Dealing with GDPR: Start By Eliminating Breaches

In less than a year, GDPR kicks in and will have profound effects on anyone with a cyber security brief

Many companies are scurrying to keep up, huddling with legal, compliance, and technology consultancies to grapple with the problem. This raises the question: shouldn’t they be dealing with basic data breaches first?

Some businesses may still think that the General Data Protection Regulation (GDPR) doesn’t apply to them. Most of them are wrong. The regulation, which comes into force on May 25 next year, will hit any company that processes data on E.U. citizens, regardless of its location. If you run an ecommerce site in the U.S. but you have customers in Europe, you’ll be on the hook if you don’t protect their data properly.

This makes GDPR more than just a regional piece of legislation. It also takes privacy and security requirements further than ever before, broadening the definition of personal data and mandating data breach notifications in most cases.

Complying with this legislation isn’t a ‘fire and forget’ project, either. It includes accountability principles that force you to re-examine your privacy and cybersecurity stance regularly. You must prove that you are protecting sensitive customer data all the time, no matter what changes you make to your data processing systems. In most cases, you’ll need a data privacy officer to conduct regular privacy impact assessments when you make changes.

If you don’t get it right, the penalties could be severe. Expect to pay up to €20 million for certain offenses, or 4% of your global revenue, whichever is higher.

It might sound daunting, but GDPR should be a welcome change. For too long, companies picked their way through different regional regulations, each of which mandates requirements at different levels. Yet these rules haven’t been tight enough to drive the message home to the C-suite, which is why grim data breach headlines keep mounting.

Facing what amounts to the first-ever worldwide data protection mandate, companies must now take this seriously. Lawyers and consultants have been quick to jump on the issue, offering a range of services to help get your house in order, and issuing ominous warnings of what can happen if you don’t.

You’ll certainly have to identify the location of your data, classify it properly, and then determine adequate levels of protection. You’ll need to document user consent for specific data uses rather than getting blanket consent to cover everything.

Meeting these challenges won’t get you very far, though, unless you take care of basic cybersecurity hygiene. Many companies are still failing here, allowing attackers to gain access to their networks and pilfer company data. Verizon recently released its 2017 Data Breach Investigations Report (DBIR). 88% of the breaches it documented fell into patterns it first identified in 2014, showing that overall attack strategies remain relatively static. In other words, attackers can innovate when they have to, but they mostly don’t need to because the old tricks still work.

Malware plays a big part in the average cyberattack. According to the 2017 DBIR, 51% of all breaches included malware, two-thirds of which was installed via malicious email attachments.

In many cases, this malware doesn’t even have to be that new. Hewlett Packard Enterprise’s (HPE) 2016 Cyber Risk Report claimed the top ten vulnerabilities exploited over the prior year were more than a year old. 68% were three years old or more. It seems that attackers can get into a company without investing in expensive zero-day exploits by using vulnerabilities that victims should have patched long before.

Traditional antivirus software attempts to tackle this problem, but it has its limitations. Antivirus companies have been trying to make computers safer since the late 1980s, when they began producing programs to counter some of the first malicious software programs. Things were easier back then, because there were fewer viruses to target, making them more manageable.

Since those early days, virus volumes have exploded as cybercriminals created sophisticated supply chains designed to churn out and adapt malware variants daily. There are now hundreds of millions of malware strains in the wild, many of which are able to mutate on a per-machine basis, making it incredibly difficult for signature-based security software to keep up.

If malware is often the first step in stealing corporate data, then businesses need tools that can eliminate not just older exploits, but zero-day strains too, and do it reliably. How can you begin to meet your GDPR requirements to keep data safe if you’re using software that often misses new malware strains?

Artificial intelligence technology is shifting focus away from signature- and heuristics-based malware prevention. Instead of trying to spot and neutralize every malicious piece of software individually, AI tackles the problem differently. It trains a machine learning algorithm using vast sets of data. One data set contains benign, legitimate software, while the other houses known malicious programs. It explores a range of technical properties in each file, folding them into a statistical model.

When AI anti-malware tools encounter new software, they can analyze it against this statistical model, determining its legitimacy more quickly and accurately. That makes it easier to stop malicious software from executing, long before customers get around to applying patches.

There is no silver bullet for the GDPR challenge because the regulation imposes complex and far-reaching requirements that touch many different parts of an organization.

Companies are busy preparing for GDPR by mapping their data assets and adapting systems to delete user data on request. They’re considering collecting information into centrally managed data lakes for easier access, and exploring anonymization to protect sensitive personal data and comply with the law’s new Privacy by Design principles.

These measures will help companies to avoid the significant penalties, but if attackers are still able to easily infiltrate computer networks with file droppers that connect back to command and control networks, then all bets are off. They will still hemorrhage customer information and leave themselves wide open to reputational and regulatory risk.

Don’t put all that effort and expense into legal consultation and software changes without taking care of the basics first. Eliminating malware from your organization is a quick win that will help set you along the GDPR path to compliance.
