At time of writing, only 93 days remain before the European Union’s (EU) General Data Protection Regulation (GDPR) goes into effect on May 25. GDPR will strictly regulate the way enterprises can store and process the personal information of EU citizens, and applies even to companies outside the EU. The consequences of violating the law are incredibly severe, yet many enterprises in the U.S. seem unprepared to comply with the full extent of GDPR. Passive breaches especially may prove the most devastating and overlooked aspect of GDPR compliance.
But what are passive breaches? And where are companies failing at GDPR preparations most? We asked Steven Grossman, VP of Strategy at cyber risk analytics vendor Bay Dynamics, 5 questions about GDPR compliance and passive breaches. Here’s our conversation, edited slightly for readability:
1. Where do you think enterprises are at most risk for GDPR compliance violations? What are corporations overlooking that could end up hurting them?
There are many layers to preparing for, and complying with, the GDPR. If you divide the world into people, process and technology, changes to people and process are always more challenging to implement. The right people and process are also a requirement to successfully implement technological change.
In the context of GDPR, that means a collaboration between the security, privacy, compliance, legal and technology stacks to ensure they understand the regulation, know where covered data resides in the organization, what business processes touch that data and what controls are in place to protect it. I think this very fundamental first step is where many companies continue to be challenged. Keep in mind personal information is not residing just in human resources and order processing systems. It’s in corporate email, on file shares and Access databases created by someone who couldn’t get IT to respond fast enough, on the cloud and in all sorts of places. How many people know where their cloud provider’s data centers are geographically located?
So there is the historical challenge of finding all this data and locking it down or destroying it. That’s the easy part. Moving forward, the business needs to make sure that they are providing their employees and third parties with an easy button for working securely. You don’t want to leave one of your employees having to make the choice between getting their job done or violating the GDPR. Either choice can end badly for the enterprise, impacting the bottom line in the form of lower profitability or regulatory fines. In line with the people and process changes, the right technical controls need to be put in place as well, to ensure that data is not accidentally or intentionally exposed.
Data protection is not a new concept, but the potential fines give the GDPR teeth and have led companies to reexamine their posture. That is why you’re seeing a resurgence of technologies like data loss prevention (DLP), CASB and user and entity behavior analytics (UEBA).
2. Why do you think enterprises aren’t preparing for GDPR? Where is the disconnect?
I don’t think you have many large enterprises that are not scrambling right now to prepare. They are likely behind the proverbial eight ball, but the alarm has gone off. I think those that may be asleep at the wheel when it comes to GDPR are non-EU-based mid-sized and smaller companies that think that because they are not located in the EU, it doesn’t apply to them. It applies to anybody storing or processing personal data on EU citizens. What’s worse is that it is particularly dangerous for these smaller companies that often have less structured controls in place and have fewer resources to prepare for and comply with the GDPR.
3. There has been some talk about inadvertent or passive breaches being the major downfall of enterprises in the GDPR era. How would you define these kinds of breaches, and how should enterprises prepare for them?
Inadvertent or passive breaches usually refer to non-malicious actions by a human being that lead to a loss of data, introduction of a bad actor, or malware. They have been a significant problem since the beginning of time. Inadvertent breaches are not just the downfall of the GDPR era. It is often said that humans are the weakest link in security, but that is only part of the story. It is also about culture, training, business processes and controls.
First, from a culture perspective, employees and third parties need to understand the importance of handling data securely and the ramifications to their employer (and therefore their job) if mishandled. These ramifications now become even more significant with GDPR. To elevate security in the eyes of employees and third parties, you are now seeing security as a performance factor in employee evaluations and third-party contracts. Everybody recognizes the importance of security training and secure business processes, but unfortunately, they usually get pushed to the bottom of the priority list, in lieu of more active risks.
The best approach I’ve seen has been to automate and distribute as much as possible. Behavioral analytics, used in a GDPR-compliant manner, can help you identify non-malicious, risky handling of sensitive data, which allows for more targeted training at “teachable moments” that is far more effective than the spray-and-pray four-hour training used to check the box on compliance requirements. Similarly, behavioral analytics can be used to identify when a business group is violating security policies in a consistent way, which helps identify broken business processes, allowing for targeted change efforts.
Like active malicious threats, dealing with inadvertent or passive breaches requires an ongoing effort. It’s not a one-and-done process, where you put something in place and move on.
4. Do you have any suggestions on the best way to train employees in cybersecurity? What areas should companies focus on in their training for GDPR compliance?
As mentioned earlier, it requires ongoing training and reinforcement. The industry can learn from factories a century ago, where worker safety was a serious concern. Significant effort was expended across the people, process, and technology spectrum to greatly reduce the exposure of factory workers to dangerous conditions. It of course has not eliminated injuries, but has made safety a cultural mandate. Factories have signs everywhere about being safe and it is a high priority issue in the back of everybody’s mind. A lot of that effort was driven by government regulation and the creation of OSHA. Similarly, we are reaching a pivoting point, much of which is being driven by industry and government regulation, where cyber security is becoming a prominent issue for the business. This will change how everybody thinks of the problem and lead to positive changes.
5. What should enterprises do to prepare for GDPR compliance overall?
There is obviously a lot to do. Enterprises should start by identifying their in-scope data, where it resides, where it moves, who accesses it and how they access it. They should classify, monitor, and limit access to the data to limit its exposure (DLP is key here). Third-party experts can be of significant value in getting the job done.
GDPR is a significant regulation with many dimensions. Internal resources have a day job, and most simply don’t have the bandwidth to make the required changes in the short time frame remaining. It is up to internal resources to drive the right sponsorship, provide the institutional knowledge and work with third parties to achieve changes in people, process and technology that achieve compliance in a way compatible with their business needs.
Thanks again to Steven Grossman of Bay Dynamics for his time and expertise!