May 21, 2018

GDPR and mounting cybersecurity threats highlight the need for data protection

There has always been a need for data protection and security in business. Issues around the protection, management and security of data have always been critically important but have not always been prioritised as such. Previously, decision-makers have focused their time and resources on the core business targets to grow their business, leaving security as an afterthought and for the IT department to handle.

Failing to address security threats has never been a viable option for any business and given the current environment where the importance has been emphasised by the arrival of the GDPR and the mounting cybersecurity threats, finally, organisations are looking at security seriously and taking necessary actions to position themselves appropriately to better manage and protect the data that they hold.

The GDPR has placed direct emphasis on the protection of personal data and people’s privacy and the resultant push is a security focus at all levels. Data security and management has gained a pronounced degree of urgency.

Now, everyone is motivated and thinking very seriously about all things security (prevention, protection, defence and remediation)- at all business levels! For once, the business seems to be working as a unit, security is no longer an IT problem, instead, it has elevated to a board level and is getting the attention that it deserves.

Heightened cybersecurity threats of great sophistication

Businesses are experiencing heightened cybersecurity threats of great sophistication that is showing no sign of easing. Extremely damaging and lasting repercussions spanning financial, compliance and legal implications, as well as lasting impacts on business reputation, are all likely.

Environments are more data-driven than ever before, with organisations processing large volumes of data which holds significant value. This data is highly sought-after as we are reminded, frequently, with each occurring malicious breach. Businesses are realising that data has value and the GDPR is pushing them to protect it.

This heightened focus on data protection and the prevailing data threats means businesses are beginning to prioritise the security of their data above all else.

Major security threats still impacting data security

Predominant threats including crimeware, point-of-sale intrusions, cyber espionage, insider threats, application vulnerabilities, accidental errors, physical theft and loss of hardware/devices as well as denial of service attacks continue to impact businesses as before.

Businesses are seeing these attacks differently (as a result of the GDPR), realising that no matter the type of threat incident, all can potentially culminate in a breach of data and if that data is personal and sensitive, and is not protected, it will result in a breach of the GDPR and impact the data subject significantly.

Consider these threats…

1. Cyber espionage

Organisations processing or holding highly sensitive and valuable data are mostly targeted and a loss or compromise of this data for those organisations is very damaging.  With this type of attack, the target is usually focused and specific, rather than randomly chosen. The data that the organisation holds is the data that the attacker wants! It is Usually an endeavour to capture intellectual property or highly confidential information. Attackers have the resources and means to fulfil these attacks and persevere until they get what they want.

2. Crimeware

This involves the use of malware to compromise systems. A commonplace example and frequently used is phishing attacks and all the derivatives thereof (whaling and spear phishing). Once the attacker has control of the system they are able to go about capturing information (throughout all networked devices) and undertaking other criminal activities for their benefit.

3. Point-of-sale intrusions

A specific attack to capture payment information. If an organisation is one that works with such personal information, this highly sensitive form of data is at risk.

4. Misuse of privileges

Most of the time those employees or identities with most privileged access rights bring the highest risk. This risk is an insider risk.

The changing ways in which businesses function is making it more challenging to pick up on behavioural inconsistencies as employees are increasingly working more mobile and remotely, outside of the business constraints and outside of business operating hours.  Thus, location and time are not always a guaranteed cause for concern anymore.  Additionally, access to multiple documents, sources of content and accounts are also becoming the norm for employees to undertake their duties.

Identity and Access Management procedures is an effective way to manage this risk as well as tools that help to reduce exposure of organisations to human error.

5. Application Vulnerabilities

This type of attack tends to be one that is more opportunistic. Web applications that are not properly vetted may represent more of a risk.  Vulnerabilities within an application are found and then exploited and access is often gained through the utilisation of stolen credentials (which is becoming more easily achieved with the use of social engineering) and a breach often culminates.

6. Unintentional Mistakes (the insider threat)

Unlike a breach caused purposefully by an employee, many breaches continue to occur due to unintentional human error, often unknown to the employee responsible at the time.  This could include sending information or details to the wrong recipient, disposing of sensitive information in an incorrect manner or placing data in public view that should have remained private. Although this is done in error the repercussion of such an error, if personal information is disclosed, is the same as if it were a malicious breach. The personal data is still compromised and the data protection law still applies.

This threat may not always be intentional but even an accidental breach remains a breach.

We can’t rely solely on physical defence, the threat brought about by people is one that is often linked to human vulnerabilities and it must be addressed as such.

7. Theft and loss

The theft or loss of devices or hardware holding unencrypted personal and sensitive data is very much a concern and an incident type that, surprisingly, continues to occur. This cannot be allowed to continue and is not acceptable. This data can be easily secured and any breach resulting from a situation like this is avoidable.

What do they all have in common…data (mostly personal and sensitive)!

Yes, particular threats may pertain to some organisations more than others. However, compliance with required regulatory bodies and legal obligations, like the GDPR, expand all businesses and sectors and boil down to keeping all personal and sensitive data secure.

Each business and organisation may have unique security requirements, however, there is a fundamental requirement, shared by all businesses, to protect the data that they hold -no matter what.

This is irrelevant of the circumstances surrounding the disclosure of the data. As can be seen from the threats described above-they may vary with regards to how they unfold but data is at the centre of all of them.

Hence, the urgency to protect the data! If there is only one security control that businesses are prioritising- it’s data encryption. It may be one security control but it solves the heart of the problem.

In all these threat circumstances, securing the data itself renders it useless to the attackers (even if they get a hold of it). The data remains secure and private and there’s no possibility of a breach!

Data Protection goes beyond the GDPR

It’s important to remember, even with GDPR persisting in the headlines, that data protection and security challenges facing businesses extend beyond GDPR alone.

The GDPR has had a major influence on the changes we are seeing. Where once security was isolated to the IT department it now engulfs the entire organisation and all their subsidiaries across the globe.

The GDPR and heightened cybersecurity threats, jointly, have underlined the need for data protection. Data security issues and threats have always been present (and will persist), but the GDPR has lead businesses to realise their serious implications, encouraging them to do what’s necessary and right- protect the data!

 

Well thought out solutions, like Galaxkey, protect the data itself in transit and at rest for its entire lifecycle, no matter how it’s communicated or stored. Functionalities for granular access control, authentication, classification, authorised data distribution, integrity, anti-spoof and compliance (amongst others) allows organisations to address these security challenges and more. Moreover, Galaxkey complements other solutions so that a good multi-layered security approach can be used to tackle these security challenges that businesses are facing, head-on, today and into the future.

Leave your comment

Please enter your name.
Please enter comment.