GDPR

Another Day, Another Significant Data Breach – What We Know About the EasyJet Cyber-attack

Significant data breaches feel like they are arriving with ever-increasing regularity. The latest breach to hit the headlines involved EasyJet. The budget airline announced on 19 May 2020 that it had suffered a ‘highly sophisticated cyber-attack’ that affected approximately nine million of its customers.

Email addresses and travel details had been stolen and 2,208 customers also had their credit and debit card details ‘accessed’. EasyJet became aware of the attack in January 2020 and has informed the UK's Information Commissioner's Office (ICO). It went public now to warn affected customers that they should be on the lookout for phishing attacks.

We ask how such a breach could have occurred and what the implications are for EasyJet.

What are the GDPR implications?

The last thing that the travel industry needed right now was a data breach of this size and scale and the implications for EasyJet could be significant. As we pass the second anniversary of GDPR, we expect the data breach to be the subject of regulator focus. Yet in the UK at least, some of the biggest fines announced for non-compliance with GDPR remain unpaid.

Both British Airways and Marriott International had been facing significant fines, announced in 2019. Yet the ICO has delayed the collection of these fines and has also indicated that it is going to take a lighter touch regarding fines, given that coronavirus has caused great uncertainty and financial pressures. This is by no means a reason to reduce focus on data security, however, and at no stage has the ICO suggested it will let penalties slide completely.

In a statement in response to the EasyJet breach, the ICO said:

“People have a right to expect that organizations will handle their personal information securely and responsibly. When that doesn't happen, we will investigate and take robust action where necessary.”

We’ll await the ICO’s verdict.

Close the gaps in cybersecurity

Even if EasyJet is spared a sizable fine for breach of GDPR, the breach clearly shows that gaps in its cybersecurity defenses were exploited. A financial penalty is one element of GDPR, but there is also the issue of being publicly cited as an organization that failed to protect its customers’ data. As and when the travel industry returns to a more even footing, the impact of this on reputation and in turn the bottom line, is yet to be revealed.

It is highly likely that EasyJet had invested in some of the best cybersecurity solutions the market had to offer, but cybersecurity has never only been about technology. Training and processes are just as important.

Recent Clearswift research with public sector employees revealed that 77% have been given no instructions in how to recognize ransomware. 16% have had no cybersecurity training whatsoever and 13% just once. 25% had either not heard of or did not know what phishing is. It would be surprising if those figures were significantly different in the private sector.

It isn’t clear how the EasyJet breach took place, but assuming it had good cybersecurity solutions in place, the cause must have been a failure in process at some stage that left it vulnerable to attack.

Cybersecurity is something all organizations need to keep under constant review. If an organization’s people, technology or processes cannot withstand potential cyber-attacks, it needs to step up its program to compensate.

Clearswift has a proud record in helping organizations keep their customer data secure whilst in transit. Ask us for a demo to find out more.
Related resources

Lightning can strike twice: Marriott suffers second data breach

The consequences of a data breach: why fines are just the tip of the iceberg

10 Cybersecurity Tips and Best Practices

EasyJet hit with £18bn lawsuit over massive customer data breach

Information Governance, Compliance and GDPR

Clearswift gives you powerful support to ‘find and protect information’

Clearswift’s GDPR solution won the gold award in the Data Security category of the Global Excellence Awards in the ‘Info Security Products Guide 2018’.
Discover, secure and govern. Applying these steps thoroughly keeps an organization’s level of regulatory compliance consistently high. Clearswift’s solutions concentrate the know-how needed to make an organization’s current IT environment invincible, including real-time information monitoring and the application of flexible security options. They immediately detect confidential information both inside the organization and shared in the cloud, and process it into a form that complies with data privacy laws and regulations such as GDPR, HIPAA, PCI and SOX.

Paying the Piper: What we learned from the British Airways fine

The Breach

Truth be told, it was never really a question of ‘if’ but rather ‘when’ a significant fine for GDPR non-compliance would occur. Following the announcement that British Airways has been fined £183m, we have now seen the intent of the Information Commissioner’s Office (ICO) in following through on its promises of substantial fines if businesses are found to be in contravention of the regulation.

While there have been several breaches since enforcement of the legislation began last year, this is one where the business has admitted what happened, and it ticks all the boxes when it comes to personal data being compromised. Consequently, this is the first major ICO fine for a GDPR breach in the UK, which sets the precedent for future behavior. In this case, BA has been fined £183M, which amounts to 1.5% of its worldwide turnover in 2017 and is near the 2% maximum fine. The airline will now have to redouble its efforts to prove that it has a secure infrastructure, in order to begin the process of rebuilding trust with its customers.

The Lesson

With BA still recovering from the reputational damage caused when news of the hack broke, there is now a lesson to be learned from the fine and from the breach itself. BA handled the breach well in that it was picked up relatively quickly, and the alarm was raised correctly following its internal protocols. BA has cybersecurity systems in place that could narrow down, both how the incident happened and, most importantly, who was affected as a result. Unlike the TalkTalk incident where the number of consumers impacted changed on a regular basis, the BA team did its due diligence on the event quickly and efficiently.

Furthermore, BA focused on ensuring that its network was secure from any additional breaches. When a hacker finds one vulnerability in an IT infrastructure it will be exploited to maximum effect – with similar areas being tested for the same weakness. Depending on the vulnerability, the attacker will then look at additional exploits which can be used to maximize their advantage, potentially looking at what other pieces of malware can be introduced. Unfortunately, once malware takes hold of an environment, it often becomes easier to rebuild it from scratch rather than try to take out the infections one by one – if you miss one because it’s hidden, you could end up back at square one in a few weeks’ or months’ time. BA has seemingly taken steps to protect its network from any additional hacks.

The Takeaway

Organizations must realize that a security incident can have far greater repercussions than just the loss of data or an immediate financial impact. Reputational damage and increased costs from auditing are just two other significant items which will occur.

Businesses are now culpable for the data they share with partners as well as the data they hold. With GDPR there is no finger-pointing; shared responsibility is one of its primary tenets. There is no doubt that BA’s fine will have a significant impact and damage shareholder value, leading to some difficult conversations with shareholders and operations directors. We will see what the impact is on sales, and how many people move away from online purchasing. BA will need to spend time and money rebuilding the public’s confidence in its ability to keep personal information safe – something every traveler needs to share before flying. For a smaller company that doesn’t have the luxury of BA’s assets and turnover, a significant fine and the other associated costs could theoretically bankrupt it.

Organizations must learn from this example: firstly, that the ICO has now bared its teeth and is not afraid of handing out substantial fines to household names; secondly, that personal data needs serious protection to ensure that it doesn’t suffer a similar fate to BA’s – and the subsequent consequences. A defense-in-depth strategy is most effective; revisiting the boundary solutions and implementing more stringent policies on the gateways is a good start. Next-generation web gateways such as Clearswift’s SECURE Web Gateway solution and/or SECURE ICAP Gateway can be deployed in both forward and reverse proxy modes and can be used to mitigate advanced threats on web pages. Revisiting the infrastructure to segregate public-facing systems, including the backend systems, to prevent malware infections from crossing onto other parts of the production network is also key. Moreover, firms should seek to build a culture of cybersecurity amongst their staff, and ensure that workers can recognize the warning signs of a breach and that the correct protocols for reporting a breach are in place. It’s essential that you enact these changes sooner rather than later, because if you don’t, you may end up paying the piper too.

The Brexit Backlash: How uncertainty is prompting UK businesses to bolster cyber security defenses

The consequences of Brexit are taking up the lion’s share of the news agenda. The further we delve into the topic, the more confusion arises. And that’s not just in the upper echelons of Government – UK businesses are seeing the pressures mount because they cannot predict what will happen when the UK leaves the EU.

Amongst this uncertainty, however, it appears that organizations are bolstering defenses to offset any potential threat from the would-be cyber-criminal. Our research, which took the views of IT decision makers from UK enterprise organizations, found that over half of those surveyed (53%) had increased their cybersecurity budgets since the announcement of Brexit. The data suggests that while we don’t know for sure where the UK will be once we leave Europe, companies are putting plans in place to deal with an increase in cyber attacks.

The data also revealed the kinds of cyber attacks organizations are preparing for, identifying Malware (49%), Phishing attacks (40%) and Ransomware (40%) as the top three threats to businesses. While these are not new threats to UK organizations, the data suggests that firms are making a conscious effort to get ahead of cybercriminals, who often use uncertainty as a starting point for attacks. It’s positive news that businesses understand the kinds of threats that are associated with such unclear times, meaning they are likely to prepare for the worst ahead of these attacks happening.

The data also highlighted how firms are arming themselves to deal with these attacks, detailing the kinds of security solutions UK businesses are deploying as part of their IT security armory. The largest investment areas were identified as Data Loss Prevention technology (49%), regulation compliance solutions (49%) and security for the endpoint (40%). This is highly reassuring, with businesses clearly having already evaluated the potential threats and identified which solutions are best for mitigating the risks.

It is also critical, however, for organizations to keep up with how these cyber threats are evolving so they can adjust their plans and spending accordingly. For example, images are now a high security risk to organizations, as malicious or sensitive content can be hidden inside everyday image files.

Another key area to bolster the ability to combat cyber threats is investing in employee education and training to ensure that workers have the knowledge to detect threats, understand information security policy and the organization’s breach notification processes. Moreover, it is imperative that firms have software capable of addressing these evolved threats. Clearswift’s Adaptive Data Loss Prevention (A-DLP) solution, a suite of tools created to ensure compliance whilst providing automated protection from threats such as malware, phishing and illicit data transfers, helps firms to detect, identify and address the myriad threats that will arise as a direct result of the confusion that surrounds Brexit. For example, A-DLP can not only redact malicious content from email, attachments or web downloads into the corporate network, it can also ensure sensitive data is detected and prevented from leaking outside of the network. This includes the capability to scan documents, images, web links, and more, to ensure that all forms of communication and file types are safe from risks.

At times of great change, there is always confusion, and at times of great confusion, there are always opportunists seeking to exploit it. The key to securing any company from the threats that will arise because of Brexit is to be prepared, and directly increasing cybersecurity budgets to ensure an organization has the resources it needs to fight against potential threats is the first step.

Cyber Threats & Technology Tips That Your Business Can’t Ignore

As new threats enter the cyber landscape and traditional threats evolve, businesses need to be more prepared than ever for a data breach and have the latest tools in place to mitigate risks.

In the current landscape, outlined below are today’s top cyber threats that your business must be prepared for as well as technology tips that can help prevent them striking.

Data Breach under the GDPR

GDPR is transforming the way businesses store, process and secure sensitive data. With fines of up to €20 million and the risk of crippling reputation damage due to the media attention being received around breaches, it’s no wonder the new regulation has had such an impact across the globe since being enforced in May this year.

Technology Tip: The first step to a GDPR compliance strategy is understanding what sensitive data you work with, where it’s stored and how it’s flowing in and out of your network. Following Clearswift’s Discover, Secure & Govern approach can bring you into compliance with regulations and ensure you remain compliant into the future.

Leveraging an Adaptive Data Loss Prevention (A-DLP) solution, organizations can automatically mitigate sensitive data loss risks across all digital collaboration channels - such as email, Cloud collaboration applications, and endpoint devices - preventing data leaks and unwanted sensitive data acquisition, so that you comply with data protection regulations.

Insider Threat    

The insider threat is, in fact, the most common cyber threat of all – with 65% of security incidents being related to employees. In most cases, insider threat incidents are caused by employees making mistakes, making it clear that there needs to be a reform in the way employees think about data handling. By changing the way employees think about data – and GDPR has been integral in starting this – there will be less risk of them sharing sensitive information accidentally.

Technology Tip:  Clearswift’s Adaptive Data Loss Prevention technology and its associated redaction and sanitization features offer the greatest chance to mitigate data leaks and emails sent in error. The redaction feature ensures any sensitive information contained in the contents of an email, or a document being uploaded to the web, is automatically redacted, meaning those that do make a mistake do not compromise the compliance or security of the organization.
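To make the redaction idea concrete, here is an added illustration (not Clearswift’s redaction engine) of inline redaction on outbound text. It assumes two sensitive-data types, payment card numbers and email addresses, and uses a Luhn check so that reference numbers that merely look like cards are left untouched; the sample message is constructed.

```python
"""Inline redaction of sensitive data in outbound text (added illustration)."""
import re

# Candidate card: 13 to 19 digits, optionally separated by single spaces or hyphens.
CARD_CANDIDATE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")
EMAIL = re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b")


def luhn_valid(digits):
    """Luhn checksum (ISO/IEC 7812) over a string of digits; True for a well-formed card number."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_cards(text):
    """Replace Luhn-valid card numbers, keeping the last four digits for the recipient's reference."""
    def repl(match):
        digits = re.sub(r"[ -]", "", match.group(0))
        if luhn_valid(digits):
            return "[CARD REDACTED ****" + digits[-4:] + "]"
        return match.group(0)    # looks like a card but fails Luhn: leave it alone (e.g. an order reference)
    return CARD_CANDIDATE.sub(repl, text)


def redact_emails(text):
    """Replace email addresses wholesale; a real policy would exempt the organization's own domain."""
    return EMAIL.sub("[EMAIL REDACTED]", text)


def redact(text):
    """Apply all redaction rules to an outbound message body or attachment text."""
    return redact_emails(redact_cards(text))


# Constructed sample: one real-format test card number, one order reference that fails Luhn.
SAMPLE = "Card 4111 1111 1111 1111, order ref 1234 5678 9012 3456, contact jane@example.com"

if __name__ == "__main__":
    print(redact(SAMPLE))
```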

Phishing

Phishing is one of the most common forms of hacking, for both consumers and businesses. Therefore, all employees, including the C-suite, need to know the signs to spot a phishing email – such as email addresses and tone of voice – to ensure that the risk is minimized and cybercriminals don’t gain access to the sensitive information they’re ‘phishing’ for that often results in financial loss.

Technology Tip: In addition to educating employees about anomalies to look out for, technology is integral to mitigating phishing threats. As well as today’s expected standard of security features such as dual anti-virus, anti-malware and active-code detection, Clearswift’s email security solution includes advanced features such as Message Sanitization and Structural Sanitization (active code removal), which disable URLs and other active code in email and attachments, to ensure phishing attacks are thwarted at your organization’s doorstep.

Spoofing

Similar to phishing, spoofing, which is also referred to as Business Email Compromise (BEC), is when an email appears to come from the CEO or CFO asking about money transfers. Because the email appears to come from the top of the organization, employees are more likely to act without questioning, meaning sensitive information such as bank details is shared without anyone internally noticing until it’s too late.

Technology Tip: Organizations should make sure their email security solution has SPF, DKIM and DMARC features (which can detect a spoofed email) and also allows custom rules to be applied to protect employees from BEC. Clearswift’s next-generation email security solution includes these features along with Redaction functionality, which works automatically to remove sensitive data in email and attachments and protects it from being shared outside of the organization, redacting sensitive data that employees might otherwise have shared with a cybercriminal.

Ransomware

As we saw in 2017 with the WannaCry attack on the NHS, ransomware is extremely dangerous and has the ability to take any business back to ‘pen and paper’ as IT has to be shut down. Embedding malicious code and scripts within emails and documents is the most common way of being hit by ransomware.

Technology Tip: Weaponized emails, documents and files can be made safe with Clearswift’s Adaptive Redaction technology built into its email and web security solutions. Working together with the deep content inspection engine, the Message Sanitization and Structural Sanitization features enable the automated detection and removal of hidden active code within email messages and attached files, or documents downloaded from the internet, so any malware embedded by hackers is eliminated before it has the chance to infect a network.

Social Media

There are two sides to social media as a threat to companies. An attacker can ‘phish’ the company via social media, for example, an employee may be sent a Tweet or direct message via LinkedIn containing a link that then activates harmful software. Or, social media best practices are not followed, either by employees on the corporate network or C-suites on their personal accounts, causing damage to corporate reputation.

Technology Tip:  Your web security solution should have the capability to prevent both a social media phishing attack and to prevent anything damaging being posted on social media. Clearswift’s SECURE Web Gateway has the ability to monitor content as it is being shared on social media from inside the organization and then decline or change anything that is not appropriate for posting.

Patching

A major threat to companies will always be out of date software applications. Security vendors release patches all the time and organizations need to keep up-to-date with these to ensure there are no easily-fixed vulnerabilities being exposed. Patching processes should be streamlined to make sure security flaws are caught and amended very quickly; otherwise, it’s an open door for cyber attackers to come in.

Technology Tip: Deploying technology that helps an organization monitor its environment and keep track of where patches have and haven’t been applied to corporate devices is a useful way to assess the company’s attack surface at any given time. This will also ensure that the IT department is on top of any known vulnerabilities and can act faster to get a patch in place.

Minimizing the risks

Having a thorough understanding of today’s cyber threats and how they can impact an organization is the first step in mitigating the risk. Making sure staff understand today’s cyber risks and how to spot them will take the pressure off IT departments constantly monitoring for (and fighting) threats as well as reducing the chance of inadvertent data breaches from happening.

Organizations also need to implement policies and processes to ensure that if a data breach or cyber-attack does occur, employees know what to do. Processes that answer “who do I talk to if I think I’ve clicked on a malicious link?” or “what do I do if I think I have opened a suspicious attachment?” will be integral to ensuring incidents are handled in a timely and effective manner.

While technology is not a silver bullet for tackling today’s cyber threats, it provides a safety net for when mistakes happen and a defense wall for when malicious content tries to get in.

Ready to take the next steps?

With the right email security solutions in place, risks can be minimized without impacting an organization's ability to conduct business. With our guide, Six-Steps to Email Security Best Practice, you will learn how to identify what data to protect, how to establish sustainable security policies, and more.

The Clearswift Information Governance Server: preventing data breaches, supporting compliance

The latest release of the Clearswift Information Governance Server (IGS) product offers new features and Data Loss Prevention (DLP) functionality, as well as the ability to track unstructured classified information and policy enactment. The Clearswift IGS integrates seamlessly with all Clearswift SECURE Gateways and the ARgon for Email product, enabling our customers to detect when information registered within files is in transit internally, or externally leaving the organization.

Working with ‘information’ rather than files or file names, the IGS can detect and block based upon information fragments. This ensures that if a file changes name or even format, for example from a Word document to a PDF, or if an extract is cut and pasted into a new document, the registered information can still be discovered and a security policy applied.

The IGS contains a central repository of information checksums derived from files registered by users or document owners. Files can be easily registered using a web browser or through the improved client application which enables single or multiple file registration.

For organizations that want to automate the search of their Windows file servers, the File Server Resource Manager (FSRM) feature in Windows Server 2008 R2 (and later) can be used to look for sensitive content. If such content is found, the Clearswift IGS Client can register the files automatically with the IG Server – saving time and ensuring that sensitive data doesn’t get missed.

If registered files or fragments of these files (information) are emailed to unauthorized recipients or are shared over the Web to unsanctioned sites, action is taken according to policy. For example, the transfer can be blocked and the person breaking policy, and/or the system admin and/or the document owner, can be notified of the event for further action to be taken. Extensive reporting is available to show information provenance.
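The fragment-based detection described above can be illustrated with content fingerprinting over overlapping word windows (shingles). This is an added example, not the IGS implementation: it assumes a registry of SHA-256 fragment checksums, a fragment size of eight words and a block threshold of three matching fragments, and the registered contract text and outbound email are constructed.

```python
"""Information-fragment fingerprinting: register a document once, detect its fragments anywhere."""
import hashlib
import re

SHINGLE_WORDS = 8   # fragment size; smaller catches shorter excerpts but raises false positives


def normalize(text):
    """Lower-case and keep only alphanumeric tokens so format changes (Word to PDF, line breaks,
    punctuation) do not disturb the fragment checksums."""
    return re.findall(r"[a-z0-9]+", text.lower())


def fingerprints(text, k=SHINGLE_WORDS):
    """Set of truncated SHA-256 checksums, one per k-word window of the normalized text."""
    words = normalize(text)
    return {
        hashlib.sha256(" ".join(words[i:i + k]).encode()).hexdigest()[:16]
        for i in range(len(words) - k + 1)
    }


class InformationRegistry:
    """Central repository of fragment checksums mapped to the document that registered them."""

    def __init__(self):
        self.index = {}   # checksum -> document id

    def register(self, doc_id, text):
        for h in fingerprints(text):
            self.index.setdefault(h, doc_id)

    def scan(self, text):
        """Return {doc_id: number of registered fragments found in text}."""
        hits = {}
        for h in fingerprints(text):
            doc = self.index.get(h)
            if doc is not None:
                hits[doc] = hits.get(doc, 0) + 1
        return hits


def policy_decision(registry, text, threshold=3):
    """Gateway-style action: block when a document contributes at least `threshold` fragments."""
    hits = registry.scan(text)
    blocked = {doc: n for doc, n in hits.items() if n >= threshold}
    return ("block", blocked) if blocked else ("allow", hits)


# Constructed registered document and a constructed outbound email that pastes part of it,
# re-cased, re-wrapped and without the document title.
REGISTERED_CONTRACT = (
    "Project Falcon pricing schedule. The unit price for the Falcon controller is "
    "fixed at 412 euros for the first 10,000 units, falling to 386 euros thereafter. "
    "Payment terms are net 45 days from invoice."
)
OUTBOUND_EMAIL = (
    "FYI - their controller is FIXED at 412 euros\nfor the first 10,000 units, falling to "
    "386 euros thereafter. Let's undercut."
)

if __name__ == "__main__":
    registry = InformationRegistry()
    registry.register("falcon-contract", REGISTERED_CONTRACT)
    print(policy_decision(registry, OUTBOUND_EMAIL))
    print(policy_decision(registry, "Lunch at 12 on Friday, let me know if you can make it."))
```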

Extending the use of FSRM to help with GDPR compliance

In the era of GDPR, where information shared both into and out of the organization needs to be tracked, the Clearswift Information Governance Server can be used as part of a compliance strategy through its ability to work with the Clearswift SECURE Gateways, monitoring and acting upon the sensitive information they process.

In addition, leveraging the Windows File Server Resource Manager (FSRM) interface to detect sensitive content and then pass the file into the IGS for registration adds a further layer of protection for the information in the document - either as a whole or as a part - should it be sent out via one of an organization’s egress points to an unauthorized user.

FSRM can also work without the IGS. Rather than registering documents that contain sensitive terms such as PII or PCI data, FSRM can use another of its features, the File Classification Infrastructure (FCI), which adds custom properties to files. These can subsequently be read and acted upon by the Clearswift SECURE Email and SECURE Web Gateways as the files are processed.

This approach is typically how data classification tools work, as the property is persisted even after the document has been edited and subsequently re-saved.

The Clearswift SECURE Gateways can have policy-based actions based on the properties, including:

  • Stop the transaction from happening (e.g. don’t send the email or upload the file to the web)
  • Permit the transaction and send an alert to the Administrator or the user’s Manager
  • In the case of email, we can use the property as a trigger to encrypt the message

In the case where the properties are used internally and should not be disclosed externally, the Document Sanitization feature (part of our Adaptive Redaction solution) can automatically remove some or all of the properties that are stored in the documents.

A guide to using FSRM and FCI can be found here.

More Information:

Learn more about the Clearswift Information Governance Server

Read our PCI Best Practice Guide Whitepaper

GDPR and the Insider Threat: How new regulations are changing our data handling habits

The General Data Protection Regulation (GDPR) has been covered extensively over the past year and has come to sit at the forefront of employees’ minds. Having been implemented on 25th May 2018, the stories are dying down and it is now ingrained in day-to-day operational processes.

Two months down the line, however, has GDPR made an impact on the way organizations think about data?

Our latest Clearswift Insider Threat Index (CITI) research, which surveyed 400 senior IT decision makers in organizations of more than 1,000 employees across the United Kingdom, Germany, and the United States, suggests that it has made more employees aware of handling data sensitively, with the insider threat going down to 38%, a 4% decrease, in the UK. The trend continues when looking at the extended enterprise, with our research revealing this has gone down by 8% since 2017, now sitting at 65%.

In addition to the UK insider threat falling, Germany also presents the same trend, with employees being held responsible for 75% of cyber incidents, down from 80% last year. However, in the United States, a country outside of the direct GDPR jurisdiction, the insider threat is still on the rise with 80% of cyber incidents occurring due to the extended enterprise.

These findings suggest that EU countries are more aware of the insider threat, and organizations have taken action to ensure their employees are becoming better data citizens post-GDPR. While the threat is going down, it remains a high figure and the top cybersecurity threat to businesses. Therefore, organizations must continue with efforts to secure data and ensure that this trend continues year-on-year.

Continued education

Employees in every department hold some form of sensitive data and GDPR has been instrumental in getting this message across. However, now the regulation has died down from the headlines, it’s important that the message does not go by the wayside and old habits start to creep back in. Regular training seminars and tailored data security workshops will help keep employees up to date about how to safeguard the data they handle and motivate them to continue to care about the ramifications of a breach.

Follow the data protection plan

All the hard work to build an information security plan in preparation for GDPR should not go to waste. Compliance is ongoing, and processes will need to change with the business. Ensure employees are continuing to follow the plan and know how to report any incidents that occur. While the plan may change as the company learns from the different security challenges, it is important to ensure that any amends are communicated to staff and all are following protocol, whether that is reporting an insider incident or how they should be handling data on a daily basis.

Invest in data protection technologies

Whilst the risk from employees handling data has reduced, human error is still inevitable and the insider threat remains high. To protect your organization from the insider threat, Clearswift’s Adaptive Data Loss Prevention (A-DLP) solution has the ability to inspect all content coming into and going out of the organization – whether through email or the web – to prevent any sensitive information being shared with or exposed to unauthorized parties. The document sanitization and adaptive redaction features ensure that GDPR compliance is upheld by scanning all emails and documents flowing in and out of the business, detecting and removing only the critical information which could cause a data breach. With this technology, businesses can ensure that critical information isn’t being sent inadvertently – or maliciously – by staff, and that unwanted inbound data acquisition is prevented.

Additional Information

Clearswift Insider Threat Index 2018

Adaptive Data Loss Prevention (A-DLP)

Weaponizing GDPR: When right to be forgotten gets ugly

It’s estimated that just 61% of UK businesses were ready for the enforcement of the General Data Protection Regulation (GDPR) on 25th May, meaning almost 40% of organizations are not compliant with the new regulation. Many of these companies are in the mindset that the authorities won’t be going after the smaller companies and will instead make an example of the big brands, so they won’t be fined for being non-compliant. However, organizations should be wary of the threat from outside the official enforcers and look to the wider repercussions of GDPR.

An inadvertent and unfortunate consequence of the new GDPR rules is that the right to erasure is now free to submit, meaning it is much easier to have your data removed. With our research revealing that only 34% of organizations have actually successfully completed a ‘right to be forgotten’ (RTBF) request, there is a potential to weaponize the regulation, giving hacktivists a new opportunity to drain a company’s resources and grind the business to a halt.

One request is relatively easy to handle – as long as you know where your data is stored – and can be completed within a month of receiving the request, but if an organization is inundated with requests that come in on the same day, it becomes more difficult to manage. This turns into a backlog which in turn starts to drain resources and, ultimately, can cause any activity within the organization to be stopped or – in some cases – cause the shutdown of the company because of an inability to handle the situation. This is comparable to Distributed Denial of Service (DDoS) attacks, where companies become overloaded with so many requests that their services stop entirely.

In order to prepare for a flurry of RTBF requests coming in, it is essential that all organizations have a plan in place which streamlines processes and makes the requests as easy as possible to deal with:

Education is key

  • The first thing to consider is whether or not your workforce is aware of what to do should one RTBF request come in, let alone hundreds. Educating all employees on what to do if a request comes in – including who in the company to notify and how to respond to the request – will be essential in guaranteeing they are dealt with correctly. Once there is a clear process in place for handling one request, it will also be easier to deal with multiple requests coming in.

Know your data

  • In addition to knowing what to do if a request comes in, it is vital that the team that will deal with completing it is fully aware of where all the data is stored. This will be even more essential if multiple requests come in, as it will ensure that valuable resources are not wasted tracking down stray data. Technologies such as ‘data discovery’ will be invaluable in helping organizations achieve an awareness of where data is. This gives visibility of where all GDPR-relevant data is stored across the company, whether that is on desktops, notebooks, servers, networks or the cloud. Once you know where critical data is located, it will be much easier to remove all traces of a customer and complete the request.

Understand data flows

  • Once your GDPR team understands where data is stored, it will be easier to respond to an RTBF request, but it doesn’t stop there. GDPR preparation is continuous: it doesn’t finish once you’ve conducted a data discovery exercise, because you also need to know how data is handled at all times. Adaptive email and web solutions can be used to maintain visibility of the critical data flowing in and out of the company and to control what data can be shared with whom. Our SECURE Email Gateway, for example, lets you create policies which automatically redact sensitive data from messages or files before they reach unauthorized recipients. This stops new, unaccounted-for copies of personal data being created (it does not remove copies that already exist at rest, which is what the discovery step is for), so stray data cannot undermine the completion of an RTBF request, and if multiple requests do arrive at once, resources are not wasted tracking down unstructured data.
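As an added illustration of the two steps above, knowing where personal data lives (“Know your data”) and masking it before it leaves (“Understand data flows”), here is example code written for this page, not Clearswift’s product code. It walks a directory tree, records which files contain email addresses or Luhn-valid payment card numbers, lists the locations an RTBF request for one person must be actioned in, and redacts only the matched fragments from an outbound message. The sample files and their contents are constructed; real discovery tooling must also open office formats, archives, mailboxes and databases, whereas this handles plain text only.

```python
"""Added example (not Clearswift's code): text-file data discovery plus redaction.

Walks a directory tree, records which files hold personal data (email
addresses and Luhn-valid payment card numbers) and can mask the same
patterns in an outbound message. Sample files are constructed inline so
the script runs offline. Real discovery tooling must also open office
formats, archives, mailboxes and databases; this handles plain text only.
"""
import re
import tempfile
from pathlib import Path

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
# 13 to 19 digits, optionally separated by single spaces or hyphens
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, so order numbers and timestamps are not flagged as cards."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:  # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pii(text: str) -> dict:
    """Return the distinct email addresses and card numbers found in text."""
    emails = sorted(set(EMAIL_RE.findall(text)))
    cards = sorted({m.group(0) for m in CARD_RE.finditer(text) if luhn_ok(m.group(0))})
    return {"emails": emails, "cards": cards}


def discover(root: Path) -> dict:
    """Map each file under root that contains personal data to what was found."""
    hits = {}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        found = find_pii(path.read_text(errors="ignore"))
        if found["emails"] or found["cards"]:
            hits[path.relative_to(root).as_posix()] = found
    return hits


def files_for_subject(hits: dict, email: str) -> list:
    """Every location an RTBF request for this email address must be actioned in."""
    return sorted(p for p, f in hits.items() if email in f["emails"])


def redact(text: str) -> str:
    """Mask only the personal data; the rest of the message passes unchanged."""
    text = EMAIL_RE.sub("[email redacted]", text)
    return CARD_RE.sub(lambda m: "[card redacted]" if luhn_ok(m.group(0)) else m.group(0), text)


def build_sample_tree() -> Path:
    """Constructed sample data: two files with personal data, one without."""
    root = Path(tempfile.mkdtemp())
    files = {
        "crm/customers.csv": "name,email\nJane Doe,jane.doe@example.com\nJohn Roe,john.roe@example.org\n",
        "finance/refund.txt": "Refund to card 4111 1111 1111 1111 for jane.doe@example.com\nOrder 2020051912345678\n",
        "ops/build.log": "2020-05-19 build 4521 finished in 17s\n",
    }
    for name, body in files.items():
        (root / name).parent.mkdir(parents=True, exist_ok=True)
        (root / name).write_text(body)
    return root


if __name__ == "__main__":
    hits = discover(build_sample_tree())
    for path, found in hits.items():
        print(path, found)
    print("RTBF for jane.doe@example.com touches:", files_for_subject(hits, "jane.doe@example.com"))
    print(redact("Contact jane.doe@example.com, card 4111 1111 1111 1111, order 2020051912345678"))
```

The Luhn check is what keeps the card pattern usable: without it every 16-digit order or transaction reference would be reported, and the inventory would be too noisy to act on.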

The thing to remember if your organization is targeted by hacktivists is not to panic. With these processes and technologies in place, dealing with a request should be straightforward, because you will have complete visibility of, and a handle on, the data. Streamlining data retrieval will make it easier for your business to complete an RTBF request and ultimately defend the organization against malicious uses of GDPR.

Contact the Clearswift team to learn more about how we can help you protect your business against malicious GDPR activity.

Additional Information

Data Discovery: Critical Information Protection (CIP) Management Server and Agent

Information Governance and Compliance

Right to be forgotten requests: how to ensure your business doesn’t grind to a halt

Shadow-IT

Cloud Storage, File Sharing Apps and GDPR: This Could Get Ugly Fast!

Cloud storage services and file sharing apps such as Dropbox, Box, Microsoft OneDrive and Google Drive are so widely adopted by employees, with or without the knowledge of their IT departments, that most don’t think twice about using them to share corporate information. A study by SkyHigh Networks found that the average enterprise uses 76 distinct file sharing cloud services and that 18.1% of files uploaded contain sensitive data. This was an issue before May 25th, 2018, but that date now strikes terror into the hearts of CIOs and IT departments as the date GDPR became enforceable. Some of these services will be endorsed by the organization; many won’t. While the Shadow IT game of “hide-and-seek” continues to amuse IT teams, GDPR ups the stakes: fines of 20 million EUR or 4% of global annual turnover (whichever is greater) are significant to any business.

Difficulty Mitigating GDPR Compliance

Repercussions of the European Union’s General Data Protection Regulation (GDPR) are far-reaching. One of the outcomes will require businesses to take the use of cloud storage and applications much more seriously. Not only will businesses need to know which—and how—cloud storage and file sharing apps are being used by their employees, they also must ensure that either the cloud services in use are compliant and integrated into their GDPR processes (i.e., right to erasure / forgotten) or the flows of data to them are inspected and scrubbed of personal information.

Compliance isn’t simply for companies and individuals in the EU; GDPR applies to any company anywhere in the world that processes personal data of individuals in the EU, whatever their citizenship.

Shadow IT: Out of Sight, Out of Mind

The majority of executives and IT managers say they do not know how many unauthorized cloud (‘shadow cloud’) apps and services are in use, even though Gartner has estimated that by 2020 more than 30% of successful cyber-attacks will come through Shadow IT. Out-of-sight, out-of-mind thinking masks reality: they simply do not know which file sharing apps are being used. Furthermore, because the data is stored offsite by a cloud service provider, they believe they have nothing to worry about. The opposite is the case: the business, as the data controller, retains primary responsibility. GDPR also places obligations on processors, so the cloud service provider should itself be concerned with the data it stores, but as yet most are not. Organizations must work with their employees and cloud service providers to ensure compliance with GDPR.

How many applications do you have on your mobile phone? How many of those are endorsed by the company? How many have access to data such as contacts or saved documents? Now multiply that by the number of employees you have and you start to see the magnitude of the issue. Even within a small company there could be thousands of applications which are ‘hidden’ from IT (and compliance) but which create risk.

While some cloud and app vendors, including Google, have embraced GDPR, many others have not, and in this case ignoring those who haven’t because you do not ‘know’ about them is not a defense. Ignorance is not bliss.

Addressing the Cloud Storage and File Sharing Ugliness

All is not bleak when it comes to cloud storage and file sharing apps co-existing in a GDPR compliant environment. We have a three-step approach to GDPR compliance:

1) Discover: Find out just how big the issue is. For Shadow IT, this means discovering how widespread its use is.

2) Secure: Protect the information from inappropriate sharing with unauthorized users.

3) Govern: Compliance is an ongoing commitment to protect critical information.

When it comes to Shadow IT, a GDPR-enabled secure web gateway (or a simple GDPR ICAP add-on to your existing web proxy) lets businesses:

  • Perform a Shadow IT audit for cloud services. Quickly detect all cloud storage services in use throughout the business.
  • Create a map of all web-based data flows containing personal data, both into and out of the organization. Shared responsibility means you also need to secure and protect sensitive information that is shared with you.
  • Track and trace GDPR data moving to the cloud. Inspect data moving to cloud storage in real time for personal data, including the often-overlooked sub-file, hidden and metadata content.
  • Automate GDPR policy enforcement. Analyze personal data to determine the appropriate GDPR policy based on data context, type, channel and sharing relationship.
  • Apply adaptive security. Apply the required GDPR security measure (block, encrypt or redact) according to policy. Redaction removes only the personal data detected and lets the rest of the content through without delays or quarantines, so a false positive costs a masked fragment rather than a blocked transfer.
  • Enable GDPR governance. Achieve transparent visibility into GDPR reports, policy violations and breach analysis to demonstrate compliance.
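The “sub-file, hidden and metadata” point above is easy to state and easy to get wrong, so here is an added example written for this page (not Clearswift’s gateway or ICAP code) of what an inspection step actually has to look at. A .docx is a zip package: the visible text lives in word/document.xml, but the author and last editor sit in docProps/core.xml and reviewer notes in word/comments.xml. The script builds a constructed sample document in memory whose body is clean but whose metadata and a comment each hold an email address, scans all three parts, chooses an action from an assumed policy (the sanctioned-host list and the bulk threshold are illustrative values, not anything from the page), and scrubs the package without deleting parts, since removing core.xml or comments.xml would break the package relationships.

```python
"""Added example (not Clearswift's code): inspect a .docx bound for cloud storage.

Office documents are zip packages, and personal data often hides outside the
visible text: docProps/core.xml carries the author and last editor, and
word/comments.xml carries reviewer notes. The script builds a constructed
sample document in memory, scans body text, metadata and comments for email
addresses, chooses an action from an assumed policy (sanctioned-host list
and bulk threshold are illustrative) and can scrub the package while keeping
its structure intact.
"""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

EMAIL_RE = re.compile(r"\b[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}\b")
W_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
CP_NS = "http://schemas.openxmlformats.org/package/2006/metadata/core-properties"
DC_NS = "http://purl.org/dc/elements/1.1/"

SANCTIONED_HOSTS = {"onedrive.corp.example"}  # assumed: approved services covered by the GDPR process
BULK_THRESHOLD = 10  # assumed: more distinct subjects than this looks like a customer export


def build_sample_docx() -> bytes:
    """Constructed sample: clean body text, but personal data in metadata and a comment."""
    core = (f'<cp:coreProperties xmlns:cp="{CP_NS}" xmlns:dc="{DC_NS}">'
            '<dc:creator>Jane Doe (jane.doe@example.com)</dc:creator>'
            '<cp:lastModifiedBy>j.roe</cp:lastModifiedBy></cp:coreProperties>')
    body = (f'<w:document xmlns:w="{W_NS}"><w:body><w:p><w:r>'
            '<w:t>Quarterly summary, no customer details in the body.</w:t>'
            '</w:r></w:p></w:body></w:document>')
    comments = (f'<w:comments xmlns:w="{W_NS}"><w:comment w:id="0"><w:p><w:r>'
                '<w:t>Check with john.roe@example.org before sending.</w:t>'
                '</w:r></w:p></w:comment></w:comments>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("docProps/core.xml", core)
        z.writestr("word/document.xml", body)
        z.writestr("word/comments.xml", comments)
    return buf.getvalue()


def _record(found: dict, part: str, texts: list) -> None:
    emails = sorted({e for t in texts for e in EMAIL_RE.findall(t)})
    if emails:
        found[part] = emails


def inspect_docx(data: bytes) -> dict:
    """Map each package part holding email addresses to the addresses found."""
    found = {}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = set(z.namelist())
        if "docProps/core.xml" in names:
            root = ET.fromstring(z.read("docProps/core.xml"))
            _record(found, "docProps/core.xml", [el.text or "" for el in root.iter()])
        for part in ("word/document.xml", "word/comments.xml"):
            if part in names:
                root = ET.fromstring(z.read(part))
                # only w:t elements carry user-visible (or comment) text
                _record(found, part, [t.text or "" for t in root.iter(f"{{{W_NS}}}t")])
    return found


def decide(findings: dict, destination_host: str) -> str:
    """Policy: allow to sanctioned services, scrub single items, block bulk exports."""
    if not findings or destination_host in SANCTIONED_HOSTS:
        return "allow"
    subjects = {e for emails in findings.values() for e in emails}
    return "block" if len(subjects) > BULK_THRESHOLD else "scrub"


def scrub_docx(data: bytes) -> bytes:
    """Mask email addresses in every XML part while keeping all parts in place
    (deleting comments.xml or core.xml would break the package relationships)."""
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w") as dst:
        for name in src.namelist():
            payload = src.read(name)
            if name.endswith(".xml"):
                payload = EMAIL_RE.sub("[redacted]", payload.decode("utf-8")).encode("utf-8")
            dst.writestr(name, payload)
    return out.getvalue()


if __name__ == "__main__":
    doc = build_sample_docx()
    findings = inspect_docx(doc)
    print(findings)
    print("upload to dropbox.com ->", decide(findings, "dropbox.com"))
    print("after scrub:", inspect_docx(scrub_docx(doc)))
```

A scanner that only reads the body text would pass this document as clean; the two addresses are in parts a user never sees in the editor, which is exactly the data that tends to leave with every upload.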

The CIO and IT department need to take control of Shadow IT before a compliance incident occurs. Discovering which services are in use is the first step towards that control. IT should be seen as an enabler of cloud services, recommending which services to use and how they can be used, while stopping the use of those services which put the business at risk.

In all, when addressed with the right security processes and technologies in advance, cloud storage and file sharing applications can be controlled and become GDPR compliant, helping you to avoid an ugly mess and potentially huge fines.

Additional links:

Adaptive Security for Cloud https://www.clearswift.com/products/web-security-products#SWG

A guide to critical data protection in 2018 https://www.clearswift.com/sites/default/files/documents/Whitepapers/A_Guide_To_DLP_Whitepaper.pdf

GDPR Compliance

The GDPR deadline is here – so what next?

It’s finally here, the EU General Data Protection Regulation (GDPR) is now in full effect. Is that a sigh of relief I hear? Well, it shouldn’t be too heavy a sigh, there’s still work to be done!

The first thing to remember is that just because it’s the 25th of May doesn’t mean GDPR efforts are over. Most organizations have completed their pre-enforcement preparation, including updating policies and systems, reviewing databases and obtaining consent from EU contacts to continue holding their data. Now that the enforcement date has arrived, there should be a bigger push than ever to ensure your organization remains compliant into the future.

Remember the old Scout motto, ‘Be Prepared’? Any number of things could happen on, or after, ‘Day One’ that organizations need to be ready for. These include a data breach, whether from a malicious attack or from an employee sending confidential information to the wrong person by mistake, or customers exercising their right to be forgotten (RTBF). Whatever happens, the main thing is to have a plan in place to deal with both formal requests and non-compliance incidents.

There are three main areas which need to be addressed in order to have a fully-capable plan in place:

People

While most employees are likely to be aware of GDPR, it is certainly worth sending a company-wide email today to remind everyone it’s D-Day. It’s important to keep employees informed of new policies and processes: where data must be kept and who has authorized access to it, what to look for in a malicious email, and who to go to should a breach happen. Ensuring that all employees, from board level down, know what processes need to be followed is vital to continued compliance. In return, employees should be encouraged to suggest where improvements can be made and where additional risks may lie. Business requirements constantly change as new projects and initiatives start up. If they involve handling personal data of people in the EU, GDPR must be a key consideration as those projects and initiatives are executed.

Processes

All organizations should already have processes in place, and these should have been reviewed and updated as part of preparing for GDPR compliance. However, as time passes and GDPR issues arise, it’s critical that processes are amended to reflect what has been learned, whether through continual checking for unwanted data, RTBF requests or a data breach. As new products and services are introduced, processes and policies should be reviewed to reflect changes within the business, and those changes need to be communicated to employees.

Technology

Technology should be implemented as a safety net for an organization. No matter how well-trained staff are or how many processes are in place, there is always the threat of a slip-up that could lead to non-compliance and ultimately hefty fines. GDPR is not going to be in the headlines forever and its principles are likely to slip to the back of people’s minds, so it’s important that the right technology is in place to help protect critical information. In addition, with the first wave of RTBF requests arriving post-May 25th, any gaps in existing security infrastructure that were not found during GDPR preparation are likely to be discovered now and need to be filled as soon as possible. Adaptive Data Loss Prevention (A-DLP) technology gives an organization control and visibility of data flowing both in and out of the company, automates best-practice data protection processes and enforces the information security policy. A-DLP should therefore be seen as an enhancement to the processes already in place, something which runs in the background as a precautionary measure.

Whatever happens post-GDPR enforcement, it’s important to keep in mind that the threat of a data breach or RTBF request does not disappear after the first day. Compliance is an ongoing task with policies and processes needing to be adjusted as business practice evolves or new services and products are introduced.

Contact the Clearswift team to learn more about how we can help you protect your organization with GDPR compliance.


Additional Information

Clearswift Adaptive Data Loss Prevention

Information Governance and Compliance

Data Discovery with the Clearswift Critical Information Protection (CIP) Management Server and Agent