News broke today of a Black Hat research report which details major concerns among the Infosec community including critical infrastructure security, nation state attacks, enterprise security risks, and the implications of the NIS Directive and GDPR requirements. Almost half of the respondents cite a foreign power (terrorist organization, rogue nation or large nation-state) as the primary threat to Europe’s critical infrastructure, whilst nearly 40 percent believe that a lack of required skills is the primary reason why security strategies fail, and the shortage is only being exacerbated by GDPR requirements at many organizations. Andy Norton, Director of Threat Intelligence at Lastline commented below.
Andy Norton, Director of Threat Intelligence at Lastline:
“GDPR sets out a legal requirement for the gathering, managing, storing and disposing of personally identifiable information (PII) on European citizens. If you are holding information considered PII on European citizens, you are subject to the GDPR requirements regardless of where you are in the world or where the information is held. The NIS directive is guidance on how providers of essential services and critical infrastructure should apply security controls to their environment in order to make it resilient to attack.
GDPR in effect is ensuring the provision of privacy is treated as critical infrastructure. Many of the articles in GDPR related to securing, auditing and monitoring requirements are taken from the NIS Directive. Much of the frenzied activity to date has been spent on finding out where data is, and whether it is held in a compliant manner. What has not been addressed is the requirement for state of the art, continuous vigilance in the monitoring and auditing of the security controls.
Common place wisdom implies that “the breach is inevitable”, in which case European coffers are about swell massively; GDPR fines could even pay for Brexit. There is a 72 hour ticking clock, and once an organisation discovers a malicious infection into the internal network, they must prove before the clock runs out that the infection did not exfiltrate data considered to be PII. If at the end of the 72 hours they are uncertain about the extent of the compromise they have a decision to make. Either they don’t inform the regulatory body, and risk increased fines if further investigation uncovers PII data was involved in the compromise, or do inform the governing body (the ICO in the case of the UK), and risk customer confidence losses. Organisations need to provision an automated breach defence system, that can prevent and prove no PII data was taken, and that therefore there is no potential for harm and the ICO need not be involved.
Without a state of the art breach defense system, our best advice to organisations is: Get Denial Plans Ready.”