GDPR: FORCES A WHOLESALE SHIFT IN INFORMATION SECURITY THINKING

The new European General Data Protection Regulation is now adopted and, following the two year transition period, will be in force come May 2018. Jason Hart, ex ‘ethical’ hacker and CTO at Gemalto Identity & Data Protection, reasons that a whole new mindset is needed around information security for organisations to understand the point of the regulation, ensure compliance and keep their reputation intact and avoid hefty financial penalties.

Acceptance Is Better Than Prevention
Two absolutely fundamental words are at the heart, literally, of the GDPR – data protection. It is this that provides explicit recognition of the fact that for the cybercrime industry the ‘new oil’ is data. The prospect of a raw material that can be compromised, accessed and ultimately monetised drives the relentless assault on organisations from various attack vectors. No data, no value, it really is that simple, so given the immense volume of personal data organisations hold and transact then the requirement to protect becomes paramount and has driven the need for consistent regulatory frameworks like GDPR.

We’ve seen all the breach news, the fact that cybercrime against individuals is now a mainstream criminal activity (and now recorded in the Crime Survey for England and Wales), and with more and more data being created, stored, shared and analysed the potential value for the cyber-criminal is ever increasing. A paradigm shift in information security thinking is needed to keep data, and hence organisations, protected, safe and secure.

UNDERSTANDING DATA IS UNDERSTANDING RISK
However, this is a lot easier said than done given the volume, variety and ever growing size and dynamic variance of the data field. Taking a step back to look at all departments and associated data – its type (financial, personal, commercial, operational and so on), what is sensitive, its flow, use and location – is the hardest and most complex step along the way to data safety and security. Bear in mind too that a data audit, whilst the essential first step to securing data, is an ongoing and dynamic process and shouldn’t be seen as a tick-box exercise but something evolutionary in an ever-changing digital world. A poor understanding of the data landscape and lack of relevant and appropriate data security controls were central to the vast majority of data breaches that have occurred in the last decade and more. The core of the new regulatory framework is about addressing the risk for different types of data and the application of controls around confidentiality, integrity, and availability. What’s the data, where is it, and what’s protecting it? Get this right and compliance follows.

DATA INTIMACY + ENCRYPTION & KEY MANAGEMENT + AUTHENTICATION = COMPLIANCE
Once the audit of the data universe is underway then the application of appropriate security controls is relatively straightforward. Encryption is key, and key management is even more key! Data is valueless if it is encrypted and it is now so easy to encrypt wherever it is located – on the server, in storage, on the device or travelling across the network. However, encryption without the means to decrypt is pointless and where encryption has been vulnerable before is in the management of the encryption keys. Keep these separate, safe and secure and the degree of difficulty to compromise, access and steal data rises enormously. Add in user controls, like two-factor authentication and ingrain a culture of security within an organisation and compliance to the, rightly so, stringent regulation becomes a matter of fact. Criminals will inevitably gain access to the ‘vault’, either technologically or via other means (the case of ringing reception at the US Department of Homeland Security pretending to be someone who has lost their network access information is one of the real world being a vector of attack), but once in the vault if they can’t access the jewels then they’ll go find a more vulnerable target.

ACTION NOW TO GET OUR CUSTOMERS COMPLIANT
Collectively we can all influence the safety of the digital world by re-inventing what is essential information security thinking. Get our mutual customers to understand that breach prevention, whilst valid, is not today’s priority. Data protection is. Consider this, of the 700 million or so data records stolen in 2015 only 4% were ‘secure’ breaches involving encrypted, hence valueless, data. Working with customers to understand their data universe and its nature, how to encrypt it and manage the encryption keys securely, and how to authenticate and protect its users (technologically and in the real, imperfect, working world) will ensure compliance.

But a word of caution – it is getting to understand the data that will take the time and our customers need to start this process now. The implications of not doing so don’t need to be repeated.

Contact Exclusive Networks about solutions for understanding data security and compliance with the GDPR.

See Jason outline the three factor approach to data security – authentication, encryption and key management