Category Archives: Data policy

Two Years and Counting: Why IT Leaders Need to Wise Up Now to the EU GDPR

by Bharat Mistry

Last week, the much-anticipated European General Data Protection Regulation (GDPR) passed its final regulatory hurdle. There’s no going back now: on 4 May 2018 all UK organisations will be bound by the new laws – which introduce a series of rigorous requirements designed to enhance privacy protections for EU citizens and harmonise rules across the region.

But with potential fines of 4% of annual turnover for transgressors, how many UK IT leaders really know what they need to do to comply? Concerning new figures from Trend Micro suggest widespread ignorance of the new laws is putting organisations right in the firing line.

Heads in the sand
The GDPR will introduce several key changes, which UK organisations need to start thinking about now. May 2018 might sound a long way off, but it’s little more than 700 working days away. Key among these new elements are:

  • Mandatory appointment of data protection officers for large firms
  • Mandatory breach notification within 72 hours of an incident
  • Fines of €20m or 4% annual global turnover – whichever is higher
  • Right to be forgotten
  • Right to data portability
  • Multinationals will only need to report to one national privacy regulator – in the country they’re headquartered

So exactly how low is awareness of the forthcoming regulation among IT leaders? Worryingly, a fifth (20%) of those Trend Micro spoke to in a new piece of research are still unaware of its existence. Of those that are, nearly a third (29%) don’t think that the regulation will apply to their organisation, or are unsure. Even worse, a quarter of IT leaders (26%) don’t know how much time they have to become compliant, and nearly one in 10 don’t know what steps to take to do so.

Getting ready for 2018
The truth is that the regulation is far from prescriptive in what it requires from organisations and their IT departments. It demands they do business a certain way in order to better protect the privacy rights of their customers, but doesn’t specify particular data loss prevention tools, or encryption technologies, for example. On the one hand this presents challenges for the IT department. But it is also designed to encourage a more holistic approach to information security, which fits with a best practice, strategic approach.

With that in mind, here are just a few steps organisations should be thinking about now, in order to prepare for May 2018:

  • Conduct a data audit to find out what data you hold and how you are using it
  • Classify data according to sensitivity and your organisation’s risk appetite
  • Deploy DLP technologies to help prevent accidental and deliberate data leaks
  • Run staff awareness and user education programmes that focus on data protection
  • Restrict the number of privileged accounts and roll out strong authentication (e.g. 2FA) for those accounts
  • Carry out regular penetration testing to check the resilience of systems to attack
  • Develop an incident response plan to ensure you can report within 72 hours, involving key stakeholders including the legal, HR and PR teams
  • Consider advanced server-side technologies like Deep Security, which can help lock down risk across physical, virtual and cloud environments from a single console

Banking on Hybrid Cloud: Some Top Security Tips

by Bharat Mistry

A new Wall Street Journal news story this week claims that Amazon Web Services is beginning to make headway in the banking sector. If it’s true it’ll be a major breakthrough for the public cloud provider in an industry which has long been too risk averse and highly regulated for its brand of multi-tenant cloud computing. What the piece doesn’t mention explicitly is that if the notoriously conservative financial services industry is signing up to the public cloud, it’s most likely to be as part of hybrid deployments.

Yet even with a mix of private and public cloud installed to limit risk, organisations must remember that cloud computing brings with it a whole new set of security and management challenges. Forward planning, as always, is everything.

Time for Change: Europe’s New Data Protection Regime is Almost Here

by Bharat Mistry

They must have put something in the water round the EU negotiating table this month. Barely a week after a landmark deal was agreed to implement the Network and Information Security (NIS) Directive, the European Parliament and Council have cleared the way for an imminent final agreement on the much-anticipated EU General Data Protection Regulation (GDPR). As it stands, the new region-wide law will have a major impact on the way UK organisations handle and protect their customers’ data.

The message for CISOs is clear: it’s time to get serious about compliance plans.

Europe’s New Security Law: CISOs Can Take on NIS and Win

by Bharat Mistry

It’s been a long time coming, but Europe finally looks set to get a harmonized cyber security law fit for the 21st century. On Monday, MEPs and the Council of Ministers agreed on the wording of the Network and Information Security Directive (NIS). It promises to mandate that “operators of essential services” take “appropriate” security measures, and that any breaches are notified to the authorities.

The proposed directive will be overwhelmingly positive in the long run – for improving Europe’s information security, information sharing and incident response. But it also signals the start of an intensely busy time for CISOs all over the region as they scramble to meet a whole new set of requirements.

A long time coming
NIS has been several years in the making. Over that time we’ve never experienced a truly catastrophic IT-related critical infrastructure security incident. But the warning signs are there. Nation states, financially motivated cybercriminals and hacktivists all have the tools at their disposal to launch successful targeted attacks aimed at disrupting operations, or stealing valuable IP and customer information. Then there are the incidents that come from human mistakes and technical failures. EU NIS agency ENISA estimates these combined threats result in annual losses of around €260-€340 billion (£189-£247bn).

The financial services sector is perhaps the most regularly targeted by hackers, given the wealth of sensitive data it holds. But others are at risk too. That’s why the NIS directive aims to improve security standards among essential operators in the energy, transport, banking, financial, health and water supply sectors, alongside some providers of online marketplaces, search engines and cloud platforms. Smaller firms will be exempt, although the details are still being worked out.

What happens next?

  • The provisionally-agreed text needs to be formally approved by Parliament’s Internal Market Committee and the Council Committee of Permanent Representatives
  • Member states will then have 21 months to implement the Directive into national laws
  • Member states will also have to identify concrete “operators of essential services” from these sectors
  • A “strategic cooperation group” will be set up to exchange info and best practices, draw up guidelines and help member states with “cybersecurity capacity building”
  • A network of Computer Security Incidents Response Teams (CSIRTs) will be set up to co-ordinate responses to cross-border and internal threats
  • Data breaches will have to be reported to the relevant public authorities

As with any kind of proposed legislation, the devil is in the detail. But it’s likely that NIS will apply to a large swathe of organisations in the sectors mentioned above. The question CISOs must ask themselves now is “do I have an appropriate level of security in place?” In many cases, breach detection, response and reporting will need to improve. The very fact that notifications are to be mandated will focus CEO minds on data security. This is in combination with the European General Data Protection Regulation, which is mooting fines of up to 5% of revenue for serious infractions.

Cyber security has never had a higher profile at a European policy-making level and boards will be forced also to raise it up their agendas. This will mean more work, but also potentially more resources, for the under pressure CISO. The message is simple: start planning now to ensure you’re not left with too much to do come deadline day.