On May 25, 2018, the EU General Data Protection Regulation will come into force. It is the brainchild of ENISA (the European Union Agency for Network and Information Security) to stem the increasing number of reported data breaches, especially those relating to online systems and services. As the examples in the table show, no organization is safe and the results of such a breach should not be underestimated.
| Date | Organization | Incident | Consequences |
|---|---|---|---|
| 2015 - 2017 | Swedish Transport Agency | The handling of classified information was outsourced to Serbia and the Czech Republic, resulting in unscreened IT workers in those countries having free access to the entire Swedish driver license database as well as to information on intelligence agents, military and police, criminals and witness protection programs | The head of the Transport Agency was fired and fined; two senior Swedish ministers resigned |
| July 2017 | Italian bank UniCredit | Data breach affected 400,000 customers | Fines could be as high as 4% of the bank's total revenue |
| August 2017 | UK National Health Service (NHS) | Hacker group Anonymous breached the patient name database of the NHS "to expose weaknesses" | Data of 1.2 million patients at risk |
| August 2017 | Hertz (France) | Data of 35,000 customers was leaked | Government imposed a fine of € 40,000 ($ 47,200) |
| September 2013 | Vodafone Germany | Insider stole data of 2 million customers | Changing of the passwords and certificates of all administrators; wiping the affected server for security reasons; exposure to potential phishing attacks using the stolen email addresses |
Preparing for GDPR compliance is not easy for many reasons, but Cymulate is here to assist in easing the process. The definition of a data breach under GDPR is broad, including the "accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed."
Furthermore, the threat landscape keeps changing, as the recent ransomware attack vectors WannaCry and NotPetya illustrate. Under the GDPR, if similar attacks were to take place after May 2018, they would qualify as data breaches where negligence was involved and would result in penalties by the European Commission. The conditions under which an incident may be considered a data breach put even more pressure on organizations to protect their data.
A recent Veritas report illustrates how prepared enterprises currently are. The findings show that 31% of those surveyed think their enterprise is already GDPR compliant, while only 2% of respondents are actually compliant. Half of the respondents stated that they do not have full visibility for identifying personal data loss incidents. In many cases, former employees still have access to data, and 60% of the organizations do not monitor internal threats to personal data.
There are several sections of the legislation where Cymulate can assist organizations with their GDPR compliance, in particular Provisions 74 and 76 as well as Article 24, paragraph 1, Article 32, paragraph 1, and Article 35, paragraph 1. The term "controller" refers to a data controller who defines how and why personal data is processed. Such a controller can be any organization, including commercial enterprises, charities and non-profits, as well as governmental agencies. The term "processor" refers to a natural or legal person, public authority, agency or any other body which processes personal data on behalf of the controller.
Provision (74) stipulates: “The responsibility and liability of the controller for any processing of personal data carried out by the controller or on the controller's behalf should be established. In particular, the controller should be obliged to implement appropriate and effective measures and be able to demonstrate the compliance of processing activities with this Regulation, including the effectiveness of the measures. Those measures should take into account the nature, scope, context and purposes of the processing and the risk to the rights and freedoms of natural persons”. This entails that controllers have the legal obligation to conduct a Data Protection Impact Assessment. With Cymulate’s assessment platform, it is easy for controllers to automate the Data Protection Impact Assessment and conduct such an assessment at any time.
Provision (76) details what the mandatory risk assessment entails: “The likelihood and severity of the risk to the rights and freedoms of the data subject should be determined by reference to the nature, scope, context and purposes of the processing. Risk should be evaluated on the basis of an objective assessment, by which it is established whether data processing operations involve a risk or a high risk”. Cymulate’s assessment platform pinpoints weaknesses in the context of endpoint, network and cloud relationships to reveal how an actual attack could play out and how far it could go.
Article 24, paragraph 1, states: “Taking into account the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller shall implement appropriate technical and organizational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary”.
Cymulate’s breach and attack simulation platform can assist the controller with the reviewing and updating of the technical and organizational measures since it provides actionable insights without any false positives.
Article 32, paragraph 1 stipulates: “Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate.”
Article 32, paragraph 1, sub d, details "a process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing". For such testing, assessing and evaluating by the controller and processor, Cymulate's SaaS-based, on-demand assessment platform is the perfect tool: it allows regular assessment of the organization's security posture and its true preparedness to handle cybersecurity threats.
In Article 35 (Data protection impact assessment), paragraph 1, the GDPR states: "Where a type of processing in particular using new technologies, and taking into account the nature, scope, context and purposes of the processing, is likely to result in a high risk to the rights and freedoms of natural persons, the controller shall, prior to the processing, carry out an assessment of the impact of the envisaged processing operations on the protection of personal data. A single assessment may address a set of similar processing operations that present similar high risks." Using Cymulate's assessment platform enables controllers to carry out such an assessment at any time. The on-demand simulations deliver immediate results, with a full picture of an organization's security posture.
In short, Cymulate is here to help you to become and remain GDPR compliant. This allows organizations to intelligently implement fixes to mitigate vulnerabilities in the infrastructure and to prevent actual breaches. These capabilities are especially valuable for organizations of all sizes that are preparing to meet the stringent information security and privacy standards associated with the GDPR. Having all the necessary mechanisms in place to prevent data breaches and to mitigate them on time and in an appropriate way will ensure that the organization is ready for May 25, 2018.
Want to find out if your organization is GDPR ready? Do you want to know if your security posture truly complies with the upcoming GDPR? If yes, sign up for our FREE assessment without any obligation. See for yourself how Cymulate's automated platform simulates continuous attacks on different vectors to locate vulnerabilities, allowing you to mitigate issues and become GDPR compliant.
Is your organization GDPR ready?