Building a Security Culture in the Age of GDPR

The General Data Protection Regulation (GDPR) will come into effect on May 25, 2018. Updating and harmonizing the framework for processing personal data in the European Union, the regulation is designed to protect privacy, including measures around security.

While much of the coverage of security aspects of the GDPR focuses on the law’s technical aspects and the new 72-hour breach notification requirement it will introduce, it is as important to consider the bigger picture and how it reflects and changes the data protection and security landscapes. 

Specifically, the new regulation will present a valuable opportunity to evolve the industry approach to security from a systems-based approach to a data-driven one.

Mapping data flows is a gateway to security
At its core, the GDPR is about helping people understand their data and encouraging organizations to design their approach to privacy and security around their data practices. The regulation’s endorsement of ‘privacy by design’, centered on the principle that organizations should be thinking about privacy and data protection when systems and products are being developed, presents a valuable opportunity for IT teams to re-evaluate their existing practices around security in an environment where threats are multiplying while user expectations and awareness of data security issues are growing. 

Of course, understanding company and user data has always been the top priority for security teams - it’s at the heart of what they do. With the GDPR, understanding data flows will become an ever more important component of their work.

Security has traditionally been a systems-driven practice, with focus directed at tools such as firewalls, intrusion detection systems and anti-virus services to protect corporate servers. While this approach will naturally remain important, as the number of threats has increased and their nature has been transformed, the GDPR is accelerating the shift towards a different approach.

This begins with understanding the full lifecycle of users’ data: where it lives, how and when you store and process personal information from your customers, how it flows between the different parties, and ultimately how to ensure that it gets destroyed when it is no longer needed.

A data-driven security approach will put organizations in good stead to meet the obligations of the GDPR and give confidence to customers that their personal data is being managed with the appropriate levels of security and confidentiality.

Proportionality is writ large into Article 32 of the GDPR, which sets out the obligations for organizations around the security of processing, but it's only possible to assess potential vulnerabilities and put in place the correct safeguards if organizations understand all the places where data flows and could be exposed.

Moving to a security-aware culture
To tackle data security risks in the world of the GDPR, an organization’s chief security officer and chief information officer will now be partnering with the chief privacy officer — as well as the data protection officer in some cases. While these positions will continue to play a key role in ensuring all their security systems are up-to-date and meet the needs of their organization’s customers, their work can be supplemented by cultivating a broader culture of security within the workplace. This is especially true for smaller organizations, which may have less established security processes.

Organizations will now have to review and likely update some of the ways they classify and manage personal data and safeguard against potential breaches. Fortunately, there are many security tools available, and suppliers can assist with some of the changes.

A security-aware culture will help this review process and nip security issues in the bud — especially considering that a large proportion of data breaches are down to human error. A recent study by Verizon found that 25% of data breaches directly involved an internal actor, largely due to negligence, but it’s equally notable that 80% of breaches resulting from hacking were helped by stolen or weak passwords.

The road to building a data-driven security culture will be different from organization to organization, but there are certain principles to bear in mind: 

  • Tap into telemetry for tracking data flows: Telemetry allows organizations to monitor, log and audit their data flows in a way that meets the standards set out in the GDPR, particularly Articles 32 to 34. That will also need to be extended to third-party suppliers to ensure data processing is monitored through its whole life cycle.
  • Permission management matters: An organization needs to know who has access to the data they store and handle from start to finish. Limiting permissions to only those in an organization who need that data to carry out the service is not only good practice - it is essential.
  • Building trust is a constant dialogue: The GDPR sets out the relationship between data subjects and data controllers by requiring that any processing is preceded by ‘transparent’ communications and also requires that organizations only work with suppliers who can ensure appropriate data protection measures. The dialogue with consumers and suppliers does not end there, but should be seen as part of the ongoing conversation to ensure trust. 
  • Conduct regular tabletop data-breach exercises: Organizations should use the renewed focus on data breaches and reporting timelines in the GDPR as a motivator to conduct an end-to-end exercise simulating a large-scale data breach. This should be done at least annually, each time identifying 2-3 key areas for improvement.
  • Pay attention to upstream and downstream partners: A breach in a partner or supplier can quickly become an organization’s nightmare scenario. It’s important to understand how partners’ access to data stores and networks is controlled, working on the assumption that they have been breached already. A defense should be planned according to the maxim ‘the attacker is already on the inside’.

The GDPR as an opportunity for stronger security
While the GDPR focuses on protecting the personal data of people residing in the EU, it will make a global impact by changing the way companies that operate internationally approach data and privacy across different markets.

Taking the steps needed to comply with the GDPR will require time, resources and, most importantly, a culture shift — but the GDPR and its principle of privacy by design are also an affirmation of the data-driven approach many security teams are already starting to take.

The benefits that the GDPR creates will extend far beyond May 2018. In an age in which data will become increasingly important to our modern lives, the new framework presents a valuable opportunity for collective education about what happens to our data, where it is stored, where it goes and, most importantly, how to keep it safe at every stage. Not only does it mean security will be driven by data — it is security driven by a long-term commitment to earning users’ trust. 
