A Guide to the Must-Have Security Tools for GDPR Compliance

GDPR requires a comprehensive approach to information security, compliance, governance and risk. Even though security tools are just one piece of the GDPR compliance puzzle, they are an important aspect of protecting consumer data privacy.

Here are eight must-have security tools for maintaining GDPR compliance:

1. Data discovery & classification

The GDPR encompasses everything about data privacy and protection. But to protect the privacy of EU data subjects, you first need to know what types of data you hold within the organization. A data discovery or mapping tool will help you find the data you have and classify it by risk.

You may have data that’s highly sensitive and could be a high risk if leaked or stolen. Sensitive personal data can include:

  • Credit card numbers
  • Birth dates
  • Bank card numbers
  • Healthcare codes
  • Identification numbers
  • Social security numbers/ National ID
  • Names
  • Addresses
  • Phone numbers
  • Financial fields (salary, hourly rate)

Or you may have a lot of data that doesn’t contain personal data at all. Even so, non-sensitive data can be used as leverage by attackers to gain access to your sensitive data. Under the GDPR, it’s essential to have a data discovery or mapping tool that classifies your data into high, medium, and low risk.
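As an added illustration of the discovery-and-classification step (example code, not from the original article or any particular product): a small scanner that looks for the field types listed above in constructed sample records, uses a Luhn check to avoid flagging invoice numbers as card numbers, and assigns each record a high, medium, or low risk tier. The patterns, tiers, and sample rows are constructed assumptions for the example.

```python
import re

# Constructed detection rules built from the article's list of sensitive data types;
# each maps to the risk tier a discovery tool would assign. Tune them for your own data.
PATTERNS = {
    "credit_card": (re.compile(r"\b(?:\d[ -]?){13,19}\b"), "high"),
    "national_id": (re.compile(r"\b\d{3}-\d{2}-\d{4}\b"), "high"),
    "birth_date": (re.compile(r"\b(?:19|20)\d{2}-\d{2}-\d{2}\b"), "medium"),
    "phone": (re.compile(r"\+\d{1,3}(?:[ -]?\d{2,4}){2,4}\b"), "medium"),
    "email": (re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"), "low"),
}
RISK_ORDER = {"low": 0, "medium": 1, "high": 2}

def luhn_valid(digits: str) -> bool:
    """Luhn checksum: rejects most digit runs that only look like a card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total % 10 == 0

def classify_record(text: str) -> dict:
    """Return the sensitive data types found in one record and its overall risk tier."""
    found = set()
    for name, (pattern, _risk) in PATTERNS.items():
        for match in pattern.finditer(text):
            if name == "credit_card" and not luhn_valid(re.sub(r"\D", "", match.group())):
                continue  # a 13-19 digit run that fails Luhn is a reference number, not a card
            found.add(name)
    tier = "low"  # records with no personal data still get the lowest tier, not "none"
    for name in found:
        if RISK_ORDER[PATTERNS[name][1]] > RISK_ORDER[tier]:
            tier = PATTERNS[name][1]
    return {"types": sorted(found), "risk": tier}

def inventory(rows) -> dict:
    """Count records per risk tier, the summary a mapping tool would report per data source."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for row in rows:
        counts[classify_record(row)["risk"]] += 1
    return counts

# Constructed sample rows, as a discovery scan might pull them from a table or file share.
SAMPLE_ROWS = [
    "Order 1001: card 4111 1111 1111 1111, ship to 10 Downing St, ann@example.org",
    "Patient booking: DOB 1984-03-09, phone +44 20 7946 0000",
    "Invoice ref 1234567890123 for consulting services",
    "Employee: SSN 123-45-6789, salary 65000",
]
```

Running inventory(SAMPLE_ROWS) over the constructed rows yields two high-risk, one medium-risk, and one low-risk record; the invoice number is a 13-digit run that fails the Luhn check and so is not counted as a card.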

2. Encryption or data masking

Encryption encodes data so that it can only be read by an authorized user who holds the cryptographic key. When storing sensitive data in a database, such as credit card details or personal data, many organizations opt for encryption. Data can also be encrypted in transit and in use. For example, payment data processed by online merchants is often encrypted in transit using Secure Sockets Layer (SSL) to protect a buyer’s personal data.

Encryption makes it much more difficult for attackers to connect data with its subject. Moreover, if you use encryption to protect data and then suffer a data breach, the EU regulatory authorities may not view the breach as a complete GDPR compliance failure.

3. Security information and event management (SIEM)

Under Article 30 of the GDPR, controllers and processors must keep a record of their processing activities. A SIEM tool can help address this requirement by collecting log data and activity records. The SIEM aggregates log data from systems, networks, and applications and lets an organization correlate it with malicious activity.

Many SIEM tools can be aligned with GDPR requirements and your security policies. A dashboard can be created for security analysts to review and monitor. The security team also uses SIEM logs to identify patterns, detect malicious behavior, and create actionable alerts on security incidents for your organization.

4. Vulnerability and compliance management

According to recent reports, nearly 60% of organizations that suffered a data breach in the past two years cite unpatched vulnerabilities as the main culprit. With looming GDPR penalties for data breaches involving sensitive personal data, it’s clear that vulnerability management should be a core part of your business operations.

Vulnerability and Compliance Management (VCM) tools scan your network for major vulnerabilities and create an action plan and roadmap for remediating weaknesses in your network, applications, and data. These security tools also help you align your information security policies with well-known industry regulations such as HIPAA, PCI DSS, GLBA, FFIEC, and SOX. VCM tools will also show you which types of vulnerabilities are preventing you from meeting these regulations.

5. Next-gen endpoint protection

Endpoints, such as laptops, desktops, and workstations, account for the highest percentage of malware and ransomware infections. Employees are often tricked into opening malicious attachments from phishing campaigns, opening the door for threat actors to infiltrate your environment.

Endpoint Protection Platforms (EPP) go one step beyond traditional anti-virus solutions, using machine learning to prevent malware, ransomware, and even zero-day exploits and attacks. An EPP can also learn the normal behavior of your organization’s endpoints and identify malicious behavior without querying an anti-virus signature database.

6. Data loss prevention

The Ponemon Institute’s Data Protection Benchmark Study found that organizations deal with an average of 20 data loss incidents per day. The same study found that a data leak of 100,000 customer records could cost a company over $21 million.

Data loss can happen to organizations in many ways. Data can be exfiltrated by external attackers, but also by current and former employees who steal it. In fact, almost 85 percent of employees who quit or are fired will take company data with them. Data Loss Prevention (DLP) tools help safeguard your organization against pilfered sensitive data. Like encryption, DLP tools protect your sensitive data in transit, in use, and at rest.

Data masking is another important tool to consider under the GDPR. It hides sensitive data from insiders who have authorized access by presenting them with fictitious yet realistic data. Users can complete their work, but the sensitive values are replaced with substitute information.
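To show what “fictitious yet realistic” masking means in practice, here is an added example (not code from the original article or any product): card numbers keep their issuer prefix and last four digits but get a regenerated, Luhn-valid middle; e-mail addresses keep their domain; surnames map to a pseudonym pool. Outputs are derived with a keyed hash so the same real value always masks to the same fake value and joins across tables still work. The key, pseudonym pool, and function names are constructed assumptions.

```python
import hashlib
import hmac
import re

# Constructed masking key for this example only. Keep a real key in a secret store,
# apart from the masked data set, so users of that data cannot rebuild the mapping.
MASK_KEY = b"example-only-masking-key"

# Small constructed pseudonym pool; a real tool would draw from a larger dictionary.
FAKE_SURNAMES = ["Adler", "Brook", "Castel", "Dunne", "Ekwall", "Falk", "Grieve", "Holm"]

def _keyed_digits(value: str, n: int) -> str:
    """Deterministic digits derived from the real value with a keyed hash, so the same
    input always masks to the same output (referential integrity is preserved)."""
    mac = hmac.new(MASK_KEY, value.encode(), hashlib.sha256).digest()
    return "".join(str(b % 10) for b in mac)[:n]

def luhn_sum(digits: str) -> int:
    """Luhn running total; a number is valid when the total is a multiple of 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch) * 2 if i % 2 else int(ch)
        total += d - 9 if d > 9 else d
    return total

def mask_card(card: str) -> str:
    """Keep first 6 (issuer) and last 4 so reports and formats still work; regenerate
    the middle and make the result Luhn-valid so downstream validators accept it."""
    digits = re.sub(r"\D", "", card)
    if len(digits) < 12:
        raise ValueError("not a card-length digit string")
    middle = _keyed_digits(digits, len(digits) - 11)      # fake middle, one digit short
    candidate = digits[:6] + middle + "0" + digits[-4:]
    fix_pos = len(digits) - 5   # 5th digit from the right is never doubled by Luhn,
    fix = (10 - luhn_sum(candidate) % 10) % 10            # so it can absorb the correction
    return candidate[:fix_pos] + str(fix) + candidate[fix_pos + 1:]

def mask_email(email: str) -> str:
    """Replace the identifying local part; keep the domain so the value still looks real."""
    local, domain = email.split("@", 1)
    return f"user{_keyed_digits(local, 6)}@{domain}"

def mask_name(name: str) -> str:
    """Map a real surname to a fictitious one from the pool, deterministically per input."""
    idx = int(_keyed_digits(name, 3)) % len(FAKE_SURNAMES)
    return FAKE_SURNAMES[idx]
```

Because the mapping is a keyed hash rather than encryption, the real values cannot be recovered from the masked set without the key, which is the property the masked environment needs.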

7. Security automation & orchestration

A lack of security resources and the talent gap in cybersecurity increase the need for security automation and orchestration. Both kinds of tool allow your organization to create efficiencies by leveraging templates and best practices. These templates are designed to map your security policies to GDPR compliance requirements.

For example, if you have employees handling the personal data of EU data subjects, you could apply a security automation rule that checks that the security policies on the employees’ work devices are properly configured. Or, if you have a database holding personal data of EU data subjects, you could run an automation rule that checks the database’s configuration settings. These are just a few of the automation workflows that can streamline your GDPR compliance in the year ahead.

8. Incident response and case management

Organizations typically implement some form of cybersecurity framework that includes the functions of ‘protect, detect, respond, and recover.’ The response and recovery functions are key to GDPR compliance because of the breach notification requirements outlined in Article 33. Organizations must report a data breach that negatively impacts EU data subjects within 72 hours.

It is therefore critically important for any organization to have a well-documented, up-to-date incident response plan and a case management tool. Incident response and case management tools continuously record malicious activity that occurs within your network and build a visualization of the cyber attack kill chain from start to finish. If and when you do have to report a breach to the EU authorities, it’s best that you have a systematic plan and can explain exactly what happened and how it will be addressed in the future.

Incident response and remediation efforts will also help your organization reduce its Mean Time to Respond (MTTR). MTTR is where the rubber meets the road in GDPR breach response: responding to and remediating attacks as quickly as possible reduces the time an attacker or threat is in your environment. The SANS Institute’s 2017 Incident Response Survey found that 82% of surveyed organizations take a month or longer to remediate a security incident. With hundreds and maybe even thousands of threats impacting the organization, it’s imperative that an organization can generate a security incident report in time to meet the 72-hour breach notification requirement under the GDPR. Your incident response and SIEM tools should be able to quickly generate an analysis report that provides detailed information on the impact of a breach.

The challenge

The GDPR’s enforcement date is right around the corner, less than a month away. Only a third of organizations feel they have adequate resources to manage GDPR security controls. You could try procuring all of these solutions now to assist in meeting GDPR compliance, but you would still need to integrate your staff and processes so that they use these security tools effectively. This takes time and can be a significant barrier to adequately meeting every GDPR requirement.

The solution

An accredited Managed Security Services Provider (MSSP) already has these security tools in-house and can help you meet GDPR requirements quickly and effectively in the month ahead. Organizations should consider a security provider with the expertise that comes from working with these security tools daily across a variety of customer verticals and scenarios.