Understanding GDPR & What it Means for Cyber Security
On May 25, 2018, the European Union will begin enforcing the new General Data Protection Regulations (GDPR) that will create one data protection standard throughout the EU.
These regulations were designed to create a unified standard for personal data privacy and to simplify the enforcement of data privacy laws throughout all EU countries. What some organizations are surprised to learn is that these regulations go beyond the physical confines of the EU and apply to any organization that collects or holds information on EU citizens. Furthermore, these regulations were designed to strongly favor an individual’s right to control personal data. GDPR places significant restrictions on many current business practices regarding data collection and use, so organizations need to update both their business and their cybersecurity practices. Companies throughout the world need to understand and ensure compliance with GDPR guidelines if they have any interaction with personal data from EU residents.
What are the consequences for non-compliance?
Similar to US HIPAA regulations, fines for GDPR non-compliance can be steep. Depending on the offense, there is a sliding scale for fines that reaches a maximum of 4% of global turnover or €20 million, whichever is greater. Any company that is not yet GDPR compliant and collects or holds personal data for EU citizens should immediately begin implementing compliance strategies or face financially crippling fines.
What type of data must be protected?
GDPR defines personal data as anything that can be used to directly or indirectly identify a person, such as a name, location data, an online identity, tracking data on identifiable online habits, etc. In the past, many organizations have freely collected information with minimal restrictions. GDPR changes this dynamic: organizations must be able to prove there is a compelling reason for collecting, storing or using personal data and, upon request, must provide a complete audit trail for its collection and use. These new guidelines give EU citizens additional rights in multiple areas. Here are a few examples:
- Consent: Organizations cannot continue to use automatic “opt-in” or “check-box” approaches to consent. When organizations seek to collect, use or store personal data, individuals must explicitly opt-in, and the organization must request permission in simple, clear language that includes information on how the data will be used. It must also be easy for people to withdraw consent.
- Disclosure following information breach: An organization must notify both affected users and authorities within 72 hours of discovering a breach that is likely to “result in risk for the rights and freedoms of individuals.”
- Right to access: EU citizens will have the right to know if an organization is processing their personal data and for what purpose. Organizations in control of the data must provide a free electronic copy of the data.
- Right to be forgotten: Covered data subjects have the right to have an organization erase and stop using their personal data if they withdraw consent. When this happens, the organization’s data controller must weigh the subject’s rights vs. “the public interest in the availability of the data.”
As you can see, GDPR has created a lot of new regulations surrounding data use. This is a short list of examples, but GDPR also includes rules for data portability, legitimate use of data for direct marketing, data profiling and more.
How does this impact an organization’s cybersecurity approach?
While every company should always be considering the safety and security of information, GDPR is intended to ensure that organizations take data security seriously, incorporate it into the initial design of any new system, and secure all existing systems. Many large companies collecting data on EU citizens will be required to employ a Data Protection Officer to ensure compliance and proper reporting.
Similar to US HIPAA requirements, GDPR calls for organizations to limit personal data access to only those users who require the specific data to perform their jobs. Organizations must also prove that appropriate network safeguards are in place to protect the privacy of the data. With the prominence of BYOD and mobile devices, combined with IoT devices moving into the mainstream, endpoint devices represent a large risk for GDPR non-compliance. Malware can be inadvertently delivered by trusted employees who access networks remotely using devices that may never have been checked for security vulnerabilities.
Most IoT devices and many BYOD devices lack basic security. With everything from printers to HVAC systems and medical equipment becoming internet-enabled, ensuring that these endpoint devices cannot be used to attack the network or as a conduit for network access is crucial. Traditional security technologies such as firewalls, intrusion prevention systems, and identity management solutions are all necessary, but they are no longer enough. None of these solutions were designed to address the issues of device health and security posture for devices accessing the network. Whether mobile devices are BYOD or owned by the organization, these devices put the network at risk for viruses and malware every time they connect to an outside network.
Controlling access and endpoint connections
To mitigate the risks posed by endpoint devices, organizations need a comprehensive security solution that limits access and automatically enforces network usage policies. To accomplish this goal, organizations need to see and control all endpoints, as well as data access. The best way to address this issue is by using a Security Automation & Orchestration solution that features network access control. This enables organizations to integrate information from multiple security sources into a single, comprehensive dashboard, which coordinates information to increase the fidelity of each alert. This simplifies management and provides the benefits of integrating multiple best-of-breed security solutions to accurately triage alerts.
One solution that helps to ensure endpoints are GDPR compliant is Network Sentry. It helps organizations keep endpoint access GDPR compliant and limit access to protected information by providing:
- Visibility: It provides complete visibility into all endpoints on the network. Organizations cannot protect devices if the IT team doesn’t know the devices exist. After the WannaCry virus hit the UK’s NHS centers by exploiting older versions of software, organizations are also finding that visibility is important for instantly locating devices and checking their software and security versions. Network Sentry provides 100% visibility into all endpoint devices and actions.
- Control: Network Sentry offers identity management, endpoint compliance, and security policy enforcement capabilities that help organizations enforce specific access policies with role-based access to network resources. Each device can be checked before it connects to the network to ensure it meets minimum security and software patch requirements. Organizations can set specific levels of access by role, title, time and device, making it easy to restrict access to personal data. It also keeps a complete log, recording 100% of actions to provide a comprehensive audit trail to prove GDPR compliance.
- Response: Automated threat response detects and continuously monitors devices for suspicious behavior, then automatically quarantines suspect devices in real time. It then forwards the alert and context to a security analyst for remediation. Network Sentry’s immediate reaction can prevent the spread of malware and significantly decrease the potential for a data breach.
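The two controls the article keeps returning to, least-privilege access to personal data (the HIPAA-style requirement above) and a device posture check before a connection is admitted, with every decision written to an audit trail, can be sketched in a few dozen lines. The following is an added illustration written for this page; it is not Network Sentry or any vendor's code. The roles, the personal-data fields, the patch baseline, the required endpoint controls and the sample devices are all constructed assumptions for the demo.

```python
"""Added example (not the page's or any product's code): role-based access to
personal-data fields, gated by an endpoint posture check, with an audit trail.
All roles, fields, thresholds and devices below are constructed for the demo."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Data minimisation: each role may read only the personal-data fields its job
# needs (constructed mapping). Analytics gets no identifying fields at all.
ROLE_FIELDS = {
    "billing": {"name", "postal_address"},
    "support": {"name", "email"},
    "analytics": set(),
}

# Minimum posture an endpoint must show before it may touch personal data
# (constructed baseline: a year-month patch level and two required controls).
MIN_PATCH_LEVEL = 2018_05
REQUIRED_CONTROLS = {"disk_encryption", "endpoint_protection"}

@dataclass
class Device:
    device_id: str
    managed: bool                 # corporate asset (True) or BYOD (False)
    patch_level: int              # e.g. 2018_05 for the May 2018 baseline
    controls: set = field(default_factory=set)

@dataclass
class Request:
    user: str
    role: str
    device: Device
    fields: set                   # personal-data fields the caller wants

AUDIT_LOG: list = []              # every allow/deny decision, in order
QUARANTINE: set = set()           # device ids refused admission

def device_compliant(dev: Device) -> tuple:
    """Pre-admission check: patch baseline met and required controls present."""
    if dev.patch_level < MIN_PATCH_LEVEL:
        return False, f"patch level {dev.patch_level} below {MIN_PATCH_LEVEL}"
    missing = REQUIRED_CONTROLS - dev.controls
    if missing:
        return False, "missing controls: " + ", ".join(sorted(missing))
    return True, "ok"

def _audit(req: Request, decision: str, reason: str) -> None:
    """Append one immutable-style record: who, from which device, which
    fields, and why the decision went the way it did."""
    AUDIT_LOG.append({
        "ts": datetime.now(timezone.utc).isoformat(),
        "user": req.user, "role": req.role, "device": req.device.device_id,
        "fields": sorted(req.fields), "decision": decision, "reason": reason,
    })

def request_access(req: Request) -> tuple:
    """Posture first, then role. A non-compliant device is quarantined and the
    request denied; an over-broad field request is denied without quarantine."""
    ok, why = device_compliant(req.device)
    if not ok:
        QUARANTINE.add(req.device.device_id)
        _audit(req, "deny", "device quarantined: " + why)
        return False, why
    allowed = ROLE_FIELDS.get(req.role, set())
    excess = req.fields - allowed
    if excess:
        reason = f"role {req.role} may not read " + ", ".join(sorted(excess))
        _audit(req, "deny", reason)
        return False, reason
    _audit(req, "allow", "role and posture checks passed")
    return True, "ok"

def access_trail(user: str) -> list:
    """Per-user audit trail, the kind of record a right-to-access request or a
    breach investigation asks for."""
    return [e for e in AUDIT_LOG if e["user"] == user]

if __name__ == "__main__":
    # Constructed sample endpoints: one patched corporate laptop, one stale BYOD.
    laptop = Device("lap-01", True, 2018_05, {"disk_encryption", "endpoint_protection"})
    byod = Device("byod-07", False, 2017_11, {"endpoint_protection"})
    print(request_access(Request("alice", "billing", laptop, {"name", "postal_address"})))
    print(request_access(Request("alice", "billing", laptop, {"name", "email"})))
    print(request_access(Request("bob", "support", byod, {"name"})))
    print("quarantined:", sorted(QUARANTINE))
    for entry in AUDIT_LOG:
        print(entry)
```

Two design points carry over to real deployments: the posture check runs before the role check, so an unhealthy device never reaches the data layer at all, and every outcome, including denials, is logged with the reason, because the audit trail must explain what was refused as well as what was allowed.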