Written By John Titmus, Director, EMEA – Sales Engineering, CrowdStrike
The need to be GDPR-ready may be attention-grabbing right now, but turn this on its head; would you rather be compliant or protected against breaches? If you more concerned about compliance without understanding the role of security and protection, you may face the ticking of the breach notification clock – 72 hours and counting and the related penalties associated .
Compliance does not equal protection
Fear can be a positive emotion, preventing us from straying into dangerous situations, but it can also be crippling – stopping us from pursuing the correct course of action when required. With the looming GDPR deadline, are businesses seeing compliance as a tick box only activity, or should they be seeing the new regulations as an opportunity to improve their defences against an unprecedented rise in cyberattacks?
A ‘tick box’ mentality might help achieve compliance within the requirements of GDPR, but there is much more that they can do to abide by its spirit. What does that tick in the box really mean? When can you start to celebrate? The truth of the matter is, you are only compliant for that brief moment in time.
Businesses need to demonstrate more than mere compliance: they need to show that they are sophisticated enough to deal with any breach that occurs, and have the right processes in place to minimise the damage and effectively report the extent of the breach. Stating you were compliant when a breach happened doesn’t protect your organisation or your customer data.
Beyond compliance
One of the most high-profile recent breaches – targeting Equifax – highlighted the reputational damage that delayed breach notifications can cause. Under GDPR, any delay will come with a hefty financial cost. The penalties for non-compliance with GDPR are well-known – a fine of up to 4% of revenue or €20m, whichever is the greater. An organisation can still be compliant yet suffer serious financial and reputational consequences from a breach that goes undetected. It’s therefore incumbent upon any organisation to ensure they are not only compliant, but always prepared for any breach. And the only way to build the right defences is to take the focus away from the breach and re-direct it to stopping the malware and demonstrating that you have mature processes in place to help detect, prevent and respond.
The Role of AI in GDPR
The key to defeating cyber attackers is to master huge volumes of data about threats in real time; and this simply isn’t possible without the use of AI due to the volumes of data that need to be processed. To give you an idea of the scale of the analysis, CrowdStrike collects and analyses around 67 billion events every single day. AI is used to access and contextualise all this data in under five seconds providing a real-time view of current threats, organisations need to be protected from.
The real essence of GDPR lies in the ability to demonstrate maturity from both a technical and process perspective, to be able to deal with a breach, should it occur. Harnessing technologies that use automation to operationalise data and artificial intelligence (AI) will make a big impact and also help to approach GDPR with a proactive ‘stopping malware’ mind-set.
AI can provide the ability to scale, provide visibility and therefore protect us at speed, as time can be the enemy. Used intelligently, AI enables us to see what’s happening in the world at any given moment, and to interrogate data to identify indicators of attack (predictive methods) as well as indicators of compromise. When combined with machine learning, it’s an incredibly powerful capability in the fight against hackers; constantly collecting, analysing and adapting security algorithms. Without the ability to understand if there are indicators of compromise in real-time, you will never be able to establish IT hygiene and, more importantly, have a security posture that is ready to face any future threats.
From compliance to security hygiene
Organisations also need to invest in processes to protect data and identify how that data is being accessed. Early warning systems that detect intrusions by external threat actors or insiders trying to gain unlawful access are key – but so are established guidelines for how to respond to a breach, such as isolating infected devices, remediating the estate, and working with legal and PR to formulate the right public response.
Preventative measures are also a fundamental part of the approach. With the rise in IoT, organisations should question which devices are WiFi-enabled and if they really need to be connected. Simple measures like this can ensure that they minimise the chance that they are compromised or become vectors for an attack.
We see this as ‘security hygiene’; a posture that focuses on cross-organisational measures to combat breaches, rather than a narrow focus on point security such as AV or endpoint protection.
Conclusion
Organisations should not fear the 72-hour deadline for breach notification but use this as an opportunity to review their existing processes and security. Achieving this target might mean that an organisation protects itself from huge fines mandated under GDPR, but it also provides the opportunity to make those updates to their technology and processes that may be overdue; being able to discover indicators of attack in real-time and prevent a breach. This might sound like another impossible requirement to add to the already stringent demands of the GDPR, but in fact the right tools and processes, can achieve this easily.
Don’t let fear be your motivation for achieving GDPR compliance. Instead, focus on how your business can give itself – and its customers – the best protection possible.