If you've worked in IT or Cybersecurity for the past 5 years or so, then you've no doubt seen the trend change from criminals targeting systems, to criminals targeting people. It's simple thinking, but whether a person just hasn't had their coffee in the morning, or is rushing through emails, the potential for human error is high. In short, people are the weakest link in cyber security today! With this new way of criminal thinking, countries around the world have had to institute specific security regulations to protect enterprise data from Phishing, Spoof Emails & other scams designed to steal money and information. The US has adopted NISPOM, and the EU has adopted the GDPR for member states.
Regarding the GDPR, according to Wikipedia:
The regulation applies if the data controller or processor (organization) or the data subject (person) is based in the EU. Furthermore (and unlike the current Directive) the Regulation also applies to organizations based outside the European Union if they process personal data of EU residents. The regulation does not apply to the processing of personal data for national security activities or law enforcement ("competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties"). According to the European Commission "personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address."
We recently held a Webinar with Neira Jones, a notable cybersecurity expert from the EU, in which she addressed digital & regulatory landscape changes, and how Insider Threat Management and the GDPR work hand-in-hand to mitigate the insider threat. Here's a quick summary of the info she shared. Watch Now.
Effective Insider Threat Management is now crucial. Security must be trilateral: People, Process, Technology:
- Trust but verify (your employees are your first line of defense, but also a big risk)
- Monitor & study insider behaviors as attackers study you (think more like criminals)
- Adopt both Proactive and Reactive security strategies
- Automate! (An Insider Threat Management Solution like Proofpoint ITM will help you easily take care of many of the GDPR requirements. Try it Now, free!).
- Don't forget to look at new technologies
- Partnerships will be key
The GDPR specifies organisational and individual responsibilities for organisations responsible for the processing of personal data, the access to that data & the control of the data.
Processing:
- Transparent & easily accessible policies - Article 10.1 - Process & Governance
- Personal data is processed securely - Article 18.1 - Process & Governance
- Verify that measures are effective - Article 18.3 - Process, Monitoring & Governance
- Risk-based technical & organizational measures - Article 27.1 - Process & Governance
- Data Protection Officer - Article 32.b - responsible for application of policies, assignment of policies, staff training & audit.
Accessing:
- Equipment access control - Article 27.2.a - Deny unauthorized person access to equipment used for processing personal data
- Data media control - Article 27.2.b - Prevent unauthorized reading, copying, modification or removal of data media
- Storage control - Article 27.2.c - Prevent unauthorized input of data & inspection, modification, or deletion of personal data
- Data access control - Article 27.2.e - Ensure that authorized persons only have access to personal data according to job need
Control:
- Communication control - Article 27.2.f - Be able to monitor & verify to which bodies personal data has been or may be transmitted or made available to
- Input control - Article 27.2.g - Be able to monitor & verify which personal data have been input into systems, when, and by whom
- Transport control - Article 27.2h - Be able to prevent unauthorized copying, reading, modification or deletion of personal data during tranfer or transportation
- Incident reponse & disclosure - Article 28.4 - Document all facts surrounding breaches of personal data and remedial actions taken for subsequent disclosure
The bottom line? Managing staff to protect data will protect people. Effective Insider Threat Management will go a long way toward regulatory compliance with the GDPR. Regulations will force better behaviors from employees and help manage the Insider Threat. The GDPR shall apply from May 25, 2018.
For complete details about the GDPR, please see our Neira Jones Webinar, Phish, Spoof & Scam: Insider Threat & the GDPR. Watch Now.