10. Data Protection by Design and Data Protection Impact Assessments

You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.

 

  11. Data Protection Officers

You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.

 

  12. International

If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Checklist: GDPR Test Your Readiness

GDPR requires organisations to have a plan along with the necessary process and controls to detect a data breach, regularly evaluate the effectiveness of security practices, and document evidence of compliance.

This checklist is an easy way of seeing how prepared you are to meet these new requirements

Download: GDPR Self assessment

Infographic: GDPR 12 Steps You Can Take NOW

Click Here to Download the PDF: GDPR 12 Steps That You Can Take Right Now

 

So now we know what it is and what it means, this week we take a look at what we should do about it. A really useful starting point is contained in the Information Commissioner’s website, which provides a range of resources explaining GDPR and how organisations can go about preparing to comply with it.


In our next blog we will discuss some of the technical implications borne out of GDPR compliance.

 

Speak to one of our Experts?

We help businesses of all shapes and sizes in protecting their vital IT assets. For a consultation with our team as to how we can help protect you from a cyber breach, simply get in touch for a free, no-obligation conversation. Alternatively, our free downloadable guide offers more insight into avoiding (and surviving) a cyber-attack.

GDPR: 9 Steps to Implement a Security Mgmt Tool

Download the PDF Version (GDPR Get Prepared SIEM Checklist)

Background

The General Data Protection Regulation (GDPR), officially known as REGULATION (EU) 2016/679, will come into force on 25th May 2018. The regulation covers the protection of natural persons with regard to the processing of personal data and the free movement of such data. It builds on existing data protection legislation such as the UK Data Protection Act 1998, the Belgian Privacywet and the German Bundesdatenschutzgesetz (BDSG).

The regulation will affect the vast majority of businesses as most businesses today hold personal data, even if it’s only HR data. A significant change is that it will put data processors under significantly more legal liability if a breach occurs.

Breaches will need to be reported within 72 hours and the report must include information such as:

  • The nature of the personal data breach including, where possible:
  • A description of the likely consequences of the personal data breach; and
  • A description of the measures taken, or proposed to be taken, to deal with the personal data breach and, where appropriate, of the measures taken to mitigate any possible adverse effects.

 

If the breach is sufficiently serious to warrant notification to the public, the organisation responsible must do so without undue delay.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place. The following sections of this booklet outline a checklist for implementing a robust security information and event management (SIEM) platform, which will be a core component of a GDPR-compliant security strategy.

 

  1. Implement a Security Information and Event Management Tool (SIEM)

A SIEM is a fundamental security tool for many organisations.

Implementation of a SIEM helps companies monitor all users and system activity to identify suspicious or malicious behaviour. This is achieved by centralising logs from applications, systems, and the network and correlating the events to alert where unexpected activity is detected.

You can then investigate the cause of the alarm and build up a view of what has occurred by determining if a particular attack method was utilised, looking at related events, source and destination IP address, and other details.

Article 30 of GDPR states that each controller, and where applicable, the controller’s representative, shall maintain a record of processing activities under its responsibility.

You must also take into consideration data stored or processed in cloud environments. If personal data is in the cloud, it is within the scope of GDPR, and therefore it is beneficial for the SIEM tool to maintain a record of activity across your public and private cloud infrastructure as well as on premises.

  2. Create a Log of Critical Assets that Store/Process Sensitive Data

GDPR covers all IT systems, network, and devices, including mobile devices, making it essential that you account for all assets across your infrastructure and understand where personal data is held.

It’s important to record all assets and locations that process or store personal data. It’s also worth noting that your company could be exposed to attacks and regulatory fines if employees process or store personal data on unapproved devices.

Without strong governance practices in place, it can be easy to lose track of assets.

It is important to sample your systems, networks, and data stores to determine if personal data is exposed outside your defined data flows and environments.

Keep in mind that this is a process. Records will need to be updated on an ongoing basis as your business and technology changes.
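As an added example (not code from the original booklet), here is the kind of correlation rule a SIEM runs over the centralised auth logs described in step 1, enriched from the asset register this step asks you to maintain so that each alarm says at once whether a personal-data system is involved and when the 72-hour notification window closes. The addresses, asset names, events and threshold values are all constructed placeholders.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed asset register (placeholder addresses and names, not a real inventory).
# Every system that stores or processes personal data is tagged so alerts can be scoped.
ASSETS = {
    "10.0.5.20": {"name": "crm-db-01", "personal_data": True},
    "10.0.5.21": {"name": "hr-app-01", "personal_data": True},
    "10.0.9.7":  {"name": "build-01",  "personal_data": False},
}

# Constructed events, already normalised to one schema as a SIEM would hold them
# after collecting authentication logs from several hosts.
EVENTS = [
    {"ts": "2018-05-25T02:00:05", "src": "203.0.113.9", "dst": "10.0.5.20", "outcome": "fail"},
    {"ts": "2018-05-25T02:00:20", "src": "203.0.113.9", "dst": "10.0.5.20", "outcome": "fail"},
    {"ts": "2018-05-25T02:00:35", "src": "203.0.113.9", "dst": "10.0.5.20", "outcome": "fail"},
    {"ts": "2018-05-25T02:01:00", "src": "203.0.113.9", "dst": "10.0.5.20", "outcome": "success"},
    {"ts": "2018-05-25T03:10:00", "src": "198.51.100.4", "dst": "10.0.9.7", "outcome": "fail"},
    {"ts": "2018-05-25T03:10:10", "src": "198.51.100.4", "dst": "10.0.9.7", "outcome": "fail"},
    {"ts": "2018-05-25T03:10:20", "src": "198.51.100.4", "dst": "10.0.9.7", "outcome": "fail"},
    {"ts": "2018-05-25T03:10:30", "src": "198.51.100.4", "dst": "10.0.9.7", "outcome": "success"},
    {"ts": "2018-05-25T04:00:00", "src": "192.0.2.77", "dst": "10.0.5.21", "outcome": "fail"},
    {"ts": "2018-05-25T04:00:10", "src": "192.0.2.77", "dst": "10.0.5.21", "outcome": "fail"},
    {"ts": "2018-05-25T04:00:20", "src": "192.0.2.77", "dst": "10.0.5.21", "outcome": "success"},
]

FAIL_THRESHOLD = 3                          # failures before a following success is suspicious
WINDOW = timedelta(minutes=10)              # sliding correlation window
REPORTING_DEADLINE = timedelta(hours=72)    # GDPR notification window, counted from awareness

def correlate(events, assets=ASSETS):
    """Rule: at least FAIL_THRESHOLD failed logins from one source to one host
    inside WINDOW, followed by a success on that same host. Each alarm is
    enriched from the asset register so the analyst sees at once whether a
    personal-data system is involved and when the notification window closes."""
    alarms = []
    history = defaultdict(list)             # (src, dst) -> (timestamp, outcome) inside the window
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        key = (ev["src"], ev["dst"])
        recent = [e for e in history[key] if ts - e[0] <= WINDOW] + [(ts, ev["outcome"])]
        history[key] = recent
        fails = sum(1 for _, outcome in recent if outcome == "fail")
        if ev["outcome"] == "success" and fails >= FAIL_THRESHOLD:
            asset = assets.get(ev["dst"], {"name": "unregistered", "personal_data": None})
            alarms.append({
                "rule": "bruteforce_then_success", "src": ev["src"], "dst": ev["dst"],
                "asset": asset["name"], "gdpr_scope": asset["personal_data"],
                "detected": ts.isoformat(),
                "report_by": (ts + REPORTING_DEADLINE).isoformat() if asset["personal_data"] else None,
            })
            history[key] = []               # reset so one campaign raises one alarm
    return alarms
```

An unregistered destination surfaces as `gdpr_scope: None`, which is itself a finding: the asset register is incomplete.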

  3. Undertake Vulnerability Scanning

To identify where weaknesses exist that could be exploited.

New vulnerabilities in systems and applications arise almost daily.

It is essential that your organisation stays on top of these weaknesses with regular vulnerability scanning.

These vulnerabilities may exist in software, system configuration, in business logic or processes. It is essential to consider all aspects of vulnerabilities and where they can exist.

However, simply finding a vulnerability is often not enough.

There are multiple factors that need to be considered such as whether the systems are in accordance with GDPR and what the business-criticality is, whether intrusions have been attempted, and how the vulnerability is being exploited by attackers in the wild.

Effective vulnerability assessment requires continuous scanning and monitoring of critical assets where personal data is stored or processed. It is equally as important to monitor cloud environments in addition to on-premises environments.

  4. Conduct Risk Assessments

To identify where weaknesses exist that could be exploited.

The use of an information security framework can assist by providing a starting point for organisations to better understand the risks facing the business.

Article 35 of GDPR requires organisations to conduct a data protection impact assessment (DPIA) or similar, whereas Article 32 requires organisations to “implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Existing frameworks such as NIST, ISO / IEC 27001, or similar standards can assist companies in undertaking and supporting the DPIA process.

While GDPR does not specify a framework for risk assessments or threat modelling, a company’s adherence to any well-established and internationally recognised standard will make demonstrating compliance with Articles 32 and 25 much more likely in the event of a breach.

  5. Regularly Test

To gain assurance that security controls are working as designed.

GDPR asks for a process for regularly testing, assessing and evaluating the effectiveness of the technical and organisational measures that ensure the security of the processing.

Assessing and evaluating the effectiveness of security controls is by no means an easy feat. Usually, the larger the IT environment, the more disparate the technology stack, and the more complex the environment. Thus, the harder it is to gain assurance.

Three broad techniques exist to validate the effectiveness of security controls:

  1. Manual assurance. This involves audits, assurance reviews, penetration testing and red-team activities.
  2. Consolidated and integrated security products, so that fewer point products need to be managed and reported on.
  3. The use of automated assurance technologies.

With these methods, you can gain a measure of assurance that your systems are secured as intended. However, it is worth remembering that assurance is not a one-time effort, rather an ongoing, repeatable process.

  6. Ensure Threat Detection Controls are in Place

To reliably inform you in a timely manner when a breach has occurred.

GDPR requires organisations to report a breach to the regulatory body within 72 hours of becoming aware of it.

For high-risk events, the controller must notify data subjects without any delay. The typical time-to-compromise continues to be measured in minutes, while time-to-discovery remains in weeks or months. In such circumstances, it’s essential to have comprehensive threat detection capabilities that can detect issues as soon as they occur.

Threats can occur internal to the company or externally and can be on-premises or in cloud environments. This makes it important to be able to collect and correlate events quickly as well as supplement the information with reliable threat intelligence to stay on top of emerging threats.

There is not one place or tool that will be suitable for all purposes. At times a threat is discovered on the endpoint, the perimeter, or by analysing internal traffic. In this case, controls should be placed accordingly in the environment to increase the chance of detecting threats as soon as they occur.

  7. Monitor Network and User Behaviour

To identify and investigate security incidents rapidly.

GDPR is focused on ensuring that citizen data is gathered and used appropriately, for the purposes that were stated.

Therefore, it is important to focus not just on external threats or malware, but also to detect whether users are accessing data appropriately. Context is critical when evaluating system and network behaviour.

For example, an abundance of Skype traffic in the network used by your inside sales team is probably a normal part of operations. However, if the database server that houses your customer list suddenly shows a burst of Skype traffic, something is likely wrong.

There are many methods that can be deployed to monitor behavioural patterns. One method is to utilize NetFlow analysis, which provides the high-level trends related to what protocols are used, which hosts use the protocol, and the bandwidth usage. When used in conjunction with a SIEM, you can generate alarms and get alerted when your NetFlow goes above or below certain thresholds.
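An added illustration of the behavioural baselining described above (not code from the original booklet): hourly NetFlow byte totals per host and destination port are turned into a per-host baseline, and the latest interval is checked against it for traffic above or below the host's own norm and for the "database server suddenly chatting" case. The hosts, the chat port number and all byte counts are constructed placeholders.

```python
import statistics
from collections import defaultdict

# Constructed placeholders: a sales workstation, the customer database server and
# an arbitrary port standing in for the chat/VoIP application (not Skype's real ports).
SALES_PC, DB_SERVER, CHAT_PORT, PG_PORT = "10.0.3.15", "10.0.5.20", 5000, 5432

# Constructed baseline: 24 hourly flow summaries per host, shaped like a NetFlow
# collector's export, (hour, src_host, dst_port, bytes). The sales PC chats all
# day; the database only ever talks PostgreSQL (port 5432).
BASELINE_FLOWS = []
for h in range(24):
    BASELINE_FLOWS.append((h, SALES_PC, CHAT_PORT, 50_000_000 + (h % 5) * 1_000_000))
    BASELINE_FLOWS.append((h, DB_SERVER, PG_PORT, 20_000_000 + (h % 3) * 500_000))

def build_baseline(flows, n_hours):
    """Aggregate raw flow records into (host, port) -> list of hourly byte totals,
    zero-filled so quiet hours count towards the mean and deviation."""
    series = defaultdict(lambda: [0] * n_hours)
    for hour, host, port, nbytes in flows:
        series[(host, port)][hour] += nbytes
    return dict(series)

def detect(baseline, current, k=3.0, new_port_floor=5_000_000):
    """current maps (host, port) -> bytes seen in the latest interval.
    Alarm when a host exceeds or drops below mean +/- k standard deviations
    of its own history, or when a protocol it has never used before appears
    with more than new_port_floor bytes (the database suddenly 'chatting')."""
    alarms = []
    for (host, port), nbytes in current.items():
        hist = baseline.get((host, port))
        if hist is None:
            if nbytes >= new_port_floor:
                alarms.append((host, port, "new_protocol_on_host", nbytes))
            continue
        mean, sd = statistics.mean(hist), statistics.pstdev(hist)
        if nbytes > mean + k * sd:
            alarms.append((host, port, "above_baseline", nbytes))
        elif nbytes < mean - k * sd:
            alarms.append((host, port, "below_baseline", nbytes))
    return alarms

# Constructed latest interval: sales chat is normal, the database's PostgreSQL
# traffic has almost stopped, and the database has started sending chat traffic.
CURRENT_INTERVAL = {
    (SALES_PC, CHAT_PORT): 54_000_000,
    (DB_SERVER, PG_PORT): 2_000_000,
    (DB_SERVER, CHAT_PORT): 30_000_000,
    (SALES_PC, PG_PORT): 100_000,       # new but tiny, below the floor: ignored
}

def run():
    """Evaluate the constructed interval against the constructed baseline."""
    return detect(build_baseline(BASELINE_FLOWS, 24), CURRENT_INTERVAL)
```

The same traffic volume raises an alarm on one host and none on another, which is the context point made above: thresholds only work when they are relative to each host's own baseline.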

  8. Have a Documented and Practiced Incident Response Plan

To comply with GDPR regulations, organisations need to have a plan in place to detect and respond to a potential data breach to minimise its impact on EU citizens. In the case of an attack or intrusion, a streamlined incident response process can help you respond quickly and effectively to limit the scope of the exposure.

If you have unified threat detection controls and processes established to alert you to an incident, your incident response plan should be able to quickly and accurately determine the scope of impact. You should investigate all related events in the context of other activity in your IT environment to establish a timeline, and the source of attack should be investigated to contain the incident.

Once you have controlled the incident, you should evaluate if a possible breach of personal data occurred and decide if reporting is required under GDPR. Then, you should prioritise and document all response and remediation tactics. Be sure to verify that your incident response activities have successfully remediated the issue. You will need to inform the regulator of all steps taken, and where necessary, inform any affected EU citizens.

  9. Have a Communication Plan in Place to Detect and Respond to a Potential Data Breach

In the event of a breach, your organization must report to the regulatory body within 72 hours of being aware of the breach.

For high-risk events, the controller must notify data subjects without undue delay (Article 31).

The notification given is required to at least:

  • Describe the nature of the breach
  • Provide the name and contact details of the organization’s data protection officer
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to be taken by the data controller to address the breach and mitigate its adverse effects.

Ask yourself:

  • Can I identify whether systems in scope of GDPR are affected in a breach?
  • Do I have the contact details of the regulatory body that I need to notify?
  • If need be, do I have a reliable mechanism to contact affected customers?

