[BreachExchange] Life Under #GDPR and What It Means for Cybersecurity

Audrey McNeil audrey at riskbasedsecurity.com
Thu Apr 26 19:00:15 EDT 2018


https://www.infosecurity-magazine.com/opinions/life-gdpr-cybersecurity/

The General Data Protection Regulation (GDPR) is officially going into
effect one month from today on May 25th, and its arrival will change how
the internet both collects and manages private information.

Under this reform, citizens of the European Union will have more control
over the security of their personal data, and websites will be required to
follow strict compliance mandates to ensure this data is protected.

So what does this mean for the future of cybersecurity, and how is the
digital economy going to be impacted as a whole? Even if your website has
no direct affiliation with the UK or EU, it’s still important to be aware
of what GDPR compliance entails and create a data processing strategy in
advance.

Just because you’re located outside of GDPR borders doesn’t mean you don’t
have European connections through vendors, customers or stakeholders.

The penalties for non-compliance are serious, which means now is the time to
prepare. Here’s what you should know about how the GDPR will shift the
landscape of cybersecurity and what measures can be taken to get ready.

What constitutes personal data will change
This is a broad term which covers anything used to disclose a person’s
identity online, but under the GDPR, the definition of personal data will
expand even more. Aside from the basics of name, phone number and email
address, information like a postal code, driver’s license, passport, credit
card, bank account, IP address, workplace, union membership, social
factors, genetics and biometrics also need to be taken into account.

Before collecting this data, a website must obtain explicit consent from
the person, clarify how the information will be used and honor the right of
each individual to withdraw their consent any time, at which point the
stored data must be erased altogether.

Data collection and storage will be restrictive
Since GDPR lends itself to the expectation of increased data privacy, this
builds pressure on websites to tighten their cybersecurity and even
integrate new practices. This means getting highly specific on what
qualifies as consent.

Assuming that anyone who visits the website has granted you access to their
personal information for marketing uses is no longer an option: you must
obtain permission for their data through affirmative action and unambiguous
language that is visibly stated on the website. In addition, the data
processing must be systematically monitored, and a public breach in this
sensitive material needs to be reported within 72 hours of the security
violation.

Standard firewall technologies are not enough
In this hyper-connected world, just about every kind of office equipment,
from computers and printers to HVAC units and alarm systems to mobile
devices, is now internet enabled. This magnifies the potential for even
the most secure networks to be compromised, so in response, the
preventative measures need to become more sophisticated.

Firewall protection is beneficial, but this software is not adequate on its
own anymore. A multi-layered approach to cybersecurity is more effective.
Opt for technologies that encrypt unstructured data, automate all manual
processing, condense the storage in one location and reinforce the safety
of managed file transfers.

Network access endpoints must be integrated
Because multiple connected devices can increase the risk of personal data
being exploited, all network access endpoints need to have one consolidated
entry dashboard. This streamlines data management across the various
endpoints, enhances visibility of the whole endpoint network so internal IT
teams can supervise and protect the flow of data, controls who can move
through an endpoint to minimize any threats of remote access, and optimizes
the detection and response time for suspicious activities.

In addition, merging these network endpoints will create a meticulous and
secure audit trail to ensure that you’re remaining accountable to all GDPR
compliance directives.

Security risks should be assessed and reported
Data leakage can occur at any stage in the supply chain, so it’s important
to perform routine checks on all aspects of this framework including
website traffic, social media interaction, email threads and other forms of
online engagement. This will identify the areas which are most vulnerable
to a security breach, so the right measures can be taken to reduce the
likelihood of a data penetration.

A thorough risk assessment also evaluates how efficiently the network
access software is functioning to mitigate the spread of viruses, malware
and other outside factors that contribute to lost or stolen data. The more
informed you are of the risks, the better equipped you’ll be to avoid them.

Robust data processing strategies are critical
Under GDPR, data protection is split between two distinct tiers—the
controller and processor. A business owner or manager who obtains the
personal information from customers then decides how that data is utilized
is the controller, and the employees who are responsible for executing a
controller’s directives are the processors. In order to prevent any misuse
of data, you need robust protocols to check the balance of power.

For this reason, more companies are hiring data protection officers (DPO)
to serve as the main point-of-contact for all data processing activities.
In addition to providing accountability for the controller, a DPO can
educate all team members on GDPR compliance and make sure those parameters
are followed across the board.


Compliance with data privacy regulations is the main factor in gaining
consumer trust—or compensating for a loss of trust, as in the case of
Facebook’s recent Cambridge Analytica scandal. GDPR will require that any
use of personal data hinges on precise, unambiguous consent, at the risk
of immense non-compliance fines.

So moving forward, Facebook and other corporations will be subject to rigid
protocol intended to avoid situations like Cambridge Analytica. GDPR puts
the right to provide or withhold, share or delete back in the hands of the
people.