#Cybersecurity, the protection of data, is one of the fastest growing challenges that we face in the world, and insider threat, a significant part of cybersecurity, is an increasing issue for governments, companies and nations alike. As we move closer to the new European Union General Data Protection Regulation (the #GDPR), which will apply from 25 May 2018, we will see data protection become part of the CEO and boardroom agenda and move away from being seen as purely an IT issue. Let’s take a closer look at GDPR and who it may impact.
GDPR Impacts Business who Provide Services in Europe
A business whose activities involve the processing of personal data will need to comply with the GDPR, regardless of whether the data is processed in the EU. Therefore the GDPR applies to businesses that:
Provide goods or services to individuals in the EU (irrespective of whether a payment is required)
Monitor the behaviour of individuals in the EU
Have data processing activities within the EU
Have an office in the EU
Run a website that enables EU customers to order goods or services in a European language (other than English) or allows payment in euros
Run a website that mentions customers or users in the EU
Track individuals in the EU on the internet and use data processing techniques to profile individuals in order to analyse and predict personal preferences, behaviours and attitudes
The GDPR law provides clear, uniform data protection that:
Builds legal certainty for businesses and enhances consumer trust in online services
Increases the rights of individuals
Strengthens the obligations of companies to protect personal data
Dramatically increases sanctions in case of non-compliance with powers to impose fines of up to €20,000,000 or 4% of the total worldwide annual turnover
GDPR will increase the risk of class actions, criminal sanctions and reputational damage, and regulators can impose a ban on processing or the suspension of data transfers. Therefore, complying with the new GDPR laws is not optional.
GDPR Highlights the Need to Control Insider Threat
Organisations will be required to adopt significant new technical and organisational measures to demonstrate their GDPR #compliance, and this involves moving beyond IT protection solutions to considering the human element. Why? Because the IBM X-Force 2017 Cyber Security Intelligence Index identified that in 2016, 58 percent of attacks were instigated from within the company, whether by malicious or accidental intent, versus 42 percent by outside hackers. It is important to note that, unless a DoS attack has taken down a website, outside hackers gain access through internal human error, ranging from IT not patching software to staff members accessing malicious websites. Thus #insiderthreat statistics are often a lot higher.
Taking a closer look at Verizon’s 2016 Investigation Report on Data Breaches will show how its results also link to insider threat.
Phishing continued to trend upward, and the image below provides some interesting information. Phishing attacks are successful when an employee clicks on the malicious link, and this is what we refer to as an insider threat.
The data also shows 916 confirmed data losses in 2016, and that 63% of #databreaches involved weak, default or stolen passwords. These are accidental insider threats that pose a risk to the protection of data and to GDPR compliance.
Insider and Privilege Misuse
The image below shows the percentage of these breaches where multiple actors are present, of which 77% lie within the business.
This category is often referred to as the disgruntled current or former employee, contractor or business associate. The access and privilege level of the individual correlates with the damage caused: for example, they may have access to intellectual property, designs, information security practices, data and computer systems. The threat may involve #fraud, the #theft of confidential or commercially valuable information, intellectual property, stolen designs and databases, and sabotage of computer systems.
Verizon’s investigation of insider and privilege misuse shows 10,489 total incidents with 172 confirmed #datadisclosures. When we consider the top 3 industries of Public, Healthcare and Finance and equate this to GDPR fines.
These are just two examples of cybersecurity issues and data breaches that involve insider threat. It is critical that any company that has to comply with GDPR pays equal attention to the danger that lies within the company; until they begin to tackle the people element of cybersecurity in alignment with IT solutions, data breaches will continue with increasing prevalence.
Consider the following to add additional security for data protection:
1. Use the NIST framework to build a Cyber Risk Management Program
2. Implement IS compliance, risk management and data protection impact assessments to identify and mitigate risk
3. Improve your recruitment and vetting process, to ensure high quality of staff
4. Build a motivating onboarding process to reduce turnover and potential loss of IP
5. Measure the effectiveness of cyber processes and procedures training to mitigate accidental attacks
6. Actively assist leaders to reduce the number of disgruntled employees to mitigate malicious attacks
7. Encourage reporting of cyber breaches
8. Classify and encrypt sensitive data
9. Gain visibility and remote control over who can access confidential files
Universal Data Protection assists small and medium-sized enterprises in protecting their data through audits, awareness training, insider threat technologies and providing data protection officers (#DPO) as a service.
Author: Tanya Harris