The incoming General Data Protection Regulation (GDPR) places many demands on organisations to protect personal information relating to individuals such as employees and customers. One fundamental measure concerns the need to have appropriate network and information security controls in place to detect, respond and report data breaches.
Unfortunately, many organisations are still ill-prepared to comply with this important requirement, and with just one year to go until the GDPR is enforced, working out how to address it should be viewed as a foremost priority.
If your organisation is behind in its GDPR preparations, now is the time to start considering the options. Could a cost-effective managed detection and response service be the solution needed to achieve quick, hassle-free compliance and reduce the chance of suffering a damaging cyber-attack?
Why the GDPR means cyber-attacks should be treated as an operational reality
In order to prepare a successful breach detection strategy for the GDPR, it’s important to accept that suffering a cyber-attack is only a matter of time. While preventative security measures such as firewalls and antivirus software, coupled with regular vulnerability assessments and network penetration testing, are vital for reducing cyber security risk, the highly targeted and persistent approach of today’s attacks means that a well-resourced hacker is capable of breaching the defences of almost any organisation.
According to government research, two thirds of large UK businesses have been hit by a cyber breach or attack in the last year [1]. Evidence suggests that small and medium-sized businesses are increasingly vulnerable. Factoring in organisations that have been compromised without even knowing it, the true figures are likely to be significantly worse than those reported.
When evaluating security statistics, much also depends on the definition of a breach. It’s important to recognise that the description outlined in the GDPR encompasses much more than losing personal information. Destruction, loss, unauthorised disclosure of, or access to, personal data also constitutes a breach, which means that organisations must be ready to respond to many different scenarios. In all circumstances, knowing what personal data has been compromised, and how, is key to achieving a successful response.
The value of knowing how to respond to and remediate attacks
In the event of an attack, knowing how to respond to it is almost as important as identifying it in the first place. Among the GDPR’s breach reporting requirements is the need to report a breach to the relevant supervisory authority within 72 hours of becoming aware of it. The information required is comprehensive, including a description of the breach (such as the type and quantity of data compromised), an outline of the likely consequences of the attack and the plans in place to mitigate its adverse effects.
In such a critical scenario, providing the information mandated by the GDPR within the required timeframe is likely to prove seriously challenging, particularly for organisations that lack in-house security expertise and procedures.
Making the right moves is vital, as panic measures may inadvertently aggravate the consequences of an attack. Additional personal information could be compromised and customer, partner and investor confidence shattered overnight.
To compound the pressure on response efforts, the GDPR also requires breached organisations, in some high-risk cases, to notify affected individuals that their personal information is at risk.
Should an attack strike tomorrow, ask yourself whether your organisation has the capability to conduct the highly skilled investigation and response needed to safely overcome it and avoid creating a regulatory and PR nightmare.
A flexible managed detection and response service for your GDPR compliance needs
The stringent demands the GDPR places on organisations to detect and report personal data breaches make it clear that robust breach detection, investigation, remediation and breach reporting capabilities are essential.
ThreatDetect™, the award-winning managed threat detection and response service from Redscan, can help to alleviate the complex task of achieving compliance with the strict breach reporting requirements of the GDPR.
Offering leading security professionals, cutting-edge technology and the latest global threat intelligence as part of one low-cost monthly subscription, ThreatDetect provides the extensive capabilities needed to rapidly identify and report breaches in line with the incoming regulation.
By actively hunting for and investigating threats 24/7 and providing clear information and remediation guidance, ThreatDetect helps to foil criminal attacks, keep personal information safe and reduce the prospect of receiving a crippling GDPR fine.
Click here to learn more about how Redscan’s cyber security solutions support the breach reporting and other network and information security requirements of the GDPR.
[1] https://www.gov.uk/government/publications/cyber-security-breaches-survey-2016