Tag Archives: data breach

Two Years and Counting: Why IT Leaders Need to Wise Up Now to the EU GDPR

by Bharat Mistry

Last week, the much-anticipated European General Data Protection Regulation (GDPR) passed its final regulatory hurdle. There’s no going back now: on 4 May 2018 all UK organisations will be bound by the new laws – which introduce a series of rigorous requirements designed to enhance privacy protections for EU citizens and harmonise rules across the region.

But with potential fines of 4% of annual turnover for transgressors, how many UK IT leaders really know what they need to do to comply? Concerning new figures from Trend Micro suggest widespread ignorance of the new laws is putting organisations right in the firing line.

Heads in the sand
The GDPR will introduce several key changes, which UK organisations need to start thinking about now. May 2018 might sound a long way off, but it’s little more than 700 working days away. Key among these new elements are:

  • Mandatory appointment of data protection officers for large firms
  • Mandatory breach notification within 72 hours of an incident
  • Fines of €20m or 4% annual global turnover – whichever is higher
  • Right to be forgotten
  • Right to data portability
  • Multinationals will only need to report to one national privacy regulator – in the country where they’re headquartered

So exactly how low is awareness of the forthcoming regulation among IT leaders? Worryingly, a fifth (20%) of those Trend Micro spoke to in a new piece of research are still unaware of its existence. Of those that are, nearly a third (29%) don’t think that the regulation will apply to their organisation, or are unsure. Even worse, a quarter of IT leaders (26%) don’t know how much time they have to become compliant, and nearly one in 10 don’t know what steps to take to do so.

Getting ready for 2018
The truth is that the regulation is far from prescriptive in what it requires from organisations and their IT departments. It demands they do business a certain way in order to better protect the privacy rights of their customers, but doesn’t specify particular data loss prevention tools, or encryption technologies, for example. On the one hand this presents challenges for the IT department. But it is also designed to encourage a more holistic approach to information security, which fits with a best practice, strategic approach.

With that in mind, here are just a few steps organisations should be thinking about now, in order to prepare for May 2018:

  • Conduct a data audit to find out what data you hold and how you are using it
  • Classify data according to sensitivity and your organisation’s risk appetite
  • Deploy DLP technologies to help prevent accidental and deliberate data leaks
  • Run staff awareness and user education training programmes focused on data protection
  • Restrict the number of privileged accounts and roll out strong authentication (e.g. 2FA) for those accounts
  • Carry out regular pen testing to check the resilience of systems to attack
  • Develop an incident response plan to ensure you can report within 72 hours, involving key stakeholders including legal, HR and PR teams
  • Use advanced server-side technologies like Deep Security to help lock down risk across physical, virtual and cloud environments from a single console


From Panama to the Philippines, Data Breaches Remain a Business Scourge

by Bharat Mistry

It’s been a busy time for data breaches. First in late March the database of the Philippine Commission on Elections (COMELEC) was ransacked in what could be the biggest government breach in history. And then just days later, Panamanian law firm Mossack Fonseca was attacked and 11.5 million documents leaked to the press detailing the shadowy offshore tax arrangements of many current and former world leaders.

The repercussions of these two incidents will be felt for months or even years to come. If ever there was a fortnight to remind CISOs of the value of best practice data protection, it was the one just gone.

Red Team Alert: How Forward Planning Can Minimise the Effects of a Data Breach

by Ross Dyer

Data breach stories make the news so often these days that no IT security leader can pretend to be unaware of the threat out there. If anything, the situation is getting worse, not better, with attacks becoming more sophisticated and harder to spot. If nothing else, news that TalkTalk lost 7% of its broadband customers in Q4 should focus minds on the issue at hand.

If you don’t prepare now for a potential data breach, then if and when one finally hits it could have a far more serious impact on the company.

What CISOs Can Learn from the Sony Pictures Attack

by Ross Dyer

One of the things you’ll hear some CISOs grumble about from time to time is how tricky it can sometimes be to persuade the business to release more funds. The skill of the good security chief, of course, is in translating highly technical concepts into a language the board will understand. But even so, it can be a tough sell when the end result of thousands of pounds of investment is … precisely nothing. With cyber security you’re effectively buying insurance against a damaging breach.

So it was interesting last week to see Sony declare that it spent a whopping $15 million on investigation and remediation after the major cyber attack last year. It gives just a small insight into the potential financial impact of failing to adequately ‘insure’ your organisation against attack.