Preparation for GDPR has been underway for the last two years. Although last month’s deadline has passed and GDPR is now in effect, there are still many companies in the EU and the rest of the world for that matter, that are still not 100% compliant. A recent survey by Spiceworks revealed that only 25 percent of US companies were thought to be compliant when GDPR went into force. Many of these companies are waiting in anticipation to see the first results and the impact the new legislation will bring once a new major breach has been uncovered. As we wait for that first announcement in the news, the chances are that many new breaches have most likely already occurred post-May 25th but are still yet to be detected and disclosed. Dixons Carphone may be the first, announcing a huge data breach last week involving 5.9 million payment cards and 1.2 million personal data records, but the breach was reported to have taken place last year, pre-GDPR, so the consequences are somewhat unclear.
GDPR is unique in that it is the first major regulation to focus on the end scenario, the impact and aftermath of a breach, especially to the individual, as opposed to focusing solely on the prevention and controls put in place by organizations to prevent a breach in the first place. What seems to have caused the most confusion is that there doesn’t seem to be that “one size fits all” approach for companies to meet GDPR compliance and there have been many different interpretations. Companies must be able to prove they have carried out the necessary risk assessments and put the appropriate policies, processes, and procedures in place given all the risks involved.
Historically it has been more common to associate security controls in conjunction with breach prevention, but today cybersecurity strategies have been turned on their head and security operations teams must assume that a breach has or will occur. It is no longer the “if” scenario and focus is now fully on the “when” scenario. This change in mindset puts incident response, in particular data breach notification and reporting processes, at the forefront of reducing the risk of a data breach as opposed to being an afterthought. Organizations under GDPR now have to notify EU authorities within 72-hours and have to prove that their security programs and responses were appropriate to the situation.
If you are not quite fully GDPR compliant yet, there is no time to wait. Here are 5 steps you should take without due delay.
1. Establish Roles and Responsibilities
Data Protection Officer (DPO) is the latest new job title being created within many organizations. Main responsibilities of the DPO include providing advice on security controls, processes and procedures within the organization, as well as acting as the main point of contract for the supervisory authority. The DPO is not the only role that may be required though, as a proper incident response plan will require many additional roles including an incident response coordinator, legal and compliance resources and human resources to name a few. Stakeholders within the organization will need to be aware of how to effectively put the plans into action. If you are yet to define roles and responsibilities, this is a key first step when tackling GDPR.
Under GDPR it is important to understand what data exists, where it is located, who has access to it and for what purpose it is being used. Only the minimum amount of data to perform the task should be collected and processed and it should not be retained for longer than necessary. If data within the company is unknown then it can’t be protected, putting the company at risk. Knowing where data exists is crucial during incident response and breach notification to ensure you do a comprehensive audit of your business and the data it holds.
To respond to a security incident, a thoroughly planned and documented approach is required to maximize its effectiveness. Without structure and documented processes and procedures in place, an incident response attempt could turn into complete mayhem. The process should comprise of the appropriate tools and tasks, as well as personnel required to respond to the incident, ensuring it covers all scenarios whether large or small. It is also important to document both the high-level plan, as well as the more detailed workflows for handling specific types of security incidents (e.g. runbooks and playbooks). Having this documentation and associated processes and procedures in place will help your organization to demonstrate that a formalized, repeatable process using an appropriate response was followed during a potential breach.
4. Test the Plan Regularly
Having a documented plan is one thing, but ensuring it works and is fully tested is another. GDPR not only requires that security controls are in place but also states that they should be tested and evaluated on a regular basis. This will most likely vary from organization to organization, but we would recommend it should take place at least once a year and include exercises such as breach simulations. As well as meeting this requirement under GDPR it also helps to ensure that all stakeholders within the incident response process are up to date and familiar with their respective role and responsibilities.
5. Ensure Reporting Practices and Proficiencies
The GDPR breach reporting and notification element is probably one of the most challenging aspects to comply with, as 72 hours is a relatively short window to detect, remediate, report on and notify all parties of an incident. Organizations need to be able to gather and analyze large amounts of data from multiple sources, as well as make sense of the data before notifying stakeholders internally and externally. Implementing automated procedures for collecting data and preparing detailed reports based on incident and forensic data is essential, as well as having documented processes in place for issuing notifications to potentially hundreds of thousands of individuals.
As we already know, data breach detection and incident response are never going to be a straightforward process for any organization but GDPR has now leveled the playing field to ensure that all companies are meeting the same baseline requirements or face the possibility of hefty fine and public scrutiny. It is now a critical time for organizations to ensure they have detailed and documented incident response plans and procedures in place to deal with any incident should it occur, as well as the tools they need to help them to more easily comply with the requirements.
If your security operations team is looking for assistance with its incident response program and tools to help the organization to demonstrate GDPR compliance as well as breach notification requirements, these useful resources may help. Read our DFLabs IncMan for GDPR solution brief and whitepaper about Increasing the Effectiveness of Incident Management to learn more.
Faced with a growing threat landscape, a shortage of skilled cyber security professionals, and non-technical employees who lack awareness of cyber security best practices, to name a few, CISOs are continuously confronted with a number of existing and new challenges. To mitigate some of these challenges by eliminating security threats and minimizing security gaps, they must make some critical strategic decisions within their organizations.
Even though we are only at the beginning of April, 2018 is already proving to be a year of increasing cyber incidents, with security threats spanning across a range of industry sectors, impacting both the private and public sectors alike. We have seen many data breaches including Uber, Facebook and Experian that have made it clear that no organization, not even the corporate giants, are safe from these cyber threats and attacks. We are now also seeing newly evolving threats affecting the popular and latest smart devices including products such as Alexa and Goоgle Home. New technology not fully tested, or security vulnerabilities from IoT devices being brought into the workplace, now bring additional concerns for CISOs and their security teams, as they try to proactively defend and protect their corporate networks.
This problem seems quite simple to identify in that corporate policies are not being updated fast enough to keep up with dynamic changes and advancements in technology, as well as to cope with the increasing sophistication of advancing threats, but managing this problem is seemingly more difficult. This generates an additional set of challenges for CISOs to enforce policies that still need to be written, while conquering internal corporate bureaucracy to get them created, modified or updated. This is just one challenge. Let’s now discuss a few more and some suggested actions to manage them.
How CISOs Can Overcome Their Challenges
CISOs in international corporations need to focus on global compliance and regulations to abide with a range of privacy laws, including the upcoming European Union’s General Data Protection Regulation (GDPR). This new regulation due to come into force on May 25th, 2018 has set the stage for protection of consumer data privacy and in time we expect to see other regulations closely follow suite. International companies that hold EU personal identifiable information inside or outside of the EU will need to abide by the regulation and establish a formalized incident response procedure, implement an internal breach notification process, communicate the personal data breach to the data subject without delay, as well as notify the Supervisory Authority within 72 hours, regardless of where the breach occurred. Organizations need to report all breaches and inform their affected customers, or face fines of up to 20 million Euros or four percent of annual turnover (whichever is higher). A new law called the Data Security and Breach Notification Act is also being worked on presently by the U.S. Senate to promote this protection for customers affected. This new legislation will impose up to a five year prison sentence on any individual that conceals a new data breach, without notifying the customers that had been impacted.
So how can CISOs proactively stay ahead of the growing number of cyber security threats, notify affected customers as soon as possible and respond within 72 hrs of a breach? The key is to carry out security risk assessments, implement the necessary procedures, as well as utilize tools that can help facilitate Security Orchestration, Automation and Response (SOAR), such as the IncMan SOAR platform from DLFabs. IncMan has capabilities to automate and prioritize incident response and related enrichment and containment tasks, distribute appropriate notifications and implement an incident response plan in case of a potential data breach. IncMan handles different stages of the incident response and breach notification process including providing advanced reporting capabilities with appropriate metrics and the ability to gather or share intelligence with 3rd parties. This timely collection of enriched threat intelligence helps expedite the incident response time and contribute to better management of the corporate landscape.
The Need to Harden New Technology Policies
Endpoint protection has also become a heightened concern for security departments in recent months, with an increasing number of organizations facing multiple ransomware and zero days attacks. New technologies used by employees within the organization, not covered by corporate policies, such as Bring Your Own Device (BYOD) and the Internet of things (IoT) have brought new challenges to the CISOs threat landscape. One example as we mentioned earlier are gadgets such as Alexa or Google Home, where users bring them into the office and connect them to the corporate WIFI or network without prior approval. When connected to the network, they can immediately introduce vulnerabilities and access gaps in the security network that can be easily exploited by hackers.
Devices that are not managed under corporate policies need to be restricted to a guest network that cannot exploit vulnerabilities and should not be allowed to use Wi-Fi Protected Access (WPA). CISOs need to ensure that stricter corporate policies are implemented to restrict and manage new technologies, as well as utilizing tools such as an Endpoint Protection Product (EPP) or Next-Generation Anti Virus (NGAV) solution to help prevent malware from executing when found on a user machine. NAGV tools can learn the behaviors of the endpoint devices and query a signature database of vaccines for exploits and other malware on real time to help expedite containment and remediation to minimize threats.
Maximizing Resources With Technology as a Solution
With the significant increase in the number of and advancing sophistication of potential cyber security threats and security alerts, combined with a shortage of cyber security staff with the required skill set and knowledge, CISOs are under even more pressure to protect their organizations and ask themselves questions such as: How do I effectively investigate incidents coming in from so many data points? How can I quickly prioritize incidents that present the greatest threat to my organization? How can I reduce the amount of time necessary to resolve an incident and give staff more time hunting emerging threats?
They will need to assess their current organization security landscape and available resources, while assessing their skill level and maturity. Based on the company size it may even make business sense to outsource some aspects, for example by hiring a Managed Security Service Provider (MSSP) to manage alert monitoring, threat detection and incident response. CISOs should also evaluate the range of tools available to them and make the decision whether they can benefit from utilizing Security Orchestration, Automation and Response (SOAR) technology to increase their security program efficiency and effectiveness within their current structure.
Security Infrastructure and Employee Training Are Paramount
In summary, CISOs will be faced with more advancing challenges and increasing threats and these are only set to continue over the coming months. They should ensure that their security infrastructures follow sufficient frameworks such as NIST, ISO, SANS, PCI/DSS, as well as best practices for application security, cloud computing and encryption.
They should prepare to resource their security teams with adequate technology and tools to respond to threats and alerts and to minimize the impact as much as feasibly possible, with set policies and procedures in place. To enforce security best practices across all departments of the company, it is important that security decisions are fully understood and supported by the leadership team as well as human resources, with a range of corporate policies to meet the challenges of ever changing technologies.
CISOs need to promote security best practices and corporate policies, industry laws regulations and compliance by educating and training relevant stakeholders, starting with employees. The use of workshops, seminars, websites, banners, posters and training in all areas of the company will heighten people’s awareness to threats and exploits, increasing their knowledge, while also teaching them the best way to respond or to raise the alarm if there is a potential threat. The initial investment in education and training may be a burden on time and resources but in the long run will prove beneficial and could potentially prevent the company from experiencing a serious threat or penalty from non-compliance.
Completing a full analysis of current resources, skill sets and security tools and platforms will all play a part when deciding whether in-house or outsourced security operations is the best approach, but the benefits of using SOAR technology to leverage existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents, as well as to assist with important breach notification requirements, should not be overlooked.
Over the past few months during the post-hoc analysis of WannaCry-Petya, we have spoken in great lengths about what should have been done during the incident. This is quite a tricky thing to do in a balanced way because we are all clever in hindsight. What hasn’t been spoken about enough is understanding more generally what we need to do when things go wrong.
This question isn’t as simple as it appears, as there are a lot of aspects to consider during an incident, and only a brief window to identify, contain and mitigate a threat. Let’s look at just a few of these:
– Response times
This is often the greatest challenge but of utmost importance. The response is not only understanding the “how” and “why” of a threat but is also about putting the chain of events into action to make sure that the “what” doesn’t spiral out of control.
– Creating an effective playbook
A playbook should be a guide on how your incident response plan must be executed. Orchestration platforms contain these playbooks/runbooks. Also, note that these are not generic plug and forget policies. They need to be optimized and mapped to your business and regulatory requirements and are often unique to your organization. Otherwise, the incident will be controlled by an incorrect playbook.
– Skills and tool availability
Do you have the correct skills and tools available and are you able to leverage these. Do you understand where your security gaps are and do you know how to mitigate them?
On paper, incident response always works. Right until the moment of truth during a data breach that shows that it doesn’t. To avoid relying on theory only, it is best to run breach simulations and simulate some of the attacks that may affect your organization to find out if your processes and playbooks also work under more realistic conditions.
We’re always playing catch‒up for many reasons—new technologies, new vulnerabilities, and new threats. Software and hardware may possibly always be at the mercy of hackers, criminal actors and other threat actors, so prevention alone is futile. We have to become more resilient and better at dealing with the aftermath of an attack.
The key summary for me is this: How do you respond? Can the response be improved? Utilize the lessons learned in breach simulations to understand how you make the response better than before.
Companies across different industries around the globe, along with government institutions, cite cyber attacks as one of the biggest security threats to their existence. As a matter of fact, in a recent Forbes survey of over 700 companies from 79 countries, 88 percent of respondents said that they are “extremely concerned” or “concerned” by the risk of getting attacked by hackers.
This fact is a clear indication that organizations have to ramp up efforts for enhancing their cyber resilience, but to do that successfully and in the most effective manner, they need to have a clear understanding of where the biggest cyber threats come from nowadays so that they can shape their cyber defenses accordingly. We take a look at the most common cybersecurity threats today, ranging from internal threats, cyber criminals looking for financial gains, and nation states.
When talking about cyber security, some of the first things that usually come to mind are freelance hackers and state-sponsored attacks between hostile nations. But, many cyber security incidents actually come from within organizations, or to be more specific, from their own employees.
Pretty much all experts agree that employees are some of the weakest links in the cyber defense of every organization, in part due to low cyber security awareness, and sometimes due to criminal intent.
Employees often put their companies at risk of getting hacked without meaning to, by opening phishing emails or sharing confidential files through insecure channels, which is why organizations should make sure their staff knows the basics of cyber security and how to avoid the common cyber scams and protect data.
With so many devices connected to the Internet nowadays, including video cameras, smart phones, tablets, sensors, POS terminals, medical devices, printers, scanners, among others, organizations are at an increased risk of falling victim of a data breach. The Internet of Things is a real and ever-increasing cyber threat to businesses and institutions, deteriorating their vulnerability to cyber attacks by adding more endpoints that hackers can use to gain access to networks, and by making it easier for hackers to spread malicious software throughout networks at a faster rate.
The Internet of Things is one of the factors that make DDoS attacks more possible and more easily conducted, and these types of attacks can have a significant and long-lasting impact on organizations, both in terms of financial losses and reputation damage.
Private entities and government institutions that are part of the critical infrastructure in their countries are under a constant threat of different types of attacks by hostile nations. As the number of channels and methods that stand at the disposal of hackers aiming to gain access to computer networks grows, organizations in the public and private sector are facing a growing risk of cyber attacks sponsored by nation-states that might have an interest in damaging the critical infrastructure of other countries, hurting their economies, obtaining top-secret information, or getting the upper hand in diplomatic disputes.
Most commonly, nation-state-sponsored cyber attacks use malware, such as ransomware and spyware, to access computer networks of organizations, as a means of gaining control over certain aspects of the critical infrastructure of another country.
No matter what types of attacks are common today, the number and level of sophistication of cyber threats to organizations are certainly going to grow in the future, which is why they have to constantly update and adjust their cyber defenses accordingly.
Faced with the growing threat of cyber attacks and the challenges involved in recovering from various cyber security events, New York state’s authorities have rolled out new cyber security regulations that apply to financial institutions operating within the state. New York’s Department of Financial Services (DFS) has issued the final Cybersecurity Requirements for Financial Services Companies, affecting “Covered Entities”, defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”, establishing a set of standards that have to do with reporting cyber security breaches to regulators, in addition to implementing specific cyber security policies.
Cyber Security Programs and Incident Response Plans
The new regulation aims to protect New York’s banks and insurance providers against cyber attacks, along with protecting sensitive consumer data. To that end, the rules – that went into effect on March 1 – prescribe a wide-ranging set of requirements for financial services companies in terms of specific steps they are supposed to take to be better prepared for cyber security incidents and how and when they must notify authorities of cyber attacks on their computer systems and networks.
According to the regulations, financial services companies are required to create a cyber security program that is expected to protect their information systems against cyber attacks. A covered entity’s cyber security program should be focused on identifying internal and external cyber security risks, detecting cyber security events, responding to detected cyber security events, recovering from cyber security events, and complying with reporting obligations.
As far as cyber security policies are concerned, covered entities are required to implement them in order to be able to address systems and network security, information security, data governance, customer data privacy, risk assessment, and incident response, among other aspects of cyber security.
When it comes to incident response plans, the new rules state that reporting cyber security incidents to regulators must be a paramount part of those plans. Regulated entities are required to confirm they gathered documentation regarding cyber security events and report them to various government and supervisory bodies, as part of their previously devised incident response plans.
Compiling documentation in reference to cyber security events, creating appropriate reports, and notifying authorities can be a tedious task for any organisation’s CSIRT. Companies can face tough consequences if they don’t complete the documentation in a timely and proper manner. Companies often require the solution of a cyber incident response platform that can generate reports on cyber security incidents automatically and in various formats, and is also capable of tracking and collecting evidence, helping their cyber security teams compile the required documentation faster and effortlessly.
These types of platforms also can also help companies’ CSIRTs predict and detect cyber security breaches and respond as fast as possible, which is one of the main capabilities the new cyber security regulations require from covered entities.
Many organizations often complain about having to abide by strict regulations regarding government notification of cyber security events, claiming that such mandates only put them under an extra strain, in terms of increased expenses and unnecessary burden on their employees.
But, given that the risk of cyber attacks for many government agencies and private organizations across the world continues to grow, all activities that have to do with cyber security obviously need to be intensified, and notifying authorities, is one of the key parts of those efforts. Detailed and timely government notifications of cyber security events often play a crucial role in preventing future incidents and improving and upgrading current incident response plans and programs.
Why Notifications Are Important
While it is true that government notification of a breach can be a time-consuming and complicated process, it is safe to say that – on top of overall cyber security efforts – it is also beneficial to companies in terms of protecting themselves from potential legal liabilities and substantial financial losses, along with unimaginable damage to their reputation.
Laws that mandate reporting cyber security incidents to governmental agencies and law enforcement vary from one country to another, but what they all have in common is the requirement to notify individuals whose sensitive information has been stolen or misused, or accessed in an unauthorized manner, in addition to notifying the authorities.
Save Time and Comply with Regulations Through Playbooks
One of the best ways to make sure your company complies with data breach notification laws is to update your cyber incident response program to include an automation and orchestration platform with dynamic reporting capabilities.
You can save a lot of valuable time by utilizing such a platform, considering that reporting cyber security events involves a complicated procedure and encompasses several different processes that can take up a lot of your time if you don’t use the proper tools to do it.
A platform with reporting capabilities can take care of all reporting requirements automatically and ensure that you don’t waste time on determining what information needs to be disclosed and how to notify law enforcement in a confidential manner, without risking accidentally sharing sensitive information with the public or with a party or individual that is not supposed to have access to it.
These types of platforms are able to quickly and reliably notify authorities and affected individuals of a data breach as soon as it occurs, through a variety of secure channels. They can create automated reports of any incident, containing information that describes the incident in detail, including what type of data has been accessed by an unauthorized person, and the amount of data that has been stolen, deleted, or compromised in any way.
By relying on a cyber incident response platform that features automated playbooks for breach notifications, your organization will always be prepared for the unwanted event of falling victim to a data breach and will avoid the risk of failing to comply with regulations that have to do with reporting cyber security events to law enforcement and affected organizations or individuals.