In taking stock of the past year, two themes in particular emerge that have passed from mouth to mouth and from ear to ear: cyber crime, with particular reference to the phenomenon of ransomware, and the GDPR, the European regulation on data protection. Right from the start it was clear that neither topic would be confined to the year itself; on the GDPR front this is obvious, considering that it begins to apply in May 2018. So far, the trend has been to inform, recognizing the need to take action in light of the impending deadline (exactly four months from today). Instead of looking for quick fixes to get the minimum in place to be compliant, businesses should look beyond the May 2018 deadline and focus on actual, sustainable improvements. Complying with the GDPR therefore means responding to an obligation – under penalty of heavy fines – but also seizing an opportunity: a compliance project will not produce optimal results unless it is based on a clear business strategy, which allows the organization implementing it to respond to needs such as cyber security, an issue that is once again coming to the forefront. By leveraging GDPR compliance, organizations can assess whether their data processing activities, and the potential risks to stakeholders that result from those activities, are covered by the security measures currently in place. The regulation leaves it up to companies to assess and decide what types of measures need to be implemented to comply and to ensure that all reasonable precautions are in place to minimize the risk of a data breach. By implementing controls over people, processes, and technology, you can protect your organization from accidental or malicious data breaches. Robust cyber security operations therefore become an essential part of GDPR compliance.

Among the various stakeholders within the company, the IT security manager has one of the most important roles in the GDPR compliance process. In the GDPR context this role is the CISO (Chief Information Security Officer), the highest-level decision maker for cyber security, with the pivotal function of protecting the company from attacks involving data loss. The CISO and the entire information security team should be deeply involved in the definition of GDPR plans; in particular, during the preparatory phase anyone working in IT security at a company must:

  • understand the risks, i.e. know exactly what personal data about EU citizens the company collects and whether exposure of that data would fall under the GDPR definition of a personal data breach;
  • prevent breaches with appropriate protective measures;
  • detect breaches and respond to them quickly;
  • look beyond the GDPR.

There are many aspects of cyber security risk that a security team needs to take into account even if they are not specifically stated in the GDPR: cyber security is a continuous process, and constant improvement is the only way to stay ahead of the curve. Data breaches happen relentlessly because attackers have become experts at targeted attacks and at evading defenses. The company must operate under the assumption that its IT infrastructure is constantly under attack and has potentially already been compromised in a variety of ways. Essentially, a shift in perspective must be made from threat prevention alone to detection and response. Solutions based on behavioral analytics, artificial intelligence and machine learning enable the enterprise to ferret out threats that have already penetrated its borders. If undetected, these intrusions can compromise infrastructure and intellectual property and produce exactly the kinds of personal data breaches that the GDPR addresses.

Under this approach, cyber security is not seen as a remedy but as prevention. It consists of predicting and preventing breaches, detecting those that do occur, and reacting intelligently to minimize their impact. In this process, human expertise is combined with the scalability of software. Thinking like an attacker is the key to an effective approach: it lets people react in ways technology cannot, and lets them teach automated technology to become smarter day by day.

Sara Avanzi