CS1907

More documents

Recommendations

Info

GDPR Rob Allen, Kingston Technology Europe: GDPR is rewarding organisations that already had solid data management measures in place. Wim Nauwelaerts, Sidley Austin: even if a company is not established in the EU, the GDPR can still apply. networks and technologies could bring data processing under the scope of the GDPR, as long as the monitored behaviour takes place within EU territory. "The guidelines provide the example of an Indian pharmaceutical company without a business presence or establishment in the EU, which sponsors clinical trials carried out by sites in Belgium, Luxembourg, and the Netherlands. Since trial participants in these EU countries are being 'monitored', the sponsor in India is arguably subject to the GDPR." It's a highly complex issue, no better demonstrated than by the fact that the guidelines were open for public consultation until January 18, 2019 and expected to be finalised shortly afterwards. "However, during the public consultation, many stakeholders raised questions about the interaction between the provisions in the GDPR around territorial scope and Chapter V of the GDPR, which deals with data transfers outside of the EU," explains Nauwelaerts. "For instance, whether data transfer safeguards, such as model contracts that have been pre-approved by the European Commission, should be put in place vis-à-vis controllers/processors outside the EU that are subject to the GDPR, because the targeting or monitoring criterion is met. The guidelines currently fail to address these questions. At this point, it is still unclear when the EDPB will publish its finalised guidelines and to what extent they will include guidance on the GDPR's data transfer restrictions." ABOVE AND BEYOND GDPR alone will not keep personal data secure, of course, as Richard Blanford, chief executive, Fordway, emphasises. "GDPR may be part of every organisation's business practices, but has it really made personal data more secure? In my view, the answer is no. I believe GDPR is a business issue. It has ensured organisations know where they hold Personally Identifiable Information (PII), and have controls in place for how they store, use and delete that data through what should be a clearly defined and well-understood policy, with appropriate business processes to ensure compliance. "However, GDPR does not address the actual security of an organisation's networks and the devices on which they store and access PII. So, if their perimeter is breached, GDPR is meaningless. And with data increasingly going outside an organisation as employees and partners tunnel through or bypass network perimeters, good cyber security discipline is more vital than ever." KEY DISCIPLINES According to Blanford, data security really requires four key disciplines: identity and authentication management; information lifecycle management; network security; and business continuity planning. "To develop an effective data security policy, organisations need to take a holistic look at their entire infrastructure, from how data is created or acquired to how it is valued, stored, accessed and disposed of," he advises. "This includes data that comes in from customers, partners and suppliers as well as data created internally. They also need to consider their users. No technology or regulation will be effective, unless all employees adhere to security procedures. "This means educating users on why security matters, the consequences of getting it wrong and what to do, if the worst happens. They are much more likely to comply, if they understand the risks, rather than simply seeing security as a set of annoying rules which prevent them working as they wish. Achieving recognised security standards such as Cyber Essentials, ISO27001 and ISO20000, will help an organisation improve its security and, importantly, reassure its customers that it has done so." See page 20 for another expert take on GDPR and its impact. 14 computing security July/August 2019 @CSMagAndAwards www.computingsecurity.co.uk
product review WEBROOT BUSINESS ENDPOINT PROTECTION Webroot takes data security to the next level, as its Business Endpoint Protection teams up multi-vector protection with cloud-based machine learning. It delivers real-time threat detection and prevention for physical and virtual endpoints, while its SaaS (software as a service) model allows multiple sites to be cloud managed from a single pane of glass. Deployed as a small-footprint agent, it uses embedded deep learning intelligence to analyse end user activity to detect threats and block them. The agent functions as a sensor and sends back all information to the cloud service as data points, allowing it to adapt instantly to zero-day threats. It's very easy to install and we had no problem deploying it in the lab on our physical and virtual Windows workstations and Windows Server systems. The agent is preconfigured for your account and we found it could be installed and providing full protection in minutes. The agent runs an initial endpoint scan, links up with your cloud account and takes its settings from the default policy, so there's nothing more to do on each one. Other features we like are that the agent can be run transparently and it won't conflict with other endpoint security solutions - many competing products insist on uninstalling them before their agent can run. The cloud console is well designed and MSPs will approve of its site view, as they can manage all their customers from one console. It provides a complete overview of all detected threats, along with direct access to Webroot's optional DNS protection and security awareness training services. The endpoint protection console is equally informative and presents a status overview, clearly showing detected threats and the affected endpoints where you can drill down deeper for more information. The left pane provides a quick link to all current threats where we could view associated endpoints and run quick one-click clean up jobs. If the agent detects a new executable, it'll class it as unknown, track all the changes it makes and send back data points to the cloud where the results are analysed in real-time. A valuable feature is Webroot's journaling as, if it determines the threat is real, it'll roll back all changes made on the endpoints automatically. Custom polices can be easily created and even a quick glance at their features shows where Webroot's strengths are, as they offer remarkable levels of protection. Along with setting agent behaviour and self-protection, these provide access to scan schedules, automatic remediation, threat analysis heuristics, real-time, behaviour and core system shields, and much more. The web shield protects against malicious and phishing web sites, while the identity shield offers features such as denial of malicious tracking cookies, DNS verification to prevent man-in-the middle attacks and even screen capture prevention. We created custom policies for our Windows workstations and an agent is also available for Mac systems, which uses the same policies, so there's no need to create separate ones. Groups allowed us to organise our various endpoints for easier management, and policies can be assigned to groups or individual endpoints on-demand. Threat detection alerts are assigned to email distribution lists, which can also be used to send out regular threat summaries. Webroot provides a good range of reporting tools and MSPs will love its web-based API, as they can extract endpoint protection information and use it in other third-party remote management tools. Webroot's Business Endpoint Protection gets our vote of confidence, as it is easy to deploy and delivers the toughest of security measures. Its slick cloud management console is perfect for MSPs and SMEs alike, while its flexible per-device monthly and yearly subscriptions offer unbeatable value. Product: Business Endpoint Protection Supplier: Webroot Website: webroot.com/ComputingSecurity Tel: +44 (0)800 804 7016 www.computingsecurity.co.uk @CSMagAndAwards July/August 2019 computing security 15
Page 1 and 2: Computing Security Secure systems,
Page 3 and 4: comment NATION IN TRANSFORMATION In
Page 5 and 6: p ent est INFORMATION SECURITY ASSU
Page 7 and 8: editor's focus from the public and
Page 9 and 10: True multi-factor authentication wi
Page 11 and 12: GDPR fine is preliminary," states A
Page 13: case study "Equally, it does not he
Page 17 and 18: financial focus an online banking u
Page 19 and 20: inside track EDUCATION, EDUCATION,
Page 21 and 22: Webroot empowers businesses with pr
Page 23 and 24: threat intelligence have seen an im
Page 25 and 26: 12th edition of the most recognized
Page 27 and 28: cyber espionage a "sobering story"
Page 29 and 30: CYBER SECURITY europe 9-10 October
Page 31 and 32: industrial cyber security MULTIPLE
Page 33 and 34: endpoint detection and response GET
Page 36: Brookcourt Solutions (A Shearwater

CS1907

Create successful ePaper yourself

Delete template?

Save as template?