GDPR: raising the bar for cyber security
New legislation to be introduced next year will raise the bar for cyber security. Matt Walmsley of Vectra Networks tells defence features writer Mark Lane that Artificial Intelligence will allow organisations to meet the requirements and avoid fines.
Many businesses and organisations are running out of time to prepare themselves for new rules on IT and data protection.
The new EU General Data Protection Regulation (GDPR), which will impose tighter sanctions on businesses when it comes to security breaches and the risk to or potential loss of personal data, comes into force in one year’s time – on 25 May 2018.
But, in the opinion of Matt Walmsley, Director of EMEA at Vectra Networks, IT, security and compliance leaders both in the EU and globally still have a long way to go before they can truly describe themselves as GDPR-ready.
He says: “Getting your data secured before GDPR comes into play is crucial to avoiding fines which could cripple an organisation. For companies that don’t have visibility of what is going in and coming out of their network, the challenge lies in creating that visibility in real time, in the most autonomous way possible.”
GDPR will also enforce breach reporting requirements and punitive sanctions. For businesses, this means they will have to report any data breach within a 72-hour window or risk facing heavy fines of up to 4% of global turnover for failing to comply.
Brexit will make no difference. The new regulation will affect any organisation that processes EU citizen data, regardless of whether they are based in or outside of the EU.
Walmsley adds: “The aim of GDPR is to give people more control over, and the assurance of greater security for, their personal data. In addition, its intention is to simplify the regulatory environment for businesses internationally. It means that businesses will have to put the correct sanctions in place to better protect personal data – whether it is their employees’ or their customers’. With the rapid accumulation of personal data from cloud computing, the Internet of Things and social networking, properly safeguarding personal data has become a non-negotiable aspect of modern business.
“As such, businesses must have the right capabilities in place in order to achieve full compliance. However, as many businesses have found out so far, it’s no small feat.”
He argues that this new legislation brings new challenges to the industry. The IT and technology sectors are already wrestling with a long-standing skills shortage and, as the compliance deadline looms, there are also rising concerns over the cost involved.
Walmsley says: “Organisations will need to shift their IT infrastructure to enable effective network monitoring, and encrypt personal data to ensure ongoing confidentiality, assessment and evaluation. As daunting as it may seem, the sooner that these new processes and structures are in place, the easier the transition between a pre-GDPR and post-GDPR world will be.”
Also, once organisations have made the necessary changes, they could find that the new regulations work to their benefit.
“While some organisations may feel unable to cope with these new regulations, the hope is that GDPR may actually reduce legal complexity and ultimately enable businesses to expand operations across the EU more easily,” says Walmsley.
Complying with GDPR will require organisations to put in place the appropriate technologies, IT infrastructure and processes to create robust systems that provide data protection, system assurance, breach notification, and the supporting details.
“It’s not a case of if your organisation experiences a breach, but when. It is up to management and your IT teams to ensure it is ready,” he cautions.
He also points out that while it may well fall under the responsibility of the IT, security and compliance team, the onus of GDPR compliance has to be recognised across the board.
He says: “In case of a breach, playing the blame game will not only dismiss the seriousness of the situation, but also damage the corporate reputation and employees’ respect. Trust is easily lost, so companies need to rectify the incident quickly and efficiently. Organisations that can show how they comply with the principles – for example, by documenting the decisions they take about a processing activity – will have a better chance to remedy any loss or damages.”
GDPR requires that ‘appropriate technical measures’ be taken to protect and manage the processing of personal data. Detecting unusual and potentially threatening cyber behaviour inside a network, however, calls for real-time detection and a robust system of behavioural analysis to highlight anything out of the ordinary.
Walmsley believes that artificial intelligence (AI) can help here: it enables automation that enforces data-handling standards by alerting cyber security staff when data is transferred between parties in a way that violates, or is inconsistent with, established practice.
After analysing, learning and understanding standard network behaviour, AI can constantly monitor for the anomalous movement of data between hosts, including the volume and frequency of data movement, to hunt for hidden threats.
When threats are detected, AI can then provide insight into the host transmitting the data, including where it is transmitting the data, the volume of data involved and any specific technique used to send it.
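The two paragraphs above describe a baseline-then-deviation approach: learn each host's normal outbound volume and connection frequency, flag a window that departs from it, and hand the analyst context about where the data went. The following is an added illustration of that idea, not code from the article or from Vectra; it assumes a hypothetical flow-record layout of (window, src_host, dst_host, bytes_out, protocol), uses constructed sample records, and applies an assumed 3-sigma threshold with a floor on the standard deviation so that hosts with very flat baselines do not alert on ordinary jitter.

```python
"""Baseline-and-deviation check over constructed flow records (added example).

Assumed record layout (hypothetical, not a real sensor format):
    (window, src_host, dst_host, bytes_out, protocol)
"""
from collections import defaultdict
from statistics import mean, pstdev

SIGMA = 3.0        # assumed: alert when a window exceeds the baseline mean by this many std devs
REL_FLOOR = 0.05   # assumed: std dev floor as a fraction of the mean, so flat baselines ignore jitter

# Constructed baseline period: five quiet windows for two hosts
BASELINE_FLOWS = []
for w in range(5):
    BASELINE_FLOWS += [
        (w, "ws-01", "crm.internal", 1_000_000 + w * 50_000, "https"),
        (w, "ws-01", "mail.internal", 200_000, "smtp"),
        (w, "db-02", "backup.internal", 5_000_000 + w * 100_000, "ssh"),
    ]

# Constructed current window: ws-01 additionally sends ~40 MB to a peer it has never talked to
CURRENT_FLOWS = [
    (5, "ws-01", "crm.internal", 1_100_000, "https"),
    (5, "ws-01", "mail.internal", 210_000, "smtp"),
    (5, "ws-01", "203.0.113.7", 40_000_000, "dns"),
    (5, "db-02", "backup.internal", 5_300_000, "ssh"),
]


def aggregate(flows):
    """Total bytes and flow count per (src_host, window)."""
    totals = defaultdict(lambda: [0, 0])
    for window, src, _dst, nbytes, _proto in flows:
        totals[(src, window)][0] += nbytes
        totals[(src, window)][1] += 1
    return totals


def build_baseline(flows):
    """Per-host (mean, floored std dev) of bytes and flows per window, plus destinations seen."""
    samples = defaultdict(lambda: {"bytes": [], "flows": []})
    for (src, _w), (nbytes, count) in aggregate(flows).items():
        samples[src]["bytes"].append(nbytes)
        samples[src]["flows"].append(count)
    dests = defaultdict(set)
    for _w, src, dst, _b, _p in flows:
        dests[src].add(dst)
    baseline = {}
    for host, s in samples.items():
        stats = {}
        for key in ("bytes", "flows"):
            m = mean(s[key])
            stats[key] = (m, max(pstdev(s[key]), REL_FLOOR * m))
        stats["dests"] = dests[host]
        baseline[host] = stats
    return baseline


def detect(baseline, current_flows):
    """Return one alert per host whose current window deviates from its baseline, with transfer context."""
    alerts = {}
    for (host, window), (nbytes, count) in aggregate(current_flows).items():
        if host not in baseline:
            continue  # unseen host: needs its own baseline period before it can be scored
        reasons = []
        for key, value in (("bytes", nbytes), ("flows", count)):
            m, sd = baseline[host][key]
            z = (value - m) / sd
            if z > SIGMA:
                reasons.append(f"{key}: {value} vs baseline mean {m:.0f} (z={z:.1f})")
        if not reasons:
            continue
        # Context for the analyst: where the data went, how much, over what protocol, and whether the peer is new
        transfers = [
            {"dst": dst, "bytes": b, "protocol": p, "new_peer": dst not in baseline[host]["dests"]}
            for w, src, dst, b, p in current_flows
            if src == host and w == window
        ]
        transfers.sort(key=lambda t: t["bytes"], reverse=True)
        alerts[host] = {"window": window, "reasons": reasons, "transfers": transfers}
    return alerts


if __name__ == "__main__":
    for host, alert in detect(build_baseline(BASELINE_FLOWS), CURRENT_FLOWS).items():
        print(host, alert["reasons"])
        for t in alert["transfers"]:
            print("   ", t)
```

With the constructed data, ws-01 is flagged on both byte volume and connection count, and the largest transfer in its alert context is the 40 MB push over DNS to a previously unseen peer; db-02's small growth stays inside its baseline. Per-host baselines matter here: a volume that is routine for the backup host would be a clear outlier for a workstation.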
“AI threat detection algorithms persistently listen, learn and watch network traffic to quickly spot hidden cyber attacks that have defeated or evaded defensive capabilities,” says Walmsley.
“Deploying AI-based monitoring and detection within the network also provides a means to validate and strengthen the effectiveness of perimeter defences. By highlighting threats in real time that have prevented detection or have beaten existing systems, organisations can quickly detect and address any anomalies or potential breaches.”
Disclosure of a data breach within 72 hours is critical to avoiding fines that affect the entire organisation. Here, Walmsley says, using AI to automate early detection and the gathering of context and evidence about a threat is key. If a data breach has occurred, disclosure will probably be required, and it must be comprehensive: describing the nature of the breach, the data sets compromised, the contact information of the people responsible for the data, and the measures the organisation intends to take to address the issue.
He adds: “Whilst the need for quick identification and response to cyber attacks is clearly evident, the unfortunate reality is that it is often a slow affair. In fact, the M-Trends 2017 report revealed that it takes an average of 199 days before a breach is detected. The report also found that over half of those breaches are only discovered after receiving a notification from an external party. When GDPR formally comes into effect in May 2018, such time frames will simply be unacceptable.
“Companies need to reduce threat notification and response processes from years, months and weeks to just hours and minutes. AI and automated threat detection are powerful tools that need to be leveraged by businesses if they are going to stand a chance of meeting the new requirements set out by GDPR.”
He argues that by automating labour- and time-intensive tasks that are typically the responsibility of senior cyber security analysts and incident response teams, time spent on threat investigations can be reduced significantly. This allows security teams to focus on data loss prevention and mitigation.
“Building real-time visibility into all network traffic, hidden spots and unknown attackers puts security event context firmly at your fingertips,” says Walmsley.
He concludes: “By giving cyber security teams the ability to identify and act quickly against the early stages of an attack, well before a data breach has occurred, the risk of GDPR-reportable data breaches, and thus fines, can be reduced. As well as this, detection and alerting capabilities contribute to assessment and form part of an appropriate technical cyber security architecture that supports GDPR compliance.”