with all the accompanying security risks. "GDPR has been a long time coming," he continues. "Its implications are far from being known, but self-governance simply isn't working, as evidenced by the millions of people globally who have been impacted through no fault of their own."

DATA ERASURE
Clearly, with the advent of GDPR, it is critical and urgent for organisations to understand data lifecycle management and the processes and systems required at each stage - from the creation of data to when it reaches end-of-life - before it becomes unmanageable. "In particular, it's important to factor in data erasure, which is one small piece of the puzzle that is frequently overlooked," cautions Richard Stiennon, chief strategy officer at Blancco Technology Group. "What companies really need is an enterprise-class, certified data erasure solution that employs legally required overwriting standards, is approved by governing bodies and provides physical proof that all data is permanently gone. If a solution doesn't meet all three of these criteria, then companies might find themselves in a situation where they are unable to verify that data has been removed - and could face serious legal action and fines from governing bodies such as the FCC, FTC and EU GDPR Supervisory Authorities.

"I also think companies need to stop compartmentalising data management and customer experience into separate categories," he says. "It's not the best strategy and the two can't flourish without each other. Organisations will need to change their way of thinking about data management across the entire lifecycle so that this kind of compartmentalisation doesn't keep happening. They need to proactively plan for the secure removal of data at the same time as they're collecting, storing and analysing data."
STARK FINDINGS
Meanwhile, Ipswitch conducted a survey of IT professionals from the UK, France and Germany and found that one in three businesses reported not knowing how the GDPR will apply to them, while 55% claimed they were not ready, as they recognised a need to invest in new technologies. In the UK, that picture is even starker: fewer than one in five say they are ready for the GDPR.

FOCUS AREAS
There are two areas that need to be focused on ahead of the implementation of the GDPR, technology and training, with 55% of those surveyed by Ipswitch saying they would need to invest in new technologies or services, according to Michael Hack, head of the company's EMEA Field Operations. "The key technologies that businesses said they needed to invest in are encryption, analytics and reporting, perimeter security, file sharing and mobile device management, with encryption being mentioned by the most (50%)." Data in motion, in use and at rest each need special consideration under GDPR, Hack adds. "Companies should allow for flexibility when deciding on the right solutions for their needs. Risk assessment is a key strategy and covers all areas of the business."

One important technology for mitigating risk and ensuring compliance is managed file transfer, which manages the entire process both within and outside the business. "A comprehensive managed file transfer solution not only provides secure routes for assets, it also adds value with tools for the end users for tasks such as managing attachments and working in local folders," states Hack. "A managed file transfer solution also streamlines processes by automating workflows, managing performance and security, and providing reporting and analytics, so that the business is always on top of data and documents as they move through, out of and back into the business."
NOT AN OPTION
One of the biggest misconceptions is that non-EU based companies do not have to comply with the GDPR. "I hate to break it to them, but, if they're a global organisation that collects EU citizen data, then they must comply," says Matt Lock, director of sales engineers, Varonis. "If a US company collects data from EU citizens, it would be under the same legal obligations as though the company had headquarters in, say, France, the UK or Germany - even though they don't have any servers or offices there! This may be hard for the EU regulators to enforce, but, if you're large enough or a high-profile multinational organisation, our guesstimate is that the EU authorities will likely go after any violations. In order to meet these new regulations, or even determine if they have to be met, every organisation, regardless of location, should create an asset register of sensitive files, understand who has access and who is accessing them, and determine when data can and should be deleted."

ADAPTING PRACTICES
Clearly, companies must look to adapt their practices ahead of schedule, given the complexity and scope of the new regulation. "While it is billed as European legislation, the nature of networks and the digital economy imply that it will be far more wide-reaching than that," comments John Madelin, CEO at Reliance acsn. "Organisations must take a holistic approach to privacy and security, with their most sensitive information at the heart of it, in order to adhere to the stringent guidelines more easily, as well as manage its downfalls.

"Businesses haven't taken privacy and cyber security seriously enough until now, and these higher levels of 'parental controls' will help security experts hold business leaders up to board level more accountable."

Perhaps the most significant change is in notification. "In the past, a company only had a problem if there was a breach," says Madelin. "The new legislation will require companies to demonstrate that they will detect and report a breach. Companies will have to invest in creating 24/7 alarming and reporting capabilities, integrated with their security infrastructure, which will allow them to adequately understand where the data is and protect it. At the moment, the majority of systems deployed are not fit for purpose."

MASSIVE UNDERTAKING
Preparing for GDPR is likely to be a cross-functional exercise, as legal, risk and compliance, IT and security all have a part to play in its implementation.
"As it is not a small amount of regulation to comprehend, with 99 Articles and 173 Recitals to trawl through, there will be numerous processes, procedures, and training required, in addition to the need for technology and services, in order to demonstrate compliance," states Samantha Humphries, international solutions marketing manager at Rapid7. "For some organisations, changes to roles and responsibilities will be required, too, such as appointing a data protection officer and nominating representatives within the EU to be necessary points of contact. Completing Privacy Impact Assessments and implementing processes for access control, incident detection and response, and breach notification will all be crucial in ensuring compliance. By introducing such processes, businesses can show that they understand where personal data physically resides, the categories of personal data they control and/or process, how and by whom it is accessed, and how it is secured," she adds. Disaster recovery should also be high on any organisation's list. "Being able to detect attackers early can ease this process. User Behaviour Analytics can provide businesses with the capabilities to detect anomalous user account activity within their environment, so they can investigate and remediate quickly." Recognising weak spots in systems and networks can also help businesses find focus. "By attacking their own systems through pen tests to demonstrate real-world scenarios, businesses can highlight potential failures and weaknesses that can be rectified to avoid the threat of a real attack," Humphries concludes. "This will aid compliance with Article 32, which states the need to have a process for regularly testing, assessing and evaluating the effectiveness of security measures." Richard Brown, Arbor Networks: documentation is often created, 'put on the shelf' and then forgotten about. Rob Norris, Fujitsu: now is the time to stop being hunted and instead become the hunter. 
@CSMagAndAwards May/June 2017 computing security 25