The GDPR Disclosure Problem

Uploaded on 2018-11-28 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

Enterprises haven’t always been particularly transparent or timely in disclosing their data breaches. This type of behavior bred significant consumer distrust and was one of the key data security provisions within the GDPR (General Data Protection Regulation).

According to GDPR regulations, companies must “notify personal data breaches likely to present a risk to without undue delay, and within 72 hours if feasible, after becoming aware of the breach.” It’s a clear win for consumers whose data may have been stolen for months before they were notified.

However, the new rules imposed by the EU can be particularly challenging for organisations to disclose a breach within such a tight a timeframe. 

Is 72 hours of discovery a realistic timeframe to accurately assess the breach, affected data and communicate the situation effectively to the public? Most businesses would say that it’s not.

Most organisations have only a vague idea of where all their data is stored, which makes assessing and disclosing the harm of the breach extremely difficult. 

If they unveil a breach too early, businesses risk assessing the situation inaccurately, which means they will have to issue an update, extend a negative news cycle, and further damage their company’s reputation. 

This leaves business, security and IT leaders with a lose-lose situation: either they disclose on time and run the risk of getting it wrong or conduct thorough due diligence to get it right and pay a hefty fine.

Businesses can avoid this situation by aligning their policies and technology. When a data breach transpires, companies should be honest, empathetic and timely, to ultimately maintain their customers’ digital trust.

Not all companies refuse the release of a disclosure for nefarious reasons: they may simply not know they’ve been breached, or it may take a while to determine the scope of the exposure. 

Businesses leverage tools and policies to build transparency to understand where their data is located, providing visibility into cloud infrastructure to streamline the discovery process. Continuous monitoring is the most reliable method of identifying and tracking users who are accessing data on company systems.

Whether you’re on the lookout for an unauthorised employee viewing confidential patient data, or a malicious outsider trying to steal cardholder data, monitoring is vital for a strong security posture. Simply monitoring your infrastructure could help in identifying and disclosing a breach quickly.

Before implementing monitoring tools, it is helpful to perform a full security configuration audit to see the true state of your network and its security to eventually improve cloud infrastructure security posture.

Visibility is incredibly helpful in allowing businesses to move quickly and efficiently during a breach disclosure assessment. 

A best practice would be to centrally collect and view data from all environments, comprehensively leveraging the visibility tool to detect, deny, and disrupt threats. 

If you choose to use a visibility tool, ensure it has host-based, behavioral detection to give you complete wide spread visibility into your environment.

Implementing a security strategy that incorporates real-time vulnerability monitoring, threat intelligence correlation, intrusion detection and full visibility, enables an organisation to become secure by design. 

Meaning a company can go from four hours to four minutes in terms of detection and knowledge about a security event. That alone can drive massive cuts in time-to-detection, enabling the issue of data breach disclosure to be quick and correct.

From monitoring file activity and user activity, to automatically patching vulnerabilities and scanning configurations, security is ingrained within the correct infrastructure and appropriate tools. 

The overall goal of GDPR is to ensure the data privacy of all EU citizens and reshape the way organisations approach data privacy and security. 

Enabling continuous monitoring and complete visibility into your company infrastructure is a way organisations can meet the challenge of assessing, disclosing and even possibly preventing a breach within the 72-hour window.

While there are challenges to GDPR compliance, there are also opportunities to significantly upgrade security infrastructure and create visibility and control over the data in corporate systems as well as the opportunity to build greater trust with your customers.

Infosecurity Magazine:

You Might Also Read:

GDPR Alert As Average ICO Fines Double In A Year

« Cathay Pacific Admits Cyber-Attack
Google Helps Boost High Street Spending »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

XYPRO Technology

XYPRO Technology

XYPRO is the market leader in HPE Non-Stop Security, Risk Management and Compliance.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

IT Governance

IT Governance

IT Governance is a leading global provider of information security solutions. Download our free guide and find out how ISO 27001 can help protect your organisation's information.

CYRIN

CYRIN

CYRIN® Cyber Range. Real Tools, Real Attacks, Real Scenarios. See why leading educational institutions and companies in the U.S. have begun to adopt the CYRIN® system.

Infinigate UK

Infinigate UK

Infinigate is a value-added distributor of IT security solutions to protect and defend IT networks, servers, devices, data, applications, as well as the cloud.

Contrast Security

Contrast Security

Contrast Security is the leader in modernized application security, embedding code analysis and attack prevention directly into software.

Purdicom

Purdicom

Purdicom (formerly known as Selcoms) is an award winning distributor specialising in Wireless, Cloud & Security technologies.

GreyCastle Security

GreyCastle Security

GreyCastle Security is a leading cybersecurity services provider dedicated exclusively to cybersecurity and the practical management of cybersecurity risks.

UKAS

UKAS

UKAS is the national accreditation body for the UK. The directory of members provides details of organisations offering certification services for ISO 27001.

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky Industrial CyberSecurity (KICS)

Kaspersky addresses all the cybersecurity needs of industrial organizations in its Kaspersky Industrial CyberSecurity (KICS) portfolio.

Blackpoint Cyber

Blackpoint Cyber

Blackpoint’s mission is to provide effective, affordable real-time threat detection and response to organizations of all sizes around the world.

DeepFactor

DeepFactor

DeepFactor is the industry’s first Continuous Observability platform enabling Engineering and AppSec teams to find and triage RUNTIME security, privacy, and compliance risks in your applications.

DataSolutions

DataSolutions

DataSolutions is a leading value-added distributor of transformational IT solutions in the UK and Ireland.

Dig Security

Dig Security

Dig Security offers the first data detection and response (DDR) solution, providing real-time visibility, control and protection of your data assets across any cloud.

ALSCO

ALSCO

ALSCO is dedicated to bringing first class IT services, technical support, and solutions to goverment, companies and organizations worldwide.

Harbottle & Lewis

Harbottle & Lewis

Harbottle & Lewis is a leading UK-based law firm focused on the Private Client and Technology, Media and Entertainment sectors.

ITQ Latam

ITQ Latam

ITQ Latam are specialists in cybersecurity, in a convergent ecosystem of technological solutions in infrastructure, cloud and security networks.

ZainTech

ZainTech

Zaintech is a regional digital & ICT solutions provider offering comprehensive digital solutions and services to enterprise and government customers in the MENA region.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Health Sector Cybersecurity Coordination Center (HC3)

Health Sector Cybersecurity Coordination Center (HC3)

HC3 was created by the US Department of Health and Human Services to aid in the protection of vital, controlled, healthcare-related information.