EU data privacy changes – is your business ready?

By Paul McEvatt - Information Security

In March this year, hackers broke into the computer networks of some of America’s most prestigious law firms including Cravath Swaine & Moore LLP and Weil Gotshal & Manges LLP, both of which represent some of the biggest companies in the world.

The Wall Street Journal, which broke the news, reported that hackers usually steal large amounts of data and then analyse it to see how it can be used. Personally identifiable information has a much longer shelf life than credit card data for cyber-criminals, because such information rarely changes. It is also easy to see how information stolen from a legal firm could be used to disrupt merger and acquisition activities, or sold at a premium.

And while most firms will go to great lengths to keep any cyber-breach a secret, the real issue is that many companies don’t realise their systems have been compromised until it’s too late.

As such, there is still uncertainty as to whether the information will be used for insider trading – a worrying thought.

Can data regulation help?

While law firms are reluctant to publicly identify themselves, soon they will have to admit to data breaches whether they like it or not. This is due to the EU General Data Protection Regulation, which will come into effect in 2018. The new regulation will require any business in the EU to report a breach to its Data Protection Authority within 72 hours of becoming aware of it. This should encourage more companies to review their security controls, with more stringent security practices applied to sensitive company data.

Businesses should also be given advice and guidance on the interpretation of, and the protection required to meet, the new harmonised data protection requirements. Larger ICO fines and increased awareness should create a much better understanding of what data businesses hold, its value to the business and the controls required to protect these assets.

But is this enough?

In a word, no. It will never be enough. It’s often said that cyber security is an arms race, and it’s certainly true that the threat landscape is constantly evolving; therefore, so should defences and mind-set.

Cybercriminals can misuse data obtained through extortion, identity theft or gaining access to networks using social engineering tactics. While many attacks might be due to systems not being secured correctly, others are the result of skilled, determined attackers.

We can only expect cyber-criminals to increasingly target industries that hold vast amounts of personal data like legal, education and healthcare sectors.

This means the industry needs to continually keep pace with the threat landscape by innovating and bringing to market capable defences, and organisations need to implement them. Many organisations will find they cannot do this alone and will seek to use virtual or advanced iSOCs to augment their existing security personnel.

So what now?

Businesses should share threat intelligence and information with other companies, especially those in the same sector. This doesn’t mean sharing intimate details of a company’s security ecosystem, but instead sharing insight on how threats have been found and defended against. The UK Government CiSP initiative is a great starting point for businesses to share and leverage threat intelligence, and it has specific special interest groups by sector. Fujitsu are active members of CiSP and the Government CERT UK Fusion Cell, as we see the importance of sharing within the cyber security community and in turn helping to protect UK PLC.

Organisations also need to take a proactive approach: they must be prepared to hunt for threats in their logs and to spot, react to and defend against a breach quickly. Complementing traditional security with next-gen threat monitoring, user behaviour analytics and SIEM services, alongside good security personnel, will go a long way towards deterring cyber-criminals. This should always be partnered with an effective incident response programme, with regular crisis communication exercises run in preparation for a real-life cyber-attack.

Finally, businesses should consider security education as part of the company’s training schedule. Each employee has their part to play in keeping assets safe, so it is vital that security training and empowerment occur from the top down.

Find out more about Fujitsu’s ‘Secure Thinking’ solutions and services offering.
