[BreachExchange] How Will The GDPR Survive In The Jungle of Big Data?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Jul 10 19:01:48 EDT 2018


https://hackercombat.com/the-general-data-protection-regulations-role-in-the-age-of-big-data/

We are living in the age of big data, in a world that now generates an
estimated 2.5 quintillion bytes of data every day. For the mathematically
inclined, that is 2.5 x 10^18 bytes, roughly 2.5 billion gigabytes (about
2.3 billion GiB), a mind-blowing number for any mere mortal. And the total
keeps climbing: every week, month and year adds that much again, and the
daily rate itself keeps rising. This data explosion has been a dream come
true for cybercriminals looking to breach the security of our online
information. The more data that sits in one place, the more enticing an
attack on that place becomes.

Regulators are busy these days trying to police the corporate world,
especially companies legally responsible for leaking the sensitive data of
their customers. Just look at Alphabet, the parent company of Google, which
is facing a European Union antitrust fine that press reports at the time put
as high as $11 billion. That is a competition case rather than a data
protection one, but it shows how willing EU regulators are to impose fines
on the largest companies. As we hurtle towards the future with increasing
speed, the protection of big data gets harder and harder, and we can no
longer depend on the antiquated storage and security systems of the past.

New regulations and expectations around the handling of big data have
recently come into sharper focus as the General Data Protection Regulation
(GDPR) took effect on 25 May 2018. Although it is an EU law, it applies to
any organisation that processes the personal data of people in the EU,
whether or not the organisation itself is established there. It sets a
heavy price for those who don't comply with the new standards of data
protection: for the most serious infringements, a fine of up to €20 million
or four percent of the company's total worldwide annual turnover, whichever
is higher (a lower tier of €10 million or two percent applies to other
infringements). These are maximums, assessed per infringement rather than
imposed automatically, but the percentage-based tier ensures that corporate
behemoths like Google and Microsoft cannot shrug off a penalty that a
smaller company would feel as existential.

Fortunately, many companies operating in EU-member states have responded by
writing a single, universal set of terms of service and privacy notices for
their customers, regardless of where those customers are located. This
means the way they handle data is compliant with GDPR whether the customer
lives in an EU-member state or not. GDPR does not prescribe particular
products, but Article 32 requires "appropriate technical and organisational
measures" for the risk involved, so in practice full compliance means
investing in a reliable cybersecurity infrastructure that covers at least
the following:

Intrusion Prevention

Installing antivirus software is just not enough anymore, as it does not
stop many advanced threats. Corporate enterprises who want to do business
in EU countries will need to take a more layered approach. Spear phishing
emails actively tempt employees into opening malware attachments or
following links to credential-harvesting pages that impersonate a
legitimate login. Harvested credentials give an attacker a foothold on the
network, and malware delivered this way is a common precursor to
ransomware, which encrypts data and demands payment, in some cases also
threatening to publish the data that was stolen first.

Increased security includes logs that record the actions of all users and
that let defenders audit the movement of outsiders on a network, so that an
intrusion is noticed while it is still in progress. These solutions must
also allow admins to assess the vulnerabilities within the system and
respond to them with patches as soon as possible. Under GDPR an undetected
intrusion has a second cost: Article 33 requires notifying the supervisory
authority within 72 hours of becoming aware of a breach, and an attacker who
goes unnoticed for months makes that clock very hard to honour.

Mandatory Encryption

In order to keep data private, full-disk encryption should be established
for all company employees. This is especially true for laptop users in a
corporate setting, as data on these portable devices can easily be lost in
unencrypted form. If an encrypted laptop is lost or stolen while powered
off, the thief will not be able to read the disk without the passphrase or
key, which means the information on it is essentially useless to them. The
caveat is that disk encryption protects data at rest only: a device that is
unlocked and running, a weak passphrase, or a recovery key kept in the same
bag all defeat it, and it does nothing against an attacker who compromises
the running system over the network. The reward for getting it right is
concrete: GDPR Article 34 does not require notifying the affected
individuals of a breach where the data was rendered unintelligible to
anyone not authorised to access it, such as by encryption. Any business who
doesn't embrace this reality is a business without a future.
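One way to turn "encryption on every laptop" into something an admin can
actually audit, as an added example that is not from the article or from
hackercombat: a small Python script that reads the block-device tree from
lsblk on a Linux laptop and checks whether the root and home filesystems
sit on a dm-crypt (LUKS) mapping. The lsblk invocation and its JSON keys are
real; the two device trees embedded in the script are constructed samples,
and the audited mount-point list and the function names are this example's
own choices.

```python
"""Audit whether a Linux laptop keeps its data on encrypted block devices.

Added example, not part of the article: it parses the JSON tree printed by
`lsblk -J -o NAME,TYPE,MOUNTPOINT` and reports, for each mount point that
holds personal data, whether a dm-crypt ("crypt") mapping, i.e. LUKS
full-disk encryption, sits somewhere in the device chain beneath it.
The two sample trees below are constructed for the example, not captured
from real machines.
"""
import json
import subprocess

# Mount points whose loss in cleartext would expose personal data.
# /boot/efi is deliberately not listed: it holds no user data and cannot be
# encrypted on a standard UEFI system.
AUDITED_MOUNTPOINTS = ("/", "/home")


def _walk(devices, ancestors, found):
    """Depth-first walk of the lsblk tree, recording every mounted device
    together with the chain of devices it is stacked on."""
    for dev in devices:
        chain = ancestors + [dev]
        mountpoint = dev.get("mountpoint")
        if mountpoint:
            found[mountpoint] = chain
        _walk(dev.get("children", []), chain, found)


def audit_encryption(lsblk_output, mountpoints=AUDITED_MOUNTPOINTS):
    """Map each audited mount point to True (backed by a crypt mapping),
    False (plain disk or partition) or None (mount point not present)."""
    tree = json.loads(lsblk_output) if isinstance(lsblk_output, str) else lsblk_output
    found = {}
    _walk(tree.get("blockdevices", []), [], found)
    report = {}
    for mp in mountpoints:
        chain = found.get(mp)
        if chain is None:
            report[mp] = None
        else:
            report[mp] = any(dev.get("type") == "crypt" for dev in chain)
    return report


def is_compliant(report):
    """The root filesystem must exist and be encrypted, and every other
    audited mount point that exists must be encrypted too. A missing /home
    is fine: it then lives on the (encrypted) root filesystem."""
    if report.get("/") is not True:
        return False
    return all(status in (True, None) for status in report.values())


# Constructed sample: LUKS container on the second partition, LVM on top.
ENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg0-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg0-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]},
]})

# Constructed sample: same layout without the crypt layer.
UNENCRYPTED_LAPTOP = json.dumps({"blockdevices": [
    {"name": "nvme0n1", "type": "disk", "mountpoint": None, "children": [
        {"name": "nvme0n1p1", "type": "part", "mountpoint": "/boot/efi"},
        {"name": "nvme0n1p2", "type": "part", "mountpoint": "/"},
        {"name": "nvme0n1p3", "type": "part", "mountpoint": "/home"},
    ]},
]})


def audit_live_host():
    """Run lsblk on this machine (Linux only) and audit its real layout."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         check=True, capture_output=True, text=True).stdout
    return audit_encryption(out)


if __name__ == "__main__":
    for label, sample in (("encrypted", ENCRYPTED_LAPTOP),
                          ("unencrypted", UNENCRYPTED_LAPTOP)):
        report = audit_encryption(sample)
        print(label, report, "PASS" if is_compliant(report) else "FAIL")
```

Run from a configuration-management or endpoint agent, audit_live_host()
gives a yes/no answer per laptop that can be rolled up into the compliance
evidence GDPR Article 32 asks for. The check only establishes that a crypt
layer exists; it says nothing about passphrase strength, whether the key is
escrowed somewhere safe, or whether the machine is left unlocked, which are
exactly the caveats listed above.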

Releasing Customer Information

Few people actually read the lengthy Terms and Conditions of a product or
service. For the most part, they just click and move on. But for those
paying attention, it is clear that a company can only share customer data
with a third party when it has a lawful basis for doing so: the customer's
consent, a contract with the customer that requires it, a legal obligation
(for instance a court order obtained for investigative purposes), or
another of the bases listed in Article 6 of the GDPR. Processors that
handle data on the company's behalf must be bound by a written contract
under Article 28, and the privacy notice must tell customers who the
recipients of their data are.

At the end of the day, the new rules of GDPR have made the computing world
more private and secure. If only these same regulations had been in place
10, 15, or even 20 years ago! But as the saying goes—better late than never.