The General Data Protection Regulation, or the GDPR as it is more commonly called, is getting closer to being a potentially costly reality for businesses around the world. Some of the largest fines that companies could face will result from data breaches and not reporting these in a timely manner (within 72 hours of being detected). It may sound like an obvious statement, but detecting a data breach is an essential first step in reporting it.
It's a commonly accepted concept now that at some point most businesses will experience a data breach, if they haven't already. In the past, many companies may have thought that they wouldn't be a target as they were too small, or not storing anything valuable to hackers.
The technologies available to hackers have become more advanced over the years, with some setting themselves up to provide cyber-crime-as-a-service (CCaaS, perhaps?). For a simple fee, wannabe hackers can get access to the tools that they need, and 24x7x365 support for them. These range from DDoS-as-a-service, to tools that allow you to easily take over a target's computer and siphon off data, user credentials and more without leaving any obvious signs.
Often, data breaches occur without the target organisation ever realising it has happened, or at least not until it's too late and data has been exfiltrated. With such a swiftly evolving threat landscape and a widely acknowledged cyber security skills gap, how can businesses keep up with this and ensure that they can detect breaches, and/or ensure that any data stolen cannot be used?
In a recent interview with Computer Weekly, CenturyLink Chief Security Officer Dave Mahon advised that businesses should adopt a proactive cyber security programme, as the majority of organisations are reactive with regard to their cyber security strategy. The only way that enterprises can go now is to find a trusted partner that can fill the skills gap and offer proactive and even predictive services that can protect their data and alert them to any breaches.
CenturyLink has developed a Managed Security Service that can help customers by monitoring events and log files, using advanced data analytics to swiftly recognise and alert on breaches. If you’ve been breached, you want to know about it as soon as possible so that you can comply with the GDPR by alerting the Information Commissioner’s Office (the ICO) and anyone impacted by the breach within the specified 72 hours to avoid those fines, and to mitigate the damage that has been done. This can be combined with our incident management and response service, which allows customers to take advantage of our highly experienced security teams for advice, recommendations and incident management should a breach occur, to give customers more peace of mind that the right steps will be taken to minimise the impact of a breach.
Protecting Personal Data with Encryption
We are proud to be working with Thales e-Security to offer customers the ability to encrypt their data at rest using the Vormetric Data Security Platform. The regulation states that businesses do not need to inform data subjects if the data controller “…has implemented appropriate technical and organisational protection measures, and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorised to access it, such as encryption.” It also states that data controllers don’t need to inform the relevant supervisory authority (i.e. the ICO in the UK) if “…the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.” This shows just how valuable data encryption can be to companies that need to comply with the GDPR.
In truth though, much of what the GDPR requires is not new, and could be seen as largely common sense if a proactive, or even predictive, cyber security programme has been successfully implemented in a business. Whether you need to comply with the GDPR or not, encrypting data is good business practice, but it shouldn't be seen as a silver bullet for GDPR compliance. A good deal of the change required by the regulation will be organisational as opposed to technological. If you're yet to begin your journey to GDPR compliance, there is still time before the May 2018 deadline, but you should engage with a trusted partner that can advise you on first steps sooner rather than later.
If you missed our joint webinar with Thales e-Security on Friday 17th November, you can take a look at the replay online, in which we discussed best practices for GDPR when hosting data off-premises.