[BreachExchange] Compliance With GDPR Is Not The Answer To Your Security Challenges

Audrey McNeil audrey at riskbasedsecurity.com
Mon May 21 19:29:56 EDT 2018


Even though Australian companies don't have to comply with the General Data
Protection Regulation (GDPR) when it comes into effect on Friday, that
doesn't make it irrelevant. But compliance with the GDPR, our own National
Data Breach (NBD) notification laws and updated privacy laws being
introduced in New Zealand is not enough to ensure your systems and users
are safe in today's threat landscape.

The GDPR sets rules about notification periods for data breaches, access to
personal identifiable information (PII), the right to be forgotten, being
able to take your data with you when you leave a service provider and an
obligation to create systems so that they are secure by design.

There are also some really stiff penalties for non-compliance.

However, there is a danger that companies get so caught up with spending
resources on ensuring they are compliant with rules and regulations that
they don't target their resources where they can make the most difference.
For example, the loss of data from the Target breach, that was revealed in
November 2013, was substantial and resulted in the leaking of over 100
million PII records. And while there were many failures at Target, they
were compliant with major rules of the time. For example, they were
certified as compliant with the Payment Card Industry Data Security
Standard (PCI DSS) standards just two months before the breach.

Compliance is important. Boards and senior management are closely monitored
on such things and non-compliance can lead to fines or even harsher legal
action should something go pear-shaped.

The challenge is to integrate compliance into your security posture rather
than make it a stand-alone set of rules that are managed in isolation of
the rest of your infosec strategy. And, if you're a multi-national company
that needs to comply with multiple regulations then there are even more

Have a focal point

The good news is the GDPR is probable the most stringent set of rules
you'll need to comply with. One of the roles the GDPR requires is someone
who is designated the Data Protection Officer (DPO). That person is the go
to person for GDPR compliance. That's a role that ought to exist in every
organisation. Even if you're a small company, having one person as the
focal point for privacy issues is helpful. Many companies have an OH&S
officer - think of the DPO as providing health and safety guidance for your

Know what you have

I facilitate a lot of security events with major companies. And while some
say they have a strong handle on what data they have, many say they
struggle with "data sprawl" - where information that should only be stored
in a central, managed system ends up being copied to other places for

It's important that businesses look for the nooks and crannies where data
is hiding. And then ask why it's being copied around and put steps in place
to assist users with meeting their business needs in a secure way.

The problem is rarely caused by users who want to simply circumvent
procedures and processes. It's more likely that the existing systems don't
work to support business processes.

Plan and practice your communications system

When you're looking at where your data is stored, think about who you'd
have to notify if a breach occurs. Do you have contact details for all your
staff and customers? How is it kept up to date? What about your
communications plan for an incident? Is it up to date and has it been

Update processes and systems so compliance is easy

Compliance with the GDPR and other rules should not be about adding a bunch
of new obligations to your existing business processes.

You can make systems and processes compliant without adding complexity. New
rules such as the NDB and GDPR are an opportunity to look at existing
processes and practices and improve them.

Rather than see compliance as a problem, it can be an opportunity.

Stay risk focussed

One of the problems a commitment to compliance can create is a loss of
focus on real risks. While non-compliance with laws is a serious issue, you
still need to ensure you're keeping an eye on the security risks facing
your business.

Most of the news rules that are being enacted globally are heavily focused
on PII. But protection of intellectual property, disruption of your
operations from ransomware and financial loss through business email
compromise remain significant issues.

Don't take your eye off the risk ball when playing the compliance game.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20180521/d400c0d9/attachment.html>

More information about the BreachExchange mailing list