We are taking our first steps into 2018, a year that will deliver a barrage of new regulatory changes, with GDPR set to be the crowning glory arriving on the 25th of May. Some have been proactive about achieving compliance, taking bold strides towards the deadline, while others are panicking and spending vast sums in a last-ditch attempt. Many are still blissfully unaware of their shortcomings, and of how much they will cost when the time comes.
Data breaches plagued 2017: the Equifax attack, and the final revelation that every Yahoo! account holder had been affected in an earlier attack, made many firms aware of the potentially crippling reputational damage, not to mention the financial damage inflicted when investors lose confidence.
Regardless of whether you are confident that your organisation is up to the challenge or not, Rashmi Knowles, Field CTO, RSA, shared her thoughts on what organisations must remember to best avoid failing compliance. One thing Knowles makes clear is that there is no silver bullet that you can buy that will erase the problem.
“The more we talk to companies the more we realise how far behind organisations are, even financial institutions for example, who you would typically expect to be forward leaning,” said Knowles.
“You would expect them to be very good with breach detection, incident response, having comprehensive response plans in place, but all of those things are becoming a bigger challenge.”
The RSA Field CTO explained that a proactive approach is also required, going beyond simply having a set of plans and protocols in place.
“Breach detection should be fairly straightforward. I think a lot of organisations rely on being able to detect an incident, but if you are just relying on incidents and logs then actually you are only looking at the envelope, not opening the envelope to see there is a bomb inside,” Knowles said.
A central pillar of the incoming regulation states that breaches must be reported in a timely fashion following their discovery. Uber was recently in breach of this requirement, having not only left a significant breach undisclosed, but also actively sought to cover it up.
Entrenching the requirements of this regulation, Knowles said: “With GDPR, obviously you have to report a breach, so if you have to report a breach you have to be able to know what has been taken, and you can only know what has been taken if you have the ability to recreate the attack. If you look at some big examples recently, Yahoo, Equifax, they actually had no idea.”
The security firm RSA has focused on business-driven security, concentrating on the crux of what GDPR is and encouraging a business-related understanding of cybersecurity.
Expounding on this viewpoint, Knowles said: “At RSA we talk a lot about business driven security, which is linking a security incident to a business context, understanding what is going on in the technology world and how it impacts the business. With GDPR you need to understand that, so if you have a DDoS attack you want to tell your business about the impact it has had and what can be done about it.”
“There are four key areas that I have been talking to customers about in approaching GDPR. The biggest challenge, the first piece of homework for organisations is to understand what data they have, what proof they have of the consent and then how they process, delete and prove the whole cycle has been completed.”
Listing the steps together, Knowles said: “The first key area is risk assessment, followed by incident detection/response. The third area is around data governance and then the fourth area is around compliance.”
The RSA Field CTO explained that it is vital for compliance to take an evidence-based approach, saying that “even if you have a breach but you can prove you are doing the right things, then actually on the one hand you may not get a fine and also consumers will be a little bit more forgiving because they know you will be doing the right things. In recent breaches this does not apply because we know the companies were not doing the right things.”
“A lot of vendors are saying they have a GDPR solution, there is no solution for GDPR. I think because organisations are panicking and they have budgets signed off, because the business is now seeing it as a priority, there have been lots of surveys that say how much organisations are willing to spend on GDPR. The budget is there and people are saying ‘let’s just buy all of this technology and that will help us to become compliant’, but obviously that is not the case.”
Resources are of critical importance in terms of GDPR, and while throwing money at the problem will not have a great impact, the world is in desperate need of more skilled professionals to monitor and enforce the new regulation. This is yet another example of the pressure that the entire tech industry is under regarding a lack of valuable skills.
“We have a skills shortage, the Information Commissioner’s Office is now saying we need 7,000 Data Protection Officers in the UK, and I read somewhere last week that Europe needs 28,000. On the basis that we have a skills shortage already, I am not sure where these extra DPOs are going to come from,” said Knowles.
By outlining these steps, the RSA Field CTO is encouraging organisations to be diligent and to cover all the ground in pursuing GDPR compliance, ensuring that if the inevitable happens and a data breach is discovered, the victim will have a solid defence when facing potential GDPR punishment.
“If you follow this cycle then at least you have got proof to say these are the ten steps we are taking for GDPR. When it comes to compliance, GDPR is not just about compliance but it plays a big role, so being able to automate some of those compliance procedures is important. I think compliance management as a bigger picture of GDPR will mean you have to automate some processes,” Knowles said.