How boards can prioritize cybersecurity in corporate governance

Boards are responsible for the health of the company and its ability to fulfill its mission on behalf of its owners. This is why most boards put a lot of effort into effective risk management, with robust processes in place for compliance, financial risks and M&A activities. What they very often fail to do is to incorporate equally robust controls for the cybersecurity of their company’s operations. In fact, a study surveying a large number of board directors shows that risk and security is the area they find most challenging to cope with, yet also an area where they perceive the strategic threat as lower than financial or compliance risks. This is in spite of the spike in cyber attacks hitting businesses globally in 2016, and of the average cost of a data breach having been estimated at about 4 million USD (by IBM). Both the underestimation of the risk posed by cyber threats and the lack of good processes for following up cybersecurity risk as a corporate governance activity are linked to the cybersecurity skills gap, which reaches all the way up to senior leadership and board level.


Getting the cybersecurity processes in place

It is not easy to close the skills gap at any level, but one should also not underestimate what can be achieved through the use of good practices, educating the staff and integrating the approach to risk management into the operations of the company.

Where to find best practices?

Cybersecurity has come a long way, and several standards and practice documents exist, ranging from detailed technical requirements to management processes. Building an information security management system is no easy undertaking, but using a risk-based approach and following the same principles as for other governance structures helps. Making ISO 27001 (an international standard) the basis for your information security management will get you off to a good start. For a practical how-to on building up such a system, see this post: How to build up your information security management system in accordance with ISO 27001

Metrics and Context: the link between operations and strategy

The board cannot look into every aspect of security operations, nor does it (typically) have the expertise to dive into all the details. That is why it is important to develop a robust set of security metrics that can be reported to the board, making sense of the threat landscape, the context and the maturity of the company’s ability to deter, detect and deny cyberattacks, as well as to recover from those that inevitably will outsmart your defenses. Metrics should be developed so that they fit with the greater strategic picture, recognizing that cybersecurity ties into all of the firm’s operations. The set of metrics should thus include the financial perspective (most companies focus a lot on this), the customer perspective (tends to be forgotten in security), the learning and innovation perspective (often handled only at the tactical level, not linked to strategy) and the internal process perspective (sometimes dominating, sometimes not existing at all).

In addition to developing metrics, boards should also be kept up to date on the risk context: what are our most valuable data assets and IT infrastructures? How do we stand with respect to attacker interest (script kiddies? hacktivists? nation states?) Do we have good people management in place, and how does our internal corporate life affect the insider threat? It is the responsibility of the CISO to educate the board enough to make them able both to ask these questions and to understand why they are as important as understanding the strategic fit in an M&A transaction.

The compliance link

Compliance is already on the table, and cybersecurity regulation is taking shape in different jurisdictions. Mapping regulatory compliance requirements to cybersecurity, as well as to data privacy, is key to ensuring compliance in today’s operating environments. In the EU and EEA a new regulation applies from 2018, with strict requirements for most businesses dealing with customer data, yet few companies are ready to deal with it. Bringing the cybersecurity domain into the compliance picture is a necessary cornerstone of corporate governance, and of strengthening board focus. For an overview of the new requirements the General Data Protection Regulation (GDPR) places on businesses, see here: What does the GDPR (General Data Protection Regulation) mean for your company’s privacy protection and cybersecurity?

The people factor

Boards are no better than the people sitting on them; this is why getting technical competence onto boards should be a major priority for stockholders. We are living in the age of digitalization, of machine learning and of cyberthreats: believing that we can deal with this without technical competence at the top of governance as well is simply superstition.

Also, for the processes to work, it is important that everyone has a feel for what secure behaviors are, and what constitutes risky behavior (without reward). Driving security awareness in the corporate culture is also a key factor for directors, and overseeing this as part of risk governance should be a board priority. Almost every breach starts with a social engineering campaign; getting your people on the right side of the knowledge gap is probably the best investment you can make after turning on your firewalls, auto-patching your computers and removing end-users’ admin rights.

To drive awareness effectively, make sure it is suited to its audience, and that it is not a one-off e-learning module to click through. Building a security-aware culture is a change process, not a simple training event: When does cybersecurity awareness training actually work?

Take-away points

These are your talking points from this article – bring them to your next board meeting or coffee break at work:

    Insider Extra: slide deck with implementation tips for your corporate governance processes.

    Testing the cybersecurity maturity through self-reported practices

    Did you read the story about Johnny the Hunter and the publishing house, the one hit by the FileSilo hack? Well, since Johnny was tasked with ramping up their security, he decided to get some idea of their current practices, and of how much the different department managers knew about managing their security risks. He wasn’t all that hopeful. The publishing house was a distributed operation, and key decision makers were spread around the country, some also overseas.

    Whenever he tried to talk to department managers about security, they told him it was all too technical, and one guy even got really hostile, accusing Johnny of being a paranoid security geek and proclaiming he’d rather be a dumpster diver than work with rats like him.

    Johnny the Hunter decided to create a simple web application and have the department managers click through it – basically asking them what practices they had implemented. Perhaps this was easier than talking directly to some of them – like the ones who thought he was a disease-carrying rat of some sort?


    Screenshot of Johnny’s app for asking department managers about practices – starting with a few key processes Johnny felt should be in place.

    Johnny received a lot of answers; the managers were quite enthusiastic about this. They had hired in a security expert from a big consulting house the year before, and he had only talked to them in technical terms (which they didn’t really understand), and left them with a large report which was too hard and too long to read. And the consulting house had charged an enormous amount per hour for doing so – and spent a lot of hours on it.

    After a few questions, Johnny’s app made some improvement suggestions for the managers. One manager, covering the publishing house’s online tech blog, where freelance writers contributed from all over the world, was thrilled with the suggestions he got.

    Here are the suggestions the manager liked so much (shown in the original post as a screenshot of the app’s results page).

    The managers thought this was really helpful. Johnny was happy with the enthusiastic response; this could pave the way for investing in some really helpful assets – like centralized logging, better network segregation and a team that could hunt for the real threats.

    Why Johnny was dumbing it down

    If you work in IT or in security, Johnny’s app may seem extremely simplistic and dumbed down. Johnny the Hunter, however, did not think so. Why? Because he is not working with IT professionals; he is working with “getting my own stuff done” professionals, who think of IT mostly as a necessary evil. Posing the questions like this, in a very simple format, allowed him to connect with the department managers without creating distance, and without forcing them to communicate in an unfamiliar language. Breaking down these barriers is necessary in order to get buy-in for the things the publishing house needs to do – and Johnny the Hunter understands this.

    Test drive the cybersecurity maturity app!

    If you want to try Johnny’s app, it is available for Safecontrols Insiders – log in or sign up, and you can take it for a test drive. Comments are very welcome – either on this blog post, or in an e-mail as specified in the app’s results page.


    5 key success factors for dealing with ransomware – free whitepaper

    Ransomware is by far the fastest growing threat online. Losing your files can feel like so great a loss that paying criminals to give them back can seem like a reasonable thing to do. The problem is that there is no guarantee they will give them back and end the blackmail, and you would be funding organized crime with the money you fork over.


    Dealing with ransomware requires preparation. Although there is no way to be 100% sure of avoiding problems, there are things you can do to reduce the risk of losing to the scammers. These include:

    • Keeping your software up to date
    • Denying unwanted network traffic by using a firewall
    • Knowing how to detect social engineering attempts
    • Avoiding the use of admin accounts for regular users
    • A solid backup policy using offsite and offline storage

    Register as a Safecontrols Insider today and download the free whitepaper, which can help you set up the necessary defenses and prepare for the actions you need to take if cybercriminals get past those defenses and lock down your files anyway.

    Rita the Designer’s Ransomware Litigation Nightmare

    As you are likely aware, ransomware is the fastest growing breed of malware, and it is very profitable for the criminals who run these attacks. Rita the Designer, our fictional web designer and UX expert from the FileSilo story, is running into ransomware trouble. But not of the obvious kind.

    She had been working long hours to finish a project for a demanding client. Still a bit shaky from the FileSilo incident, she was determined not to fall into any security traps. She was a great designer but not so great with contracts and liability, and she knew this. It hadn’t been much on her mind previously, but she was feeling more anxious lately.

    Law firms can point fingers at you for things you never thought about. Rita the Designer was suddenly facing claims from her client’s insurance company. What the h*ll was going on?

    Monday morning a messenger was at her door with a personal delivery: she was being accused of failing to secure the app she had made for the client, causing his users to become victims of ransomware scammers.

    She contacted the client and asked what this was about. They met to discuss things, and she learned that the infections had happened via malicious ad banners. She had never placed any ad banners on the site. The client claimed she must have, because he had not touched the code.

    Rita thought to herself: what if something was fishy with the FileSilo templates she had downloaded? They closed the meeting and she promised to respond to the claims within the week.

    As she stepped out she texted Johnny the Hunter to ask him out for coffee. Johnny met with her right away – after all, he was single and she was attractive enough – and heard her out. He promised to help her look into it.

    The impact of security issues can be hard to estimate. Here a developer is being sued after a client’s end users got infected with malware. We don’t know the end of the story, but we can think of some practices she could have changed to better protect her business.

    • Never trust downloads. Particularly not from insecure sites like FileSilo, with insecure authentication and no integrity checks
    • Include liability clauses in contracts, to define and limit your business’s risk exposure
    • Always run security tests before deployment. Don’t allow injection vulnerabilities to live
    • Prioritize client relationship management; don’t let the first contact about trouble be a letter from your client’s lawyer delivered with your breakfast.
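    Two of these practices, not trusting downloads and insisting on integrity checks, can be turned into a small pre-use check on a template bundle. The following is an added example written for this post, not code from the original story or from any template site: it verifies a downloaded zip against a hash the publisher would have to communicate out of band, and scans the HTML and JS members for script or iframe sources outside an allowlist and for inline scripts that assemble content at runtime, the kind of injected ad-banner loader described above. The archive, the allowed host and the expected hash are constructed for the example.

```python
"""Added example: vet a downloaded template bundle before using it.

Two checks the designer in the story could have run on the zip she
downloaded: (1) compare the archive's SHA-256 against the hash the
publisher advertises out of band, and (2) scan the HTML/JS members for
script or iframe sources outside an allowlist, plus inline scripts that
build content at runtime (document.write / eval), which is how an
injected ad-banner loader typically shows up.

The archive, the expected hash and the allowlist are constructed for
this example; nothing here comes from FileSilo or Web Designer.
"""
import hashlib
import hmac
import io
import re
import zipfile

# Hosts the designer expects her templates to reference (assumed).
ALLOWED_HOSTS = {"cdn.example-templates.test"}

# <script src=...> / <iframe src=...> with an absolute or protocol-relative URL;
# the capture group is the host part.
_EXTERNAL_REF = re.compile(
    r"<(?:script|iframe)[^>]*\bsrc\s*=\s*['\"]\s*(?:https?:)?//([^/'\"\s:]+)",
    re.IGNORECASE,
)
# Inline <script> blocks (no src attribute) and their bodies.
_INLINE_SCRIPT = re.compile(r"<script(?![^>]*\bsrc\b)[^>]*>(.*?)</script>",
                            re.IGNORECASE | re.DOTALL)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def hash_matches(data: bytes, expected_hex: str) -> bool:
    """Constant-time comparison of the archive hash with the published one."""
    return hmac.compare_digest(sha256_hex(data), expected_hex.lower())


def suspicious_references(data: bytes) -> list:
    """Return (member, finding) pairs for script/iframe hosts outside the
    allowlist and for inline scripts that use document.write or eval."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for name in zf.namelist():
            if not name.lower().endswith((".html", ".htm", ".js")):
                continue
            text = zf.read(name).decode("utf-8", errors="replace")
            for host in _EXTERNAL_REF.findall(text):
                if host.lower() not in ALLOWED_HOSTS:
                    findings.append((name, f"external src host {host}"))
            for body in _INLINE_SCRIPT.findall(text):
                if re.search(r"\b(document\.write|eval)\s*\(", body):
                    findings.append((name, "inline script uses document.write/eval"))
    return findings


def vet_bundle(data: bytes, expected_hex: str) -> dict:
    """A bundle is usable only if the hash matches and nothing is flagged."""
    ok_hash = hash_matches(data, expected_hex)
    findings = suspicious_references(data) if ok_hash else []
    return {"hash_ok": ok_hash, "findings": findings,
            "usable": ok_hash and not findings}


def build_sample_bundle() -> bytes:
    """Constructed bundle: one clean page, one with an injected banner loader."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("flip/index.html",
                    '<html><head><script src="https://cdn.example-templates.test/flip.js">'
                    '</script></head><body><div class="card">ok</div></body></html>')
        zf.writestr("flip/footer.html",
                    '<div id="promo"><script src="//ads.bad-banner.test/serve.js"></script>'
                    '<script>document.write("<img src=\'http://t.bad-banner.test/p.gif\'>")'
                    '</script></div>')
    return buf.getvalue()


if __name__ == "__main__":
    bundle = build_sample_bundle()
    # Stand-in for the hash the publisher would print next to the download link.
    published = sha256_hex(bundle)
    print(vet_bundle(bundle, published))
```

    The hash check only helps if the reference hash arrives through a channel the attacker of the download site does not control (the printed magazine, a signed release note); a hash displayed next to the download on the same compromised page proves nothing. The content scan is a heuristic, not a sandbox: it catches the obvious injected loader, not an obfuscated one.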

    How FileSilo ruined Rita the Designer’s Weekend

    Disclaimer: the story about Rita the Designer and Johnny the Hunter is fiction. The filesilo hack is not.

    Rita the Designer was working on a new project and was on a deadline. She was an avid reader of the magazine “Web Designer”, which has lots of great content on UX and design patterns. Usually Rita wouldn’t base her client designs on material from a magazine, but this time she found some really nice UX effects described in the latest issue that she wanted to try out. She created an account on their file share “FileSilo”, and quickly found the free content she could download since she had bought the latest Web Designer issue. When she signed up she used her e-mail address and the password she always used for her non-critical online accounts, which in her opinion was pretty much anything except her banking portal and her insurance portal.

    Rita the Designer was hunting for design patterns on FileSilo, and got caught in the hackers’ net due to their shoddy security and her own lack of awareness and password hygiene.

    Rita downloaded the content, opened the zip file and looked through the templates; all good. She then decided to have a latte at the nearest coffee shop while thinking about the exact transitions she wanted to build into the site. In the coffee shop, she stumbled across a friend from university, who was now a security researcher with an anti-malware company. They started talking about their latest gossip. The security researcher, Johnny the Hunter, told her he had a new girlfriend he had met on Tinder, and that work was a bit slow right now. He had recently gotten a contract with a publishing house to help secure their web infrastructure, but he hadn’t started yet. Rita told him excitedly about the new UX transitions she had found in Web Designer, and that she had downloaded the templates from FileSilo, ready to implement. The customer was expecting the first conceptual design by the end of the week, so she expected to spend a lot of time working this week.

    She got back to her studio office and started playing with the transitions; they looked very good, and she was impressed with the usability of the templates without much fiddling around. On Friday, she met with the client and showed him three different implementations; they were equally impressed with all of them, finally selecting her green design with a flip effect for their new landing page.

    Rita went back to the coffee shop to celebrate and get ready for the weekend, having worked like a maniac all week to get the design concepts done. She looked at her phone and discovered she had two new emails. The first one was from the guy she had met earlier in the week, Johnny the Hunter, urging her to check her online accounts and make sure she hadn’t reused any passwords on the FileSilo site, because it had been hacked. So what, was her first thought, passwords are stored in encrypted form anyway? The other email was from the Future(!?), stating that the passwords had been stored in clear text at FileSilo, that they were sorry, and that she should go ahead and secure her online accounts.

    OK, at least it is good that they are telling people about the breach at once so I can secure my other accounts, she thought to herself. She should really stop using the same password everywhere. Then she got a text: somebody had logged into her Facebook account. From Kinshasa. Not good. Same password. Another text, from Microsoft: her OneDrive was being accessed. From Taiwan. Worse. OK, time to panic!

    How could this happen?

    Obviously FileSilo had a very shoddy operation going, storing passwords in plain text. The Register has a story on this, with a very fitting photo to illustrate the case. And how could it happen? Complacency, lack of awareness, stupidity? It is very hard to grasp, especially from a magazine in the IT sector! Obviously FileSilo did unfathomably stupid things in designing their downloads page, but another question I’m sure Johnny the Hunter would have for Rita the Designer is “why didn’t you notice all the clues?” Like no HTTPS. Like accepting weak passwords.

    These things happen because knowing what to do isn’t enough; people need to make secure behaviors habits. If not, it is going to slip whenever you are in a hurry. This is why one-off awareness programs aren’t that effective. So, it looks like the publishing house learned some things from Johnny the Hunter. In an email sent out today, they say they’ve done the following since the hack:

    • The site now uses HTTPS meaning all user data is encrypted as it is sent to our servers
    • All site components have been updated to the latest most secure versions and functionality has been added to ensure that future security updates are applied immediately after release
    • All passwords are now fully encrypted using an updated secure algorithm
    • Minimum requirements for password strength have been added to reduce the risk of successful “brute force” attacks
    • ReCaptcha has been added to the registration process to reduce chances of automated hacker/spammer sign ups
    • All staff users with access to subscriber data require “two factor authentication” to log in. This further reduces the risk of hacks where user data could be compromised

    All good practices that should have been there for years. They probably would have been if the company had implemented an information security management system, as it is likely to need once the General Data Protection Regulation applies from 2018.
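    The core failure in the story is password storage. The publisher’s note says passwords are now “encrypted”; what a site should actually do is store a salted, iterated hash, so that a database dump does not yield the passwords and the cost parameter can be raised later without a migration. The following is an added example, not FileSilo’s or Web Designer’s code: a user store built on PBKDF2-HMAC-SHA256 from the Python standard library, with a random salt per record, a constant-time comparison on login, and a transparent re-hash when a stored record was made with a lower iteration count. The usernames, passwords and iteration count are assumptions for the example.

```python
"""Added example: salted, iterated password hashing instead of plaintext.

Shows a self-describing record format, verification with a constant-time
compare, and re-hashing of records made under an older (weaker) cost
setting. Usernames, passwords and the iteration count below are
constructed for the example.
"""
import base64
import hashlib
import hmac
import os

ALGORITHM = "pbkdf2_sha256"
ITERATIONS = 200_000   # cost parameter (assumed); raise it as hardware gets faster
SALT_BYTES = 16


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Return a record of the form alg$iterations$salt$hash (all ASCII)."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)   # unique per record, never reused
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"{ALGORITHM}${iterations}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    alg, iters, salt_b64, digest_b64 = record.split("$")
    if alg != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iters))
    return hmac.compare_digest(actual, expected)


def needs_rehash(record: str) -> bool:
    """True if the record was made with a weaker cost than current policy."""
    alg, iters, _, _ = record.split("$")
    return alg != ALGORITHM or int(iters) < ITERATIONS


class UserStore:
    """Minimal in-memory store; a real site would keep records in a database."""

    def __init__(self):
        self._records = {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = hash_password(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        if record is None:
            # Spend the same effort as a real check so timing does not reveal
            # whether the username exists.
            hash_password(password)
            return False
        ok = verify_password(password, record)
        if ok and needs_rehash(record):
            # The plaintext is only available at login; upgrade the record now.
            self._records[username] = hash_password(password)
        return ok

    def dump(self) -> dict:
        """What an attacker gets from a database dump: no plaintext passwords."""
        return dict(self._records)


if __name__ == "__main__":
    store = UserStore()
    store.register("rita", "correct horse battery staple")
    print(store.login("rita", "correct horse battery staple"))   # True
    print(store.login("rita", "wrong"))                          # False
    print(store.dump())                                          # hashes only
```

    The format carries the algorithm and cost with each record, which is what makes the later upgrade the publisher describes (“an updated secure algorithm”) a routine operation rather than a migration. Note what hashing does not fix: Rita’s reused password was still usable on other sites the moment the plaintext leaked, and a hashed dump of a weak password still falls to an offline guess. Hashing bounds the damage; password policy and the absence of reuse bound it further.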

    Hackers try to trick you into paying ransom using simple JavaScript hijacking

    When people talk about ransomware they typically think about malware that encrypts all of your files using strong encryption, forcing you to fork over money to unlock your files again. Some of these species are quite elaborate, with reinfection routines and integrated botnets. But perhaps hackers can get a higher return on investment (ROI) by using some simple browser hijacking scripts?


    One of the most common and profitable scams in 2015-2016 was the FakeBsod.A malware. According to the Microsoft info page on this ransomware, it accounted for 15% of ransomware infections in the period from December 2015 to May 2016. The malware works by hijacking your browser and displaying a message that you have encountered “BLUE SCREEN ERROR 0x000000000CE” in your browser. Your browser becomes unusable, the address bar does not work, and you cannot close it unless you kill the application. The error message gives a phone number to “Microsoft” for help. If you call, you are asked to pay a certain amount by credit card to “fix the problem”. Of course, forcing the browser to close and then removing the FakeBsod.A JavaScript file from your system is a better course of action. Most users don’t know this, and the JavaScript browser hijacking technique has earned cyber criminals enormous sums of money from users who saw no other option to get their browser back. Note that no files are harmed by the malware; this is an effective scareware tactic that has worked very well for the criminals, with very little upfront investment.

    This particular ransomware is not dangerous, in contrast to cryptoviruses, which can in practice be impossible to recover from without a good backup. It is like a robbery using a water pistol. Still, the criminals manage to steal a lot of money using this malware. It is like other phone scams, but instead of “Microsoft” scammers calling you, they use ransomware as an inbound marketing tool, making you call their call center.
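    Because this scam abuses ordinary browser behaviour (a fake error message, a beforeunload trap, an alert loop, a phone number to call) rather than an exploit, it can be spotted by looking for that combination in page source. The following is an added example, not a signature from Microsoft or any vendor: a heuristic scorer that flags pages where several of these indicators appear together, while a single legitimate use of beforeunload (an unsaved-changes warning) stays below the threshold. The indicator list, the weights and the three sample pages are constructed for the example.

```python
"""Added example: heuristic scoring of FakeBsod-style scareware pages.

The page hijacks nothing at the OS level; it keeps the browser busy with
a fake system error, a navigation trap and a phone number. Looking for
several of those together is a workable detection for a proxy or mail
gateway. Indicators, weights and sample pages are constructed for the
example and are not a vendor signature.
"""
import re

PHONE = re.compile(r"(?:\+?1[\s.-]?)?\(?\d{3}\)?[\s.-]?\d{3}[\s.-]?\d{4}")

INDICATORS = {
    "fake_error":     re.compile(r"blue\s*screen|0x[0-9a-f]{8,}|critical\s+error", re.I),
    "call_to_action": re.compile(r"call\s+(?:now|microsoft|support|technician)", re.I),
    "unload_trap":    re.compile(r"onbeforeunload|addEventListener\(\s*['\"]beforeunload", re.I),
    "alert_loop":     re.compile(r"(?:while|for)\s*\(.*?\)\s*\{[^}]*\balert\(", re.I | re.S),
    "fullscreen":     re.compile(r"requestFullscreen\(", re.I),
    "history_spam":   re.compile(r"history\.pushState\(", re.I),
}
# Assumed weights: a navigation trap or alert loop is rarely benign on a
# page that also claims a system error; fullscreen/pushState alone are common.
WEIGHTS = {"fake_error": 2, "call_to_action": 2, "unload_trap": 2,
           "alert_loop": 3, "fullscreen": 1, "history_spam": 1}
THRESHOLD = 5


def score_page(html: str) -> dict:
    """Return matched indicators, phone numbers found, a score and a verdict."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(html)]
    phones = sorted(set(PHONE.findall(html)))
    score = sum(WEIGHTS[name] for name in hits)
    if phones and "fake_error" in hits:
        score += 2   # a "system error" that asks you to phone someone
    return {"hits": hits, "phones": phones, "score": score,
            "scareware": score >= THRESHOLD}


# --- constructed sample pages -------------------------------------------
SCAREWARE_PAGE = """<html><body onload="lock()">
<h1>BLUE SCREEN ERROR 0x000000000CE</h1>
<p>Your computer has been blocked. Call Microsoft Support now: (888) 555-0142</p>
<script>
function lock(){
  window.onbeforeunload = function(){ return "Do not close this window"; };
  for(;;){ alert("Windows detected a critical error. Call (888) 555-0142"); }
}
</script></body></html>"""

BENIGN_PAGE = """<html><body><h1>Contact us</h1>
<p>Sales: (555) 010-2200. Office hours 9-5.</p>
<script>document.addEventListener('DOMContentLoaded', function(){ console.log('ready'); });</script>
</body></html>"""

# A legitimate unsaved-changes warning uses beforeunload too; it must not be flagged.
UNSAVED_FORM_PAGE = """<html><body><form id="profile"><input name="bio"></form>
<p>Edit your profile. Unsaved changes will be lost if you leave.</p>
<script>
var dirty = false;
document.querySelector('input').oninput = function(){ dirty = true; };
window.addEventListener("beforeunload", function(e){
  if (dirty) { e.preventDefault(); e.returnValue = ""; }
});
</script></body></html>"""


if __name__ == "__main__":
    for label, page in [("scareware", SCAREWARE_PAGE), ("benign", BENIGN_PAGE),
                        ("unsaved form", UNSAVED_FORM_PAGE)]:
        print(label, score_page(page))
```

    The verdict comes from the combination, not from any one indicator: the unsaved-changes page scores 2 for its beforeunload handler and is left alone, while the fake error page scores on every axis. In practice the phone number is the most useful artifact to extract, since it is what the criminals cannot change between campaigns without losing calls.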

    A nice and somewhat more technical post on this type of “phonescamware” can be found here, by Xavier Mertens: https://isc.sans.edu/diary.html?date=2015-10-13.

    Norwegian cyber command warning against supply chain exploitation for F35 project

    The Norwegian general Inge Kampenes (chief of the Norwegian CYFOR, the cyber branch of the Norwegian armed forces) gave a speech on the evening of Monday 20.02.2017 to Oslo militære samfund, where he warned against supply chain threats to large military investments. He brought up the F35 program, and stressed that threat actors may choose to target civilian and military organizations further back in the supply chain in order to threaten the integrity and confidentiality of the project. The military must therefore keep the entire value chain in mind when assessing the cyber threats related to procurement.


    Aerial refueling of F-35 Lightning II Joint Strike Fighters at Eglin AFB, Fla.
    F35 fighter jets require a large number of systems on the ground, ranging from military equipment in the field to administrative IT systems. Breaches in the supply chains of these supporting systems may degrade the performance of the organizations and systems supporting F35 operations. Photo by Mstr. Sgt. Donald R. Allen, US Air Force (public domain).


    This follows several recent media accounts of poor sourcing decisions leading to significantly reduced security for important functions in Norway. One was the Statoil case from 2014, where Indian consultants had access to the production IT systems of a refinery and managed to shut down production by mistake. Another story that recently broke in the media was that the administration of the Norwegian emergency communications network for emergency response units (police, fire departments, ambulances and the authorities) had been contracted to another Indian IT operator, with no form of background checks or security clearance, in breach of Norwegian security law.

    The general is obviously right to be worried about supply chain risks. Suppliers are outside your direct management control, and this is particularly true for large and complex value chains: the deeper you go into the web of suppliers and sub-suppliers, the less influence and control you have over their practices. This has to be handled through contract requirements, auditing and a common understanding of priorities. Understanding the risk context is key to prioritizing the right controls, and this is at the core of supply chain threat management.

    Key points the general should preach to his colleagues:

    • The project needs a procurement policy covering all purchases, including how suppliers in turn shall handle their own suppliers, and this policy should be made mandatory for the entire project organization: the project owner must be the one calling the shots.
    • The project needs a competence management plan for information security – that covers both internal and external interfaces
    • The project needs a risk and vulnerability study that covers supply chain effects: the suppliers may be targeted due to activity in other risk contexts, thereby damaging the project’s security by collateral damage
    • The project should plan for coordinated security monitoring in the operations phase where applicable, and plan response accordingly. Patch management should be part of the delivery plan.

    Free infosec crashcourse for insiders

    Safecontrols is now giving away free stuff – like an 88-page slide deck covering the basics of cybersecurity, from networking to attack surfaces, from risk assessments to incident response and secure development. All you have to do to get your hands on this resource is to sign up as a Safecontrols Insider.

    summary_crash
    Get a crash course slide deck that covers the basics of cybersecurity – you get 88 pages of best practice and background knowledge for free. 

    More great stuff will be shared in the future, so don’t miss out!

    Sign up now, and share this blog post with your friends and colleagues. 


    Users: from threats to security enhancers?

    Security should be an organization-wide effort. That means getting everyone to play the same game, requiring IT to stop thinking about “users as internal threats” and start thinking about “internal customers as security enhancers” instead. This can only be achieved by using balanced security measures, involving the internal customers (users) through sharing the risk picture, and putting risk-based thinking behind security planning to drive rational and balanced decisions. For many organizations with a pure compliance focus this can be a challenging journey, but the reward at the end is an organization better equipped to tackle a dynamic threat landscape.

    Users have traditionally been seen as a major threat in information security settings. The insider threat is a very real thing but this does not mean that the user is the threat as such. There has recently been much discussion about how we can achieve a higher degree of cybersecurity maturity in organizations, and whether cybersecurity awareness training really works. This post does not give you the answers but describes some downsides to the compliance oriented tradition. The challenge is to find a good balance between controls and compliance on one side, and driving a positive security culture on the other.

    wp-image-10420430jpg.jpg
    Locking down users’ tools too much may enhance security on paper – until you consider the effect of trust erosion on the human attack surface. When knowledge workers feel they are not trusted by their organization, they also feel undervalued, something that can create hostility towards management in general, and cybersecurity policies specifically. There is no fun in working in an environment where all the toys are locked down.

    Most accidents involve “human error” as part of the accident chain, pretty much like most security breaches also involve some form of human error, typically a user failing to spot a social engineering attempt where the security technology is also inept at making good protection decisions. Email is still the most common malware delivery method, and phishing would not work without humans on the other end. This picture is what your security department is used to seeing: the user performs some action that allows the attacker to penetrate the organization. Hence, the user is a threat. The cure for this is supposed to be cybersecurity awareness training teaching users not to open attachments from sketchy sources, not to click those links, not to use weak passwords and so on. The problem is just that this only partially works. Some people have even gone so far as to say that it is completely useless.

    The other part of the story is the user who reports that his or her computer is misbehaving, or that some resources have become unavailable, or who forwards spear-phishing attempts. Those users are complying with policy and allowing the organization to spot potential recon or attack attempts before the fact, or at least relatively soon after a breach. These users are security enhancers, going beyond what security awareness training is trying to achieve, which is at least to make users a little bit less dangerous.

    Because people do risky things when possible, the typical IT department answer to the insider threat is to lock down every workstation as much as possible, to “harden it”, i.e. to make the attack surface smaller. This attack surface view, however, only considers the technology, not the social component. If you lock down the systems more than the users feel is necessary, they will probably start opposing company policies. They will not report suspicious activities as often anymore. They will go through the motions of your awareness training, but little behavioral change is seen afterwards. You risk that shadow IT starts to take hold of your business – that employees use their private cloud accounts, portable apps or private computers to do their jobs – because the tools they feel they need to do their jobs are locked down, made inflexible or simply unavailable by the IT department in order to “reduce the attack surface”. So, not only do you risk priming your employees for social engineering attacks (angry employees are easier to manipulate) and making your staff less able to benefit from your training courses, but you may also be significantly increasing the technical attack surface through shadow IT.

    So what is the solution – to allow users to do whatever they want on the network, give them admin rights and no controls? Obviously a bad idea. The keywords are balanced measures, involvement and risk-based thinking.

    • Balanced: there must be a balance between security and productivity. A full lockdown may be required for information objects of high value to the firm and with credible attack scenarios, but not every piece of data and every operation is in that category.
    • Involvement: people need to understand why security measures are in place to make sense of the measures. Most security measures are impractical to people just wanting to get the job done. Understanding the implications of a breach and the cost-benefit ratio of the measures in place greatly helps people motivate themselves to do what feels slightly impractical.
    • Risk based thinking: measures must be adequate to the risk posed to the organization and not exaggerated. The risk picture must be shared with the employees as part of the security communication – this is a core leadership responsibility and the foundation of security aware cultures.

    In the end it comes down to respect. Respect other people for what they do, and what value they bring to the organization. Think of them as customers instead of users. Only drug dealers and IT departments refer to their customers as users (quoted from somewhere forgotten on the internet).

    What does the GDPR (General Data Protection Regulation) mean for your company’s privacy protection and cybersecurity?

    The EU is ramping up the focus on privacy with a new regulation that will be implemented into local legislations in the EEC area from 2018. The changes are huge for some countries, and in particular the sanctions the new law is making available to authorities should be cause for concern for business that have not adapted. Shockingly, a Norwegian survey shows that 1 in 3 business leaders have not even heard of the new legislation, and 80% of the respondents have not made any effort to learn about the new requirements and its implications for their business (read the DN article here in Norwegian: http://www.dn.no/nyheter/2017/02/18/1149/Teknologi/norske-ledere-uvitende-om-ny-personvernlov). The Norwegian Data Protection Authority says this is “shocking” and says all businesses will face new requirements and that it is the duty of business leaders to orient themselves about this and act to comply with the new rules.

    The new EU General Data Protection Regulation (GDPR) applies from 25 May 2018. Make sure you have the right controls in place before that date. This applies to non-European businesses offering services in Europe as well.

    Here’s a short form of key requirements in the new regulation:

    • All businesses must have a human-readable privacy policy: many privacy and data protection policies today are written in legal jargon that is hard to understand. The new regulation requires businesses to state their policies, and describe how personal data are protected, in language that is comprehensible to the user group they are working with, including children if children are part of the company’s target user group.
    • You need to do a risk assessment for privacy and the protection of personal data. The risk assessment must consider the risk to the data subject (the person the data is about), not only the risk to the business. Where the processing is likely to result in a high risk to data subjects, a data protection impact assessment (DPIA) is required, and if the residual risk remains high after mitigation you must consult the data protection authority before the processing starts.
    • All new solutions need to build privacy protection into the design (“data protection by design and by default”). The most privacy-friendly settings must be the default, meaning that by default you may only collect and process the minimum of personal data needed for the purpose, unless the user actively changes the settings to allow you to collect more. This will have large implications for many cloud providers that collect a lot of data by default. See for example here how Google Maps collects location data and tracks the user’s location: https://safecontrols.blog/2017/02/18/physically-tracking-people-using-their-cloud-service-accounts/
    • Public authorities, and private companies whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of sensitive categories of personal data, must appoint a data protection officer (DPO) responsible for overseeing compliance with the GDPR and for communicating with the authorities. Many businesses that handle personal data at scale will fall into this category. It is permissible to hire a third party for this role instead of filling the position with an employee.
    • The new regulation also applies to non-European businesses that offer goods or services to, or monitor the behaviour of, people in Europe.
    • The new rules also apply to data processing service providers and their subcontractors. That means cloud providers must follow these rules too, even when the service is used by a customer who must also comply: both the controller and the processor have obligations.
    • There will be new rules about notification of data breaches, both to the data protection authorities and to the data subjects affected. A breach must be reported to the data protection authority within 72 hours of the business becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the breach is likely to result in a high risk to individuals, the affected data subjects must also be informed without undue delay.
    • The data subjects hold the keys to your use of their data. If you store data about a person and that person asks you to delete their personal data, you must do so unless you have a legal basis for keeping it. You are also required, on request, to let the person take their personal data to another service provider in a structured, commonly used and machine-readable format.

    The new regulation also gives the authorities the ability to impose very large fines: up to 20 million euros or up to 4% of global annual turnover, whichever is greater. This is, however, a maximum and not likely to be the normal sanction. A warning letter would be the start, then audits from the data protection authorities. Fines can be issued, but will most likely stay within the common practice for corporate fines in the country in question.

    Implications for cybersecurity

    The GDPR focuses on privacy and the mechanisms necessary to avoid abuse of personal data. The regulation also requires you to be vigilant about cybersecurity in order to avoid data breaches. In particular, Recital 39 states (see the text here: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=OJ:L:2016:119:FULL):

    “Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

    Article 32 turns this into a binding obligation to implement appropriate technical and organisational measures, taking into account the state of the art, the cost, and the risk to the individuals concerned. In practice this means you should implement reasonable controls for ensuring the confidentiality, integrity and availability of these data and of the processing facilities (software, networks, hardware, and also the people involved in processing the data). It would be a very good idea to implement at least a reasonable information security management system, following good practices such as those described in ISO 27001. If you want a roadmap to an ISO 27001-based management system, see this post summarizing the key aspects: https://safecontrols.blog/2017/02/12/getting-started-with-information-management-systems-based-on-iso-27001/.

    You may also be interested in the 88-page slide deck with an overview of cybersecurity basics: it is a free download if you sign up as a Safecontrols Insider.