Post on 11-Jul-2020
More Than Checkboxes: Tackling the Overlooked Aspects of GDPR
Oleg Gorobets, Senior Global Product Marketing Manager, Kaspersky Lab
THE EVOLUTION OF CYBERTHREATS
[Timeline chart, 2003 to 2017, of damage from attacks: viruses and worms (nuisances); spyware, phishing and botnets (cyber-crime); APTs, zero-days and wipers (professional cyber-espionage); the next stage is marked "?".]
We understand global IT & business trends and the threats they bring!
[Slide: map of IT and business trends alongside the threats they bring.]
Trends: consumerization & mobility; increasing online commerce; critical infrastructure at risk; machine learning; personal data; cloud & virtualization; privacy & data protection challenge; fragmentation of the Internet; cars become smarter; connected cities; Internet of Things; compliance; risk analysis; data as …
Threats: mobile threats; criminal currency; massive data leaks; decreasing cost of APTs; commercialization of APTs; supply chain attacks; cyber-mercenaries; "wipers" & cyber-sabotage; targeted attacks; financial phishing attacks; ransomware; malware for ATMs; attacks on PoS terminals; merger of cybercrime and APTs; targeting hotel networks; hacktivism; vulnerable connected cars; ransomware in targeted attacks; threats to smart cities; attacks on smart cities; IoT botnets.
THE ‘NEXT GEN THREATS’ MARKET PHENOMENON
Both IT and commercial advances provide new opportunities for attackers. The result is a booming threat landscape that affects a great many businesses.
THE AVERAGE FINANCIAL IMPACT OF A DATA BREACH
[Chart: breakdown of breach costs by category for SMBs and enterprises. Source: IT Security Risks Report 2017, Kaspersky Lab. Base: 1,229 SMBs / 919 enterprises suffering at least one data breach.]
SMB: average total impact $87.8k; the individual cost components shown range from $7K to $13K.
Enterprise: average total impact $992k; the individual cost components shown range from $78K to $134K.
Cost categories shown include compensation, damage to credit rating/insurance…, lost business, improving software & infrastructure, new staff, and additional internal staff wages.
PERSONAL DATA: NO PERIMETERS, NO BORDERS
PERSONAL DATA IS EVERYWHERE
PERSONAL DATA HAS BECOME A COMMODITY FOR CYBERCRIMINALS TO STEAL AND TRADE
ITS COMPROMISE CAN GRAVELY AFFECT PEOPLES’ LIVES
THE ACUTE NEED FOR DATA PROTECTION DRIVES NEW LEGISLATION
THE NEED FOR COMPLIANCE DRIVES SECURITY NEEDS
GDPR is a LAW
• GDPR applies in Europe from 25 May 2018.
• GDPR treats the protection of personal data as a fundamental right.
• It affects businesses anywhere in the world that handle the personal data of individuals in the EU.

What an organization needs to do:
• Get consent from data subjects for data processing (or establish another lawful basis)
• Locate and classify your sensitive data
• Create an accountability process and establish data storage
• Prevent data breaches
• Report data breaches
• Control data flow

Penalties: under GDPR, organizations can be fined for infringements up to 4% of annual global turnover or €20 million, whichever is greater.

Breach notification: under GDPR, notifying the supervisory authority becomes mandatory in all member states where a data breach is likely to "result in a risk to the rights and freedoms of individuals". This must be done within 72 hours of first having become aware of the breach.
THE NUMBERS TALKTALK FOR THEMSELVES
Breach:
• 157,000 customers’ data stolen; multiple security issues
• The ICO issued a £400,000 fine under the Data Protection Act 1998
• Under GDPR, it could become £59mln
Data sale:
• Sold customers’ data, fined £130,000
• Under GDPR, it would become £4mln
Source: The Register, ‘Last year's ICO fines would be 79 times higher under GDPR’
TOP IT CONCERNS
Most concerning IT security-related business issues (base: 5,274 respondents; IT Security Risks Report 2017, Kaspersky Lab):
  69%  Data protection
  43%  Security issues of cloud infrastructure adoption and business process outsourcing
  42%  Business continuity
  39%  Cost of securing increasingly complex technology environments
  38%  Ensuring compliance of staff with security policies and regulatory requirements
  35%  Relationships with partners/customers
  33%  Security issues of mobile devices and BYOD trends

Top 3 security challenges related to each business issue:
• Data protection: data loss/exposure due to targeted attacks 39%; electronic leakage of data from internal systems 32%; physical loss of devices or media containing data 28%
• Cloud adoption and outsourcing: incidents affecting suppliers that we share data with 17%; incidents affecting third-party cloud services we use 17%; incidents affecting IT infrastructure hosted by a third party 18%
• Business continuity: viruses & malware 19%; loss of access to internal services 16%; loss of access to customer-facing services 15%
• Cost of securing complex environments: identifying/remedying vulnerabilities in IT systems we use 19%; managing security across different computing platforms 16%; incidents involving non-computing, connected devices 13%
• Staff compliance: inappropriate IT resource use by employees 20%; time and cost of enforcing security compliance among employees 18%; fines for not maintaining compliance with security regulations 11%
• Relationships with partners/customers: N/A
• Mobile devices and BYOD: managing security of users' own devices in the workplace 16%; inappropriate sharing of data via mobile devices 16%; physical loss of mobile devices exposing the organization to risk 15%
GDPR: PERCEPTION & REALITY
Common perceptions:
• “Am I subject to GDPR legislation?”
• “One more set of regulations to comply with…”
• “I don’t have personal data, nothing to worry about!”
• “I have strong security! I should be safe!”
• “It’s so complex, I’ll have a hard time explaining the means & budgets to the Board…”
GDPR ASPECTS FOR A COMPANY
• Know your role
• Understand your data
• Train your champions
• Assign a DPO
• Perform gap analysis
• Conduct DPIAs
• Review consents
• Develop and test breach response frameworks
TWO KEY ASPECTS TO START WITH
1. Know your role
2. Understand your data

Roles, Rules and Rights
[Diagram: personal data flows from the Data Subject to the Controller and on to Processor1, Processor2 and Processor3 (one of them across a national border), with the DPO and the supervisory Authority alongside.]
• Data Subject: gives consent; holds the rights of reviewing (access), portability, rectification, erasure (the “right to be forgotten”) and objection.
• Controller: sets the rules (business processes, training, rules for processors) and carries the obligations: data storing, breach detection, notifications.
• Other diagram labels: Business/IT, C2P and P2P (controller-to-processor and processor-to-processor relationships), SCCP (logging, audit).

Data Ws: What? Where? When? Who?
[Diagram: regulated data storage in the centre, reached by User1 and User2 through the file server, endpoint, mobile endpoint, smartphone/tablet, connected storage, portable storage, cloud infrastructure and the perimeter.]
HOW IT SECURITY CAN HELP: KASPERSKY LAB’S VISION
Knowing Your Data is Key
[Diagram: the same asset map (file server, mail server, endpoint, mobile endpoint, smartphone/tablet, connected storage, portable storage, cloud infrastructure, perimeter) showing where personal data can reside.]

DATA PROTECTION FRAMEWORK
Sensitive data protection rests on threat protection (mitigate risks & reduce the attack surface), encryption and security controls, organized in three phases:
• DEFINE & DISCOVER: know what data you have and where you have it. Data discovery tools with ready-to-use compliance dictionaries and custom dictionaries.
• CONTAIN & GOVERN: know where it resides and control it. DLP-based functions, CASB, access rights & security policies, encryption, governed data storage, people & processes.
• RESPOND & REPORT: report breaches & contain incidents. Breach detection/prevention, EDR.
Threat protection (PREVENT) applies inside the infrastructure (endpoint protection), at the perimeter (mail & gateway) and in the cloud (cloud security).

GOVERNING THE DATA
[Table: controls per platform (endpoint, mail & gateway, cloud), each marked as Existing or New.] Controls shown: security controls, file encryption, endpoint detection & response, breach detection & prevention, mailbox data discovery, web control, mail/channel encryption, data discovery, mail & gateway DLP, access rights, encryption, CASB, cloud DLP, breach detection.
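The DEFINE & DISCOVER phase above, and the “Data Ws” (what, where, when, who) slide before it, come down to one mechanism: run a dictionary of personal-data patterns over every place data can live and record where the hits are. The following is an added example of that mechanism, not Kaspersky code and not a real compliance dictionary. The pattern names, the custom dictionary (an assumed CUST-nnnnnn customer-ID format and a keyword list) and the sample sources are constructed for illustration; the checksum validators show why a discovery tool needs more than regexes to keep false positives down.

```python
"""Personal-data discovery with a ready-to-use and a custom dictionary.

Added example, not Kaspersky code. The pattern set, the validators and the
sample sources are constructed for illustration; a real compliance
dictionary is far larger and tuned per jurisdiction.
"""
import re
from collections import defaultdict
from typing import Callable, Dict, List, Tuple

# "Ready-to-use compliance dictionary": generic personal/financial identifiers.
BUILTIN_DICTIONARY = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "iban": re.compile(r"\b[A-Z]{2}\d{2}(?:\s?[A-Z0-9]{4}){2,7}(?:\s?[A-Z0-9]{1,4})?\b"),
    "payment_card": re.compile(r"\b(?:\d[ -]?){12,18}\d\b"),  # 13-19 digits
}

# "Custom dictionary": terms that only mean something to this organisation
# (assumed customer-ID format and keyword list, for illustration).
CUSTOM_DICTIONARY = {
    "customer_id": re.compile(r"\bCUST-\d{6}\b"),
    "health_keyword": re.compile(r"\b(?:patient|diagnosis)\b", re.IGNORECASE),
}


def luhn_ok(number: str) -> bool:
    """Luhn checksum: filters digit runs that merely look like card numbers."""
    digits = [int(c) for c in number if c.isdigit()]
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def iban_ok(iban: str) -> bool:
    """ISO 13616 mod-97 check: A..Z become 10..35, remainder must be 1."""
    compact = iban.replace(" ", "").upper()
    rearranged = compact[4:] + compact[:4]
    numeric = "".join(str(int(c, 36)) for c in rearranged)
    return int(numeric) % 97 == 1


# Categories whose regex is loose enough to need a checksum before reporting.
VALIDATORS: Dict[str, Callable[[str], bool]] = {
    "payment_card": luhn_ok,
    "iban": iban_ok,
}


def mask(value: str) -> str:
    """Keep the last four characters only, so the report does not re-leak data."""
    return "*" * max(len(value) - 4, 0) + value[-4:]


def scan(sources: Dict[str, str]) -> List[Tuple[str, str, str]]:
    """Return (source, category, masked_value) for each validated hit."""
    findings = []
    for name, text in sources.items():
        for dictionary in (BUILTIN_DICTIONARY, CUSTOM_DICTIONARY):
            for category, pattern in dictionary.items():
                for match in pattern.finditer(text):
                    value = match.group(0)
                    check = VALIDATORS.get(category)
                    if check is not None and not check(value):
                        continue  # right shape, wrong checksum: not reported
                    findings.append((name, category, mask(value)))
    return findings


def summarize_by_source(findings) -> Dict[str, Dict[str, int]]:
    """Answer 'Where?': count validated hits per source and category."""
    summary: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for source, category, _ in findings:
        summary[source][category] += 1
    return {s: dict(c) for s, c in summary.items()}


# Constructed sample sources standing in for files found on the asset map.
SAMPLE_SOURCES = {
    "fileserver/exports/customers.csv":
        "id,email,card\nCUST-004211,alice@example.org,4111 1111 1111 1111\n",
    "mail/finance/transfer.txt":
        "Please pay to DE89 3704 0044 0532 0130 00 by Friday.\n",
    "endpoint/Documents/notes.txt":
        "Patient CUST-009912 asked for a copy of their records.\n",
    "endpoint/tmp/orders.log":
        "order 4111 1111 1111 1112 shipped; ticket 1234567890123 closed\n",
    "cloud/docs/README.md":
        "Build with make; no customer data lives here.\n",
}

if __name__ == "__main__":
    for source, category, value in scan(SAMPLE_SOURCES):
        print(f"{source:36} {category:15} {value}")
    print(summarize_by_source(scan(SAMPLE_SOURCES)))
```

Running it reports the customer export (email, card, customer ID), the finance mail (IBAN) and the notes file (customer ID plus a health keyword), while the order log is silent: its two card-shaped digit runs fail the Luhn check and the IBAN's own digit run fails it too. Without those validators the “where is our regulated data” answer would be padded with order and ticket numbers, which is exactly the noise that makes discovery output unusable for a DPIA.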
Security Controls: Make Breaches Less Likely to Occur
Application control
• Can block launch of unsolicited apps (including malware)
• Can be configured to let only whitelisted apps run
Web control
• Can block undesired sites (and categories)
• Can be configured to allow access only to whitelisted sites
Device control
• Can block the use of undesired devices (e.g. USB sticks or network adapters)
• Can be configured to allow only trusted devices to be connected
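Each control above has a weak form (block what you already know is bad) and a strong form (allow only what you have explicitly trusted). The difference matters most for application control, and the following added example shows why; it is illustrative code, not Kaspersky's product logic. The “executables” are constructed byte strings and both policy lists are assumptions: a name-based blocklist is evaded simply by renaming the malware, whereas a default-deny allowlist keyed on the SHA-256 of known-good binaries also stops a trusted program that has been tampered with.

```python
"""Application control: name-based blocklist versus hash-based allowlist.

Added example, not Kaspersky code. The "binaries" are constructed byte
strings and the policy lists are assumptions for illustration.
"""
import hashlib
from typing import Callable, Dict, List, Set

Policy = Callable[[str, bytes], str]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed executables: the content stands in for the real file bytes.
TRUSTED_WORD = b"WORD-PROCESSOR-BUILD-2017"
TRUSTED_NOTEPAD = b"NOTEPAD-BUILD-2017"
DROPPER = b"EVIL-DROPPER"

FILES: Dict[str, bytes] = {
    "C:/Program Files/Office/winword.exe": TRUSTED_WORD,
    "C:/Windows/System32/notepad.exe": TRUSTED_NOTEPAD,
    "C:/Users/alice/Downloads/invoice.exe": DROPPER,
    # Same malware, renamed to look like a trusted program.
    "C:/Users/alice/Downloads/notepad.exe": DROPPER,
    # Trusted program with one byte appended (e.g. a trojanised copy).
    "C:/Users/alice/AppData/notepad.exe": TRUSTED_NOTEPAD + b"\x00",
}

# Policy A: "block undesired apps" implemented as a list of known-bad names.
BLOCKED_NAMES: Set[str] = {"invoice.exe"}

# Policy B: "let only whitelisted apps run": default deny, keyed by hash.
ALLOWED_HASHES: Set[str] = {sha256_hex(TRUSTED_WORD), sha256_hex(TRUSTED_NOTEPAD)}


def blocklist_policy(path: str, content: bytes) -> str:
    """Allow everything except file names on the blocklist."""
    name = path.rsplit("/", 1)[-1].lower()
    return "deny" if name in BLOCKED_NAMES else "allow"


def allowlist_policy(path: str, content: bytes) -> str:
    """Deny everything except binaries whose hash is on the allowlist."""
    return "allow" if sha256_hex(content) in ALLOWED_HASHES else "deny"


def evaluate(files: Dict[str, bytes], policy: Policy) -> Dict[str, str]:
    return {path: policy(path, content) for path, content in files.items()}


def escapes(files: Dict[str, bytes]) -> List[str]:
    """Paths the blocklist lets run that default-deny would have stopped."""
    weak = evaluate(files, blocklist_policy)
    strong = evaluate(files, allowlist_policy)
    return [p for p in files if weak[p] == "allow" and strong[p] == "deny"]


if __name__ == "__main__":
    for path, content in FILES.items():
        print(f"{path:44} blocklist={blocklist_policy(path, content):5} "
              f"allowlist={allowlist_policy(path, content)}")
    print("escaped the blocklist:", escapes(FILES))
```

The two legitimate programs run under both policies; the renamed dropper and the tampered notepad.exe run under the blocklist and are stopped only by the allowlist. Real application-control products key trust on more than a bare hash (publisher certificates, reputation categories, trusted update paths) so that patches do not break the allowlist, but the decision rule is the same: unknown means denied.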
Threat protection is central to avoiding breaches. It rests on three pillars: human expertise, threat intelligence / big data, and machine learning.
LET'S TALK?