CS Nov-Dec 2022
GDPR

Dan Middleton, Veeam: Businesses must place data integrity, security and resilience at the heart of their operations.

facilitate the transfer of personal data from the EU to a third country or international organisation, while ensuring that the data continues to benefit from a high level of protection. "This continuity of protection is important, given that in today's world data moves easily across borders and the protections guaranteed by the GDPR would be incomplete, if they were limited to processing inside the EU. The toolbox includes actively engaging with key partners with a view to reaching an adequacy finding and yielded important results such as the creation between the EU and Japan of the world's largest area of free and safe data flows. Ongoing work also concerns other transfer mechanisms, such as standard contractual clauses and certification, to harness the full potential of the GDPR rules on international transfers."

What is all too clear from the sizeable fines that were imposed on Instagram and others is that data protection authorities are making use of a wide range of corrective powers provided by the GDPR, such as administrative fines, warnings and reprimands, orders to comply with data subject's requests, orders to bring processing operations into compliance with the Regulation, to rectify, erase or restrict processing. Nor is it all about fines as a means to keep businesses in line. As the EC states: "The GDPR also provides for a broader palette of corrective powers. For example, the effect of a ban on processing or the suspension of data flows can be much stronger than a financial penalty."

CHANNEL 4 - TOTAL VISIBILITY

One organisation intent on ensuring it meets its GDPR obligations is Channel 4, which is said to be saving its security department thousands each year after partnering with Invicti Security to gain complete visibility into its web assets.

As part of protecting the information it collects, in line with regulations such as GDPR, Channel 4 - which operates the UK's biggest free streaming service, All 4, plus a network of 12 television channels - needs to secure vast amounts of information, including the data of 24 million All 4 subscribers, as well as staff details, and all of its intellectual property and be able to demonstrate that this data is safe and secure.

As a large organisation with thousands of web assets, security was previously a complex and expensive task, involving numerous penetration tests with multiple third parties, costing significant sums to the business. "We would perform a penetration test and after getting the results, we'd have to fix the issue and then pay for another penetration test," says Channel 4 CISO Brian Brackenborough. "That could be quite a cycle depending on how complicated the particular project was."

Channel 4 now uses Invicti to gain visibility into whether websites are collecting personally identifiable information (PII). It can then perform vulnerability scans and penetration tests on those websites. The efficiency gains and cost savings are clear: partnering with Invicti saved Channel 4 thousands in the first year alone. "The budget, which we were spending every year on penetration testing, decreased approximately 60%. The following year, it decreased close to 80%," he adds.

Using Invicti, Channel 4 can start performing automated and continuous penetration tests or vulnerability scans against systems at certain milestones of a project to make sure it stays on track. It allows Channel 4 to catch any issues early on in the process, prioritising vulnerabilities that put the organisation at risk, so it can fix them with less manual effort.

"That makes our lives a lot easier and allows us to ensure we are delivering projects on budget and on time," says Brackenborough.

computing security Nov/Dec 2022 @CSMagAndAwards www.computingsecurity.co.uk