Most information security managers are well aware of the need to comply with GDPR – the EU’s regulation on how organisations manage, store, transfer and delete customer data.
Andy Barratt, UK managing director at cybersecurity specialist Coalfire, examines how the intense focus on compliance with these new requirements, especially at board level, could be leaving some businesses at greater risk rather than less.
The implementation of GDPR next April will undoubtedly encourage firms to tighten security around the way they gather and handle data.
And rightly so. Data breaches are a real threat to businesses’ ability to operate, as well as to the trust that consumers and customers place in them.
But compliance is never the only risk that information security managers need to control and, as companies work to deal with these new regulations, there is a risk that they will become distracted from other potential threats.
There is even a chance that some criminals have already begun looking elsewhere for an easy target.
So what can managers do to ensure that delivering success in one area doesn’t become a recipe for disaster somewhere else?
As any compliance deadline approaches, information security managers should have a plan in place for how they are going to meet the new requirements in good time.
The challenge is to use what resources they have to execute those plans without neglecting any other areas of risk.
With finite budgets and pressure coming from your board of directors – many of whom are currently keenly aware of GDPR – it can be difficult to decide what work should take priority, and what can wait.
In this, the challenge is to meet the hard deadline of compliance without overlooking other everyday tasks like maintaining up-to-date security controls elsewhere.
There’s no doubt that one of the reasons GDPR is being introduced in the first place is the huge hype that has surrounded data in recent years.
Cybercriminals have targeted data either by stealing it for their own purposes or, more commonly, by using the theft to extort money from their victims.
But it is not the only way that cybercriminals can profit from attacking a business.
As data becomes more difficult to steal, point of sale systems are one area that could be ripe for attack.
Point of sale
When cash was king, one way for criminals to make off with large sums of money was an old-fashioned heist.
Targeting businesses with high value sales – such as jewellers’ shops – criminals would use the threat of violence to persuade staff to hand over thousands, or even millions, of pounds of goods.
In today’s world of ubiquitous electronic payments, the point of sale system is now all that stands between a potential criminal and their loot.
When a customer uses a credit card to buy an expensive Rolex watch, for example, staff place all their trust in their point of sale system: a green tick on a screen denotes the transaction has been authorised, so they hand over the goods.
If a cybercriminal can manipulate this system to show that green tick even when no transaction has taken place, they can trick staff into handing over very valuable goods without payment.
And because hacking a PoS system leaves very little signature, the businesses involved often won’t know that anything untoward has even taken place until payments fail to reconcile in the usual way several hours, or even days, later.
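The detection gap described above is a reconciliation gap: the till says "approved", but only the acquirer knows whether an authorisation really happened. The following added example (not from the article or Coalfire) shows a defender-side check that compares the till's approved sales against the acquirer's authorisation records the same day rather than waiting for settlement; the record shapes, field names and sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from decimal import Decimal


@dataclass(frozen=True)
class PosSale:
    """One sale the till displayed as approved (assumed record shape)."""
    receipt: str        # till receipt number
    amount: Decimal     # amount the till showed as authorised
    auth_code: str      # authorisation code the till printed


@dataclass(frozen=True)
class AcquirerAuth:
    """One authorisation the acquirer actually issued (assumed record shape)."""
    auth_code: str
    amount: Decimal


# Constructed sample data: three receipts marked approved on the till, but the
# acquirer only knows about two of them, and one of those is for a different amount.
POS_SALES = [
    PosSale("R1001", Decimal("4250.00"), "A1B2C3"),
    PosSale("R1002", Decimal("7999.00"), "D4E5F6"),   # never reached the acquirer
    PosSale("R1003", Decimal("12500.00"), "G7H8I9"),  # acquirer authorised a different amount
]
ACQUIRER_AUTHS = [
    AcquirerAuth("A1B2C3", Decimal("4250.00")),
    AcquirerAuth("G7H8I9", Decimal("125.00")),
]


def find_unreconciled(pos_sales, acquirer_auths):
    """Return (receipt, reason) for every till-approved sale the acquirer cannot confirm.

    A till approval with no acquirer authorisation, or with a mismatched amount,
    is exactly the signature a spoofed 'green tick' leaves behind.
    """
    by_code = {a.auth_code: a for a in acquirer_auths}
    findings = []
    for sale in pos_sales:
        auth = by_code.get(sale.auth_code)
        if auth is None:
            findings.append((sale.receipt, "no matching acquirer authorisation"))
        elif auth.amount != sale.amount:
            findings.append((sale.receipt, f"amount mismatch: till {sale.amount} vs acquirer {auth.amount}"))
    return findings


if __name__ == "__main__":
    for receipt, reason in find_unreconciled(POS_SALES, ACQUIRER_AUTHS):
        print(f"{receipt}: {reason}")
```

Run against an intraday export from the acquirer, a check like this turns a days-long settlement surprise into a same-shift alert.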
Winning over the board
But ensuring these systems remain secure against fast-developing threats while also complying with GDPR means juggling different priorities, even if those at the top of the organisation are initially only interested in one of them.
The first step is to recognise that GDPR creates an opportunity for those with an information security remit to win their board’s wider support.
With a little skilful encouragement, most directors can be persuaded that compliance and security are interwoven.
Those who are good at managing upwards will be able to use this newfound visibility among the C-suite to show the many very real risks that they handle every day.
By speaking their language and highlighting continuing security threats, a skilful manager can win their board’s backing, and manage their resources appropriately to cover all their priorities.
Negotiating with the leadership team might seem daunting for managers who, until now, have had little experience of working in the spotlight of the board of directors.
But any success in complying with new regulations on time will be short-lived if it means that the risks taken elsewhere have left you wide open to the type of cybercrime that this regulation was designed to guard against.