What will GDPR mean for cyber security: could it be the answer to unreported cyber-crime?
…And can DNS security help?
Herve Dhelin, EfficientIP
It’s estimated that two thirds of organisations have suffered a data breach in the last year but it’s safe to presume that the actual number of cyber attacks is much higher.
There are still many businesses who simply aren’t aware of incidents, or that don’t have the technology or processes to identify or respond to a breach. For example, our Global DNS Threat Survey shows that only 27 per cent of UK organisations are aware of the different types of vulnerabilities – such as DNS Tunneling, where the DNS protocol is used to steal data.
However, no one can afford to ignore the upcoming GDPR (General Data Protection Regulation), which will further strengthen the protection of EU citizens’ data. It’s coming into force on 25 May 2018, meaning organisations have less than two years to comply.
Companies will be expected to apply new measures including data protection impact assessments, high security standards or implementation of proper privacy policies. And named individuals will need to assume the official role of ‘Data Controller’ and keep records of all data processing activities.
GDPR will also impose a general data breach notification rule, and organisations will have just 72 hours to inform appointed authorities about what’s happened and how much data has been accessed. In worst case scenarios, businesses will also be required to inform the public of the data breach. Tough sanctions and significant fines for data loss are expected – up to €20 million or four per cent of annual turnover.
In order to comply, all companies will have to ensure that their departments work together on gathering, handling, processing and storing data – as well as using new tools and technologies and providing security training. Organisations wanting to be prepared for GDPR should ask themselves if they have a compliant plan to protect their networks, data, customers… and reputation.
While this could mean a lot of work for businesses, it’s good news for the security landscape. Cyber security – especially the protection of sensitive data – will play an even more critical role and must be included from the bottom-up, including the DNS layer in particular.
For instance, engineers involved in EU technology projects will have to act according to a ‘Privacy by Design’ approach – of which DNS security is a core tenet. They will have to ensure data privacy is maintained at the highest standards, and data protection settings will need to be inserted into all business processes at a high level by default.
Another example of where DNS security will be key is mobile working. When employees take home their work laptops and mobiles and connect to personal Wi-Fi networks, these devices can become infected with malware – which back at the office, can begin to exfiltrate data via the DNS protocol. However, a DNS security solution that monitors from a 360° perspective from the inside – with a purpose-built layer of in-depth-defense – can protect public and private DNS from both internal and externals threats, regardless of attack type.
While DNS filtration systems can check the reputation of links against a real-time blacklist and automatically verify whether a DNS request originated from a trusted site. But it’s difficult to maintain an accurate list. Other techniques need to be used to analyse and understand the traffic, and be sure the right counter measure is found.
Now is the time to start building a GDPR-compliant infrastructure, which is secure by design and provides sufficient security at the DNS level. Not only will this save companies money and avoid GDPR proceedings, it will – most importantly – install confidence and help protect customers, partners and employees.