Get a breach defence system, or get denial plans ready, is the advice from one IT security product firm ahead of the GDPR (General Data Protection Regulation), which replaces the UK Data Protection Act 1998 in May 2018 as part of a European Union-wide (regardless of Brexit) update of data privacy law.
Andy Norton, director of threat intelligence at Lastline said: “GDPR sets out a legal requirement for the gathering, managing, storing and disposing of personally identifiable information (PII) on European citizens. If you are holding information considered PII on European citizens, you are subject to the GDPR requirements regardless of where you are in the world or where the information is held. The NIS directive is guidance on how providers of essential services and critical infrastructure should apply security controls to their environment in order to make it resilient to attack.
“GDPR in effect is ensuring the provision of privacy is treated as critical infrastructure. Many of the articles in GDPR related to securing, auditing and monitoring requirements are taken from the [EU] NIS Directive. Much of the frenzied activity to date has been spent on finding out where data is, and whether it is held in a compliant manner. What has not been addressed is the requirement for state of the art, continuous vigilance in the monitoring and auditing of the security controls.
“Commonplace wisdom implies that ‘the breach is inevitable’, in which case European coffers are about to swell massively; GDPR fines could even pay for Brexit. There is a 72-hour ticking clock, and once an organisation discovers a malicious infection in the internal network, they must prove before the clock runs out that the infection did not exfiltrate data considered to be PII. If at the end of the 72 hours they are uncertain about the extent of the compromise, they have a decision to make. Either they don’t inform the regulatory body, and risk increased fines if further investigation uncovers that PII data was involved in the compromise, or they do inform the governing body (the ICO in the case of the UK), and risk customer confidence losses. Organisations need to provision an automated breach defence system that can prevent and prove no PII data was taken, and that therefore there is no potential for harm and the ICO need not be involved.”
The UK data protection regulator, the Information Commissioner’s Office (ICO) this month launched a dedicated advice line (on 0303 123 1113 and select option four) aimed at people running small businesses or charities. Information Commissioner Elizabeth Denham said: “All organisations have to get ready for the new data protection rules, but we recognise that the 5.4 million small organisations in the UK face particular challenges. Small organisations want to be ready when the new law comes into force in May 2018, but they often struggle to know where to start. They may have less time and money to invest in getting it right and are less likely to have compliance teams, data protection officers or legal experts to advise them what to do.”
While the ICO has offered guidance on its website, it has only said that ‘by the end of the year’ it will publish a Guide to the GDPR along the same lines as its current Guide to Data Protection.
As Professional Security reported in its June 2017 print issue, after a Westminster Briefing conference in London on GDPR, businesses want certainty about how to comply with changing data protection law, as a senior ICO official, Jonathan Bamford, head of parliamentary and government affairs, admitted at the event – but he was unable to give any.
Meanwhile from the Black Hat Europe event for cyber security, a September 2017 survey of 127 IT and security people from 15 European countries painted a picture of a sector feeling under siege, and that they do not have the time, budget, or staff to meet the growing security challenges and the extra burdens imposed on them by regulations such as GDPR. For the full survey visit https://www.blackhat.com/docs/eu-17/Black-Hat-Attendee-Survey.pdf.