Preparing for GDPR

By Eldon Sprickerhoff, Chief Security Strategist and Founder, eSentire

Published: 23 April 2018


The General Data Protection Regulation (GDPR) comes into effect on May 25th, 2018. In anticipation of this and the changes it will mean for compliance rules, the Alternative Investment Management Association (AIMA) recently released their GDPR Implementation Guide with the purpose of assisting AIMA members in preparing for the upcoming implementation of GDPR. While this guide explores the background of GDPR and provides a summary of key rules and questions as well as a compliance checklist, the guide also discusses the ramifications of GDPR on cybersecurity—which is where we’ll focus.

What are the GDPR rules around cybersecurity?

Article 25 of the GDPR contains minimum data-protection rules for organizations that process personal data. It requires they implement technical and organisational measures to ensure the protection of personal data during processing and that data is only accessible by authorised parties.

Article 32 outlines the requirements on controllers and processors for the security of processing activities. Organisations must implement technical and organisational measures to protect personal data from accidental or unlawful destruction, loss, alteration or unauthorised disclosure. To do so would require regular testing and evaluation of controls, as well as the proven ability to recover in a timely fashion from a natural or technical disaster.

GDPR compliance considerations

The flexibility of the GDPR means that firms should evaluate and be clear about what they believe is sufficient to comply with the requisite standard of data protection and security. Firms should consider undertaking the following steps:

  • Conduct a risk assessment to identify critical data risks – the first step is to create an inventory of critical assets (here, personal data), identify top risks (cyber threats and vulnerabilities associated with technology and processes) and determine which of these risks can be eliminated, offset, mitigated or accepted.
  • Conduct a security gap analysis – firms should conduct a security gap analysis to determine the firm’s current security posture, which GDPR requirements the organization already meets, which programs must be augmented and what systems need to be implemented to comply with the GDPR fully.
  • Develop security policies and procedures – the risk assessment and gap analysis should assist a firm in developing the policies and procedures which form the foundation of its GDPR cybersecurity program. Such a program could include:
  1. Access to data – the firm can implement controls to restrict/audit access to personal data;
  2. Encryption of data at rest and in motion – encryption can reduce the risk of negative consequences resulting from unauthorised access. This means that data must be stored on encrypted systems and, when transferred outside the network, should move through encrypted channels such as a Virtual Private Network (VPN);
  3. Data back-up and redundant storage locations to enhance resilience – resilience can be achieved through data back-up systems with offsite redundancy. As part of a firm’s disaster recovery plan, all data should exist in dual locations with plans for authorised personnel to access the data and conduct regular business operations from an alternative site;
  4. Real time monitoring – firms can mitigate the likelihood and damage caused by an undetected data breach through continuous (24/7) monitoring of systems to detect unauthorised activity and to respond to security events. This is known as Managed Detection and Response;
  5. Incident Response (IR) and Disaster Recovery (DR) planning and drills in the event of breaches – in addition to the above monitoring, firms should also develop an IR and DR plan that outlines: (i) triggers for the IR plan; (ii) relevant team members; (iii) notification and other legal obligations; and (iv) technical and business activities during and following a breach. The IR plan should ideally include more than just IT functions and involve legal, HR, investor relations and the executive suite. Once in place, the plan should be tested and augmented to foster continual improvement.

MDR prepares you for GDPR

Perhaps the most challenging requirement of the GDPR is the prevention of loss, alteration, unauthorized access or disclosure of sensitive personal data. Often, the prevention of unauthorised access to data involves the use of technologies, such as Intrusion Prevention Systems, Endpoint Protection and Logging. Given the complexity of these systems, organisations may choose to rely on managed security service providers (MSSPs). MSSP services provide the management of network and security technologies, with frequent reporting of performance and events. These services provide a means of managing complex security systems, but unfortunately do not typically provide firms with real-time monitoring to detect and then react to cyberattacks.

As previously mentioned, there is a new category of outsourced solution called Managed Detection and Response (MDR).[1] This service acknowledges:

  1. the shortage of in-house expertise needed to scan for threats and to take action to stop any attack before it leads to a data breach or other compliance violation;
  2. the device-management limitations and liability-averse approach of the traditional MSSP model. MDR typically provides 24/7 monitoring by security experts who use a combination of automated detection and mitigation, with human investigation of attacks that can evade technology-only defenses. Once an attack is detected, a human security analyst takes measures to halt it, capture forensic evidence and prevent further exploitation. Quick detection is key to mitigation: it creates the ability to respond to threats and to report material breaches within the GDPR-required timeframe, while limiting the potential damage caused by the breach.

When it comes to your cybersecurity provider, be proactive. Evaluate your current cybersecurity practices and consider switching to an MDR provider. As previously mentioned, MDR vendors not only detect and analyze threats, but also stop them. Cyber-attack methods will continue to increase in complexity and frequency, surpassing the capabilities of many in-house cybersecurity solutions. MDR can both protect your confidential data from being breached and meet the growing compliance requirements of various regulators.

[1] Gartner: Market Guide for Managed Detection and Response Services, available online: https://www.gartner.com/doc/3314023/market-guide-managed-detection-response