The intersection between cybersecurity and data privacy is making front-page news these days. The General Data Protection Regulation (GDPR), adopted by the European Union in 2016 and in force since May 2018, is a comprehensive regulatory effort aimed at protecting consumer data and privacy. Organizations, or "controllers" in the language of the regulation, must put in place "appropriate technical and organisational measures" to implement the data protection principles. There have been other legislative efforts in recent years aimed at consumer protection - the Dodd–Frank Wall Street Reform and Consumer Protection Act in the U.S. being one of them (though some of its provisions have since been removed or eased) - but GDPR has been the most extensive where personal data is concerned.
Worldwide Security Breaches Add Up Quickly
There is good reason, of course, for the need to protect private consumer data. The last two years alone have seen several high-profile security breaches at major global enterprises that exposed the private data of hundreds of millions of individuals. The Equifax breach disclosed in September 2017 exposed sensitive personal information of about 143 million Americans, including Social Security numbers, driver's license numbers and, for a smaller group, passport images. The recently revealed Marriott breach potentially affected the private information of some 500 million people worldwide. Many other security incidents came to light in between.
Breaches are not the only concern. Several media exposés of questionable practices and negligence in managing private consumer data attracted attention - and public outrage - in recent months, evidence that data protection and privacy are more critical now than ever.
Two months prior to the GDPR's effective date of May 25, 2018, the Facebook / Cambridge Analytica scandal broke and generated new headlines around privacy concerns. An app called "thisisyourdigitallife" used the platform's "Facebook Login" feature to vacuum up personal information from those who opted in. Because of Facebook's sprawling network, the 270,000 people who opted in opened up a treasure trove of data on 50 million users (1). Facebook revised that estimate to 87 million users in April 2018, and in October 2018 the count of records said to be affected was reported as two billion. It wasn't the first time for Facebook: in 2013 it admitted exposing information about 6 million users. With GDPR in force, the Irish Data Protection Commission is considering opening a formal investigation into Facebook, and the social network could be fined a maximum of $1.63 billion if found to have breached GDPR. There was also news just last month that Google faces its first GDPR challenge, as consumer groups across seven European countries filed complaints against Google's location tracking.
With billions of compromised records out there, forward-looking security teams are taking regulations like GDPR seriously, as a herald of legislation to come. When an organization can be fined up to 4% of its annual worldwide turnover or €20 million, whichever is higher, the stakes are higher than ever.
GDPR Compliance - Where Deception and Cutting Down on Lateral Movement Fit
Security teams that are looking ahead can make the ability to detect lateral movement a critical part of their data protection strategy. Coalfire recently completed a multi-faceted technical validation showing how Illusive can help organizations meet specific GDPR requirements. Illusive's platform addresses a broad range of cyber risks by alerting teams when an attacker who is already inside the network attempts to move laterally toward critical systems. The Illusive Attack Surface Manager lets organizations preemptively identify and remove unused credentials and connections that would otherwise give an attacker more tools for lateral movement. Illusive forensic data, combined with Attack Surface Manager and Attacker View, gives teams the ability to see an attacker's proximity to crown jewels, create maps, view actions, prioritize options and assess risk. Illusive designs solutions that are lightweight and easy to deploy, use and manage, supporting defenders of all skill levels across industries.
Proactively meeting GDPR requirements is a good starting point for the next iteration of a global cybersecurity strategy. Learn more about how Illusive not only maps to GDPR but can also significantly reduce organizational risk: download the Coalfire assessment, How Illusive Networks Technology Supports GDPR: A Technical White Paper.
(1) "Facebook data theft exploited millions," Boston Globe, March 20, 2018
(2) "The 10 Biggest Data Breaches of 2018...So Far," Barkly, July 2018