One of the interesting aspects of the introduction of the EU General Data Protection Regulation (GDPR) is the change it requires in how organizations respond to breaches. It obliges an organization to notify its supervisory authority of a personal data breach within 72 hours of becoming aware of it, documenting what happened and its extent, and, where the breach is likely to put individuals at high risk, to inform those individuals without undue delay.
As well as introducing consistency in how organizations behave after a breach, I believe this can bring significant benefits to European businesses: if embraced as a prompt for more effective collaboration, and thus better security practices, it has the potential to limit the reputational and financial damage that breaches cause.
No less important, the GDPR sets the stage for businesses and government organizations to take a proactive approach to security, securing from the inside out, and so improve their overall security posture.
Too frequently, and for seemingly sound business reasons, organizations go quiet following a breach. Sometimes, as we saw with the MySpace and Tumblr account compromises, the news only becomes public years after the fact. There is a perceived need to protect the user base, or to safeguard the brand. In the long term, this lack of openness works against businesses, users and the wider economy.
In my conversations with business executives from around the world, I see a much greater degree of understanding that every business is a target. Even if some still surprise me with the assumption that their organization has nothing of value to hackers, the overall trend is a positive one.
I see a gap, however, in understanding how to craft an effective cybersecurity strategy against what can be a well-funded and smart adversary. This begins with accepting that perimeter defenses are not enough. The mindset needs to switch to assuming that attackers can and will get inside the network, so defenses must focus on crippling their ability to move laterally, detecting and stopping their internal reconnaissance, and locking down access to whatever it is they are after. This is proactive security.
Organizations that have lived through a large-scale breach are, afterwards, better informed about how such a breach happens than those that have not. They understand which security measures were circumvented and how the attackers moved around inside the network. They have had to recover quickly and deal with customer concerns, all the while under extreme pressure. It follows that they are better equipped to contain future attack attempts.
I have been impressed to see that, informally or formally, organizations are coming together to share their breach experiences and the hard-won knowledge that came with them with industry peers. Whether it is via formal research, such as that conducted by the Guardian, or person-to-person networking, knowledge sharing is key to raising collective levels of security savvy. There are clear benefits to even greater sharing: by starving hackers of 'product', we reduce their funding and thus the attractiveness of being in the breach business.
Given its requirement to report a breach promptly rather than years later, we should grasp the opportunity that legislation such as the GDPR provides to promote this greater level of sharing. Breaches are not just about email addresses in the wrong hands. As we saw in Ukraine, where the December 2015 attack on power distribution companies cut electricity to hundreds of thousands of customers, the objective can be far more serious: disrupting critical infrastructure across a large part of a nation state.
So if legislation forces us to be more public about when a breach occurs, I believe we should embrace it and take it a step further, for the good of the industry and economy and to protect our customers better. Sharing, not silence, might be a better way.