gdpr Archives - IT Security Guru https://www.itsecurityguru.org/tag/gdpr/ (feed generated Wed, 17 Jun 2020 11:12:07 +0000)

Department for work and pensions spending nearly £15m on GDPR https://www.itsecurityguru.org/2018/04/27/department-work-pensions-spending-nearly-15m-gdpr/?utm_source=rss&utm_medium=rss&utm_campaign=department-work-pensions-spending-nearly-15m-gdpr Fri, 27 Apr 2018 11:20:49 +0000

The post Department for work and pensions spending nearly £15m on GDPR appeared first on IT Security Guru.

The Department for Work and Pensions is set to spend £14.73million to prepare for the EU’s incoming General Data Protection Regulation (GDPR). The spending will cover a programme of education and awareness activity for all staff, system remediation and a review of the existing records storage arrangements.

The findings are contained in a new report from the Parliament Street think tank entitled GDPR: The Impact on Government, which was published yesterday. The policy paper examines the steps being taken by central government departments to ensure compliance with the new legislation, including spending on staff training and software.

The Department for Transport (DfT) has an allocated total budget of £547,000 for the GDPR.

  • It has spent £147,000 to date preparing for the regulation. This figure includes some time from internal staff assisting with the preparation for the department.
  • Of this figure, £23,000 was spent on staff training and £72,000 on hiring contingent labour. The remaining amount is costs associated with existing, internal, staff who have been working on GDPR preparation, where those costs have been recorded.
  • The department said that for the rest of the year it estimated a further spend on GDPR of £400,000. 

The Ministry of Justice has a total allocated budget of £543,311 for the GDPR (the sum of the spend to date and the planned spend below).

  • It has spent £154,218 to date on GDPR preparations. This included £145,430 on software and £8,788 on GDPR-specific training for staff.
  • For the rest of the calendar year, the department plans to spend a further £24,182 on GDPR training and £364,911 on software.

The Treasury has a total allocated budget of £200,783 for the GDPR.

  • It has spent £90,483 in the financial year of 2017-2018 and projected £78,800 in 2018-2019.
  • It had also allocated £30,000 for learning and development and £15,000 for e-discovery tools.

Key recommendations in the policy paper include increasing staff training on the fundamentals of the GDPR, sharing best practice between departments and collaborating with external specialist companies for support during implementation of the regulation.

Peter Irikovsky, CEO, Exponea, comments: “It’s clear that the incoming GDPR presents significant financial and operational challenges for government departments, which are tasked with securely processing large volumes of personal data.

A major concern with this legislation is that many organisations are rushing to meet the impending deadline, hiring in external consultants and resources without being entirely certain that the changes made will deliver complete compliance. As such there is a real risk that many departments could be GDPR compliant in theory, but not in practice, due to the complex nature of their software vendors, many of which aren’t taking GDPR seriously.

With this in mind, isn’t it time that all organisations woke up to the need for independent, external certification of GDPR capabilities, that guarantee compliance? By raising standards through certification, departments can be sure they are adhering to these new regulations, protecting the organisation from financial penalties and delivering high standards of data management to the public.”

Only 7 per cent of businesses GDPR-compliant as deadline looms, data privacy gains prominence https://www.itsecurityguru.org/2018/04/26/7-per-cent-businesses-gdpr-compliant-deadline-looms-data-privacy-gains-prominence/?utm_source=rss&utm_medium=rss&utm_campaign=7-per-cent-businesses-gdpr-compliant-deadline-looms-data-privacy-gains-prominence Thu, 26 Apr 2018 09:53:01 +0000

In the wake of the Facebook and Cambridge Analytica data misuse, public attention around the importance of data privacy has been heightened. Yet, with only a month until the General Data Protection Regulation (GDPR) deadline comes into effect, 93 per cent of respondents to a new survey from business analytics leader SAS say they are not yet fully GDPR compliant.

Less than half (49 per cent) of the global organisations surveyed reported that they expect to be compliant when GDPR goes into effect May 25. The EU, UK and Ireland are slightly more prepared than the U.S., with 53 per cent of EU and 54 per cent of UK and Irish organisations surveyed expecting to meet the deadline, compared to just 30 per cent stateside.

The GDPR gives EU residents privacy rights that give them greater control over how companies handle their personal data.  Any organisation that is storing or processing data on EU residents may have GDPR compliance obligations, even if the organisation isn’t in the EU.

In February, SAS conducted a global survey of 183 business people in a wide variety of industries who have a role in preparing their organisations for GDPR. The survey highlights the biggest challenges and opportunities they face on the road to GDPR compliance.

“Despite the long run-up to GDPR, the vast majority of UK organisations still don’t have processes in place to manage their data in compliance with the new rules,” said David Smith, Head of GDPR Technology, SAS UK & Ireland. “At this point, senior leadership needs to take ownership of getting the whole company on board, from IT to operations, to make sure that all personal data is accurately located and appropriately handled.”

Though the survey shows that most organisations are not ready for the fast-approaching GDPR deadline, they are working to become compliant (93 per cent have a plan in place or expect to have one). And the majority of respondents anticipate benefits for their organisations that will result from their efforts to become GDPR compliant.

“There’s a great opportunity contained within the challenge of GDPR,” Smith continued. “Organisations that gain greater control and understanding of their data will be better able to provide their customers with the services they want, in the manner that they want them. Those companies that can innovate through GDPR will gain a significant advantage over competitors who get stuck in the long grass of compliance.”

In fact, 84 per cent of all respondents and 79 per cent of UK and Irish respondents, said they expect GDPR to improve their data governance. Sixty-eight per cent worldwide and 81 per cent of UK and Irish respondents also anticipate that GDPR will increase trust between them and their customers. Improved personal data quality, enhanced organisational image, and a move toward a data-driven organisation were additional benefits they expect to gain from GDPR compliance.

Additional highlights from the survey include:

  • 58 per cent of global respondents have a structured plan in process to comply with GDPR and another 35 per cent are planning to have one. This is up from SAS’ 2017 survey, which found that less than half (45 per cent) of respondents had a structured plan in place to comply with GDPR.
  • However, 15 per cent of U.S. respondents and four per cent of EU respondents said their organisation had no plans to develop a structured process to comply with GDPR.
  • To get a GDPR compliance plan in place, organisations need help. Seventy-five per cent of respondents worldwide said that they have obtained or plan to obtain legal or consulting support.
  • Sixty-three per cent globally and 69 per cent in the UK and Ireland said GDPR will have a significant effect on how their organisation conducts business.
  • Identifying all sources of stored personal data, followed by acquiring the skills to manage GDPR compliance, were listed as the top challenges organisations face in preparing for GDPR.
  • Additionally, almost half of respondents (49 per cent globally and 44 per cent in the UK and Ireland) reported that GDPR would have a significant impact on their organisation’s artificial intelligence projects.
  • Establishing informed consent, logging and presenting profiling details to auditors, and requiring human involvement in decisions are the three compliance requirements that are most concerning to participants regarding their artificial intelligence projects.
  • Seventy-five per cent of respondents also expect GDPR compliance to have a significant effect on their IT operations. That number goes up for the UK and Ireland, to 84 per cent.


Bomgar Enables GDPR Compliance for Privileged Users https://www.itsecurityguru.org/2018/01/22/bomgar-enables-gdpr-compliance-privileged-users/?utm_source=rss&utm_medium=rss&utm_campaign=bomgar-enables-gdpr-compliance-privileged-users Mon, 22 Jan 2018 14:59:55 +0000

Bomgar, a leader in secure access solutions, today announced its secure access solutions can help organisations comply with the upcoming EU General Data Protection Regulation (GDPR) mandates. The amount, sources, and types of data that are collected and used by organisations today has grown exponentially, along with the value that can be gained from obtaining this data. How and where companies store and process data has moved from inside the traditional IT perimeter to hybrid and cloud environments that span systems and data centres around the globe. With the fast-approaching enforcement of GDPR going into effect 25 May 2018, organisations need to be prepared to meet the new standards to maintain data privacy.

Bomgar’s solutions have always focused on security at the heart of their design. This ensures that every remote access connection made by our customers—whether a privileged user connecting to a critical system or device or a help desk connecting to an end-user’s system—is secure, protecting critical systems and data and helping organisations meet the GDPR requirements.


Bomgar’s solutions include:

  • GDPR Pseudonymization Support – Meet GDPR initiatives through responding to Right to Erasure requests by searching for specific criteria supplied by the requestor.
  • Improved Customer Agreement Enhancements – Improve security among support teams by reassuring customers they’re dealing with the intended organization, and keep your brand front and center while presenting and capturing consent.
  • Enforce Policy of Least Privilege – Only give access to data to those who need it, when they need it, with granular levels of access controls that eliminate “all or nothing” access.
  • Manage Privilege ‘Sprawl’ – Identify and secure all your privileged accounts centrally across your organisation, including dormant credentials, eliminate insecure practices of employees sharing or writing down passwords, and integrate your security policies.
  • Secure and Protect All Privileged Accounts – Store, rotate, and manage privileged credentials within a secure enterprise password vault, and grant access based on job roles and requirements creating a reliable “privilege on demand” workflow.


“Security must be central to an organisation’s data privacy strategy to ensure they can control and protect access to the systems that hold personal data,” said Martin Willoughby, SVP, general counsel and chief privacy officer at Bomgar. “Organizations must also ensure all remote access methods are secure to protect their data as this is the number one method of compromise. Bomgar’s Secure Access solutions enable businesses to control, monitor, and manage access to critical systems and data, while ensuring that people remain productive and are not impeded in their day to day job tasks.”

For more details about how Bomgar can help your organisation meet the new GDPR standards, download this free whitepaper and register for our upcoming webinar: GDPR and Remote Access Security: What You Need to Know.

72 hours and counting: The role of AI in GDPR https://www.itsecurityguru.org/2018/01/22/72-hours-counting-role-ai-gdpr/?utm_source=rss&utm_medium=rss&utm_campaign=72-hours-counting-role-ai-gdpr Mon, 22 Jan 2018 14:57:15 +0000

Written By  John Titmus, Director, EMEA – Sales Engineering, CrowdStrike

The need to be GDPR-ready may be attention-grabbing right now, but turn this on its head: would you rather be compliant or protected against breaches? If you are more concerned about compliance than about understanding the role of security and protection, you may face the ticking of the breach notification clock, 72 hours and counting, and the penalties that go with it.

Compliance does not equal protection

Fear can be a positive emotion, preventing us from straying into dangerous situations, but it can also be crippling – stopping us from pursuing the correct course of action when required. With the looming GDPR deadline, are businesses seeing compliance as a tick box only activity, or should they be seeing the new regulations as an opportunity to improve their defences against an unprecedented rise in cyberattacks?

A ‘tick box’ mentality might help an organisation achieve compliance within the requirements of GDPR, but there is much more it can do to abide by the regulation’s spirit. What does that tick in the box really mean? When can you start to celebrate? The truth of the matter is that you are only compliant for that brief moment in time.

Businesses need to demonstrate more than mere compliance: they need to show that they are sophisticated enough to deal with any breach that occurs, and have the right processes in place to minimise the damage and effectively report the extent of the breach. Stating you were compliant when a breach happened doesn’t protect your organisation or your customer data.


Beyond compliance

One of the most high-profile recent breaches – targeting Equifax – highlighted the reputational damage that delayed breach notifications can cause. Under GDPR, any delay will come with a hefty financial cost. The penalties for non-compliance with GDPR are well-known – a fine of up to 4% of global annual turnover or €20m, whichever is the greater. An organisation can still be compliant yet suffer serious financial and reputational consequences from a breach that goes undetected. It’s therefore incumbent upon any organisation to ensure it is not only compliant, but always prepared for a breach. And the only way to build the right defences is to take the focus away from the breach itself and re-direct it to stopping the malware and demonstrating that you have mature processes in place to detect, prevent and respond.


The Role of AI in GDPR

The key to defeating cyber attackers is to master huge volumes of threat data in real time, and this simply isn’t possible without AI given the volumes involved. To give you an idea of the scale of the analysis, CrowdStrike collects and analyses around 67 billion events every single day. AI is used to access and contextualise all this data in under five seconds, providing a real-time view of the current threats organisations need to be protected from.

The real essence of GDPR lies in the ability to demonstrate maturity from both a technical and process perspective, to be able to deal with a breach, should it occur. Harnessing technologies that use automation to operationalise data and artificial intelligence (AI) will make a big impact and also help to approach GDPR with a proactive ‘stopping malware’ mind-set.

AI can provide the ability to scale, provide visibility and therefore protect us at speed, as time can be the enemy. Used intelligently, AI enables us to see what’s happening in the world at any given moment, and to interrogate data to identify indicators of attack (predictive methods) as well as indicators of compromise. When combined with machine learning, it’s an incredibly powerful capability in the fight against hackers; constantly collecting, analysing and adapting security algorithms. Without the ability to understand if there are indicators of compromise in real-time, you will never be able to establish IT hygiene and, more importantly, have a security posture that is ready to face any future threats.


From compliance to security hygiene

Organisations also need to invest in processes to protect data and identify how that data is being accessed. Early warning systems that detect intrusions by external threat actors or insiders trying to gain unlawful access are key – but so are established guidelines for how to respond to a breach, such as isolating infected devices, remediating the estate, and working with legal and PR to formulate the right public response.

Preventative measures are also a fundamental part of the approach. With the rise in IoT, organisations should question which devices are WiFi-enabled and if they really need to be connected. Simple measures like this can ensure that they minimise the chance that they are compromised or become vectors for an attack.

We see this as ‘security hygiene’; a posture that focuses on cross-organisational measures to combat breaches, rather than a narrow focus on point security such as AV or endpoint protection.


Conclusion

Organisations should not fear the 72-hour deadline for breach notification but use it as an opportunity to review their existing processes and security. Meeting this target might mean that an organisation protects itself from the huge fines mandated under GDPR, but it also provides the opportunity to make overdue updates to technology and processes: being able to discover indicators of attack in real time and prevent a breach. This might sound like another impossible requirement to add to the already stringent demands of the GDPR, but in fact, with the right tools and processes, it is achievable.

Don’t let fear be your motivation for achieving GDPR compliance. Instead, focus on how your business can give itself – and its customers – the best protection possible.

GDPR in plain English https://www.itsecurityguru.org/2017/11/22/gdpr-plain-english/?utm_source=rss&utm_medium=rss&utm_campaign=gdpr-plain-english Wed, 22 Nov 2017 11:32:30 +0000

Businesses need to be absolutely clear about terms and definitions if they are to achieve compliance with the new General Data Protection Regulation.

Semantics is rarely a matter of life and death, but a misunderstanding over a couple of words could do serious damage to your business.
When the General Data Protection Regulation (GDPR) comes into force in May 2018, businesses will need to have a precise and thorough understanding of the various terms and definitions outlined in the most stringent of privacy regulations yet devised. The GDPR outlines the acceptable use of personal data by organisations, how they should structure their approach to managing personal data, and the fines (or risk) for improperly protecting personal data. In the event of a breach the fines for non-compliance can be extensive, with the maximum penalty set at 4% of annual worldwide turnover or €20m – whichever is higher.
The intersection of technology and the law always creates a plethora of complex terms, and in the case of the GDPR, it is a lexicon that businesses must master if they are to comply fully with the letter of the regulations.
 
The definition
The GDPR is the first EU data privacy law to explicitly define a “personal data breach” and require notification when one occurs. “Personal data” is defined in the GDPR as “any information relating to an identified or identifiable natural person (‘data subject’).”
Notably, there is not a specific set of information (or data fields) that define a data subject. According to the text, a data subject is: “an identifiable natural person…one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;”
While the definition lists common fields, its crucial point is that any data which can be used, by whatever means, to identify a specific individual is in scope. This requires a new way of thinking about personal data: while an unnamed person’s age and gender might not seem like personally-identifiable information, in many circumstances it could be. For example, even if the data subject’s name isn’t present but their age or gender is, this could be considered personal data if it’s enough to identify an individual. An organisation may only have a single 23-year-old or a single male in an office, and someone could use the available data to work out who that is.
As you can see, the set of data that falls under the GDPR is considerably broader than many initially expect, and the challenge grows because user data frequently spans multiple tables (or databases).
The GDPR lists a number of key controls and activities related to data subjects and personal data. The first two of these are Data Breach Notification and the introduction of a required role, the Data Protection Officer.
 
Data Breach Notification
Put simply, the GDPR requires that organisations who suffer a data breach report it as quickly as possible.
In more detail, under the GDPR, a “personal data breach” is “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed”. Note that this definition of personal data is as above – anything that can lead to the identification of a unique person or persons.
In the event of a personal data breach, organisations must notify the supervisory authority. The GDPR defines two separate concepts that typically (but not always) refer to organisations – Data Controller (or Controller) and Data Processor (or Processor).

  • The Data Controller is the entity (in most cases, an organisation, but sometimes a person) that directs the reason why personal data is processed in the first place. For example, a ride sharing company wants to analyse its riders’ usage patterns to better allocate drivers. Note that the entity that is the controller doesn’t actually have to be the one who analyses / processes data.
  • The Data Processor is the entity (again a person or organisation, etc.) that actually does the processing or analysis of data. For example, banks frequently outsource their fraud analysis to third parties. In this case, the bank is the controller (directing what’s done with data) and the third party is the processor (actually doing the analysis).

In the event of a breach, the controller must notify the supervisory authority of the member state where it has its main establishment and, where the conditions described below apply, the affected data subjects. For example, if an organisation is based in Frankfurt and has the majority of its customers in Germany, the notification should go to the German supervisory authority. Article 51 of the GDPR covers the creation of the per-state supervisory authorities.
We’ll see how this works in practice as the law comes into play, but it’s not unreasonable to assume that breaches lead to notification of multiple supervisory authorities, as business frequently exists across many EU states.
 
The notification checklist
Notice must be given “without undue delay and, where feasible, not later than 72 hours after having become aware of it”. For those familiar with the recent Equifax breach, the organisation waited six weeks before announcing it publicly. This delay in announcement seems to have only made the situation worse: executives took time to sell shares in the company and the public was prevented from taking action to protect their identities.
The notification to the supervisory authority must include “at least” the following:

  1. The nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and of personal data records affected.
  2. The name and contact details of the Data Protection Officer or another contact point.
  3. The likely consequences of the personal data breach.
  4. How the controller proposes to address the breach, including any mitigation efforts.

Where the breach is likely to result in a high risk to the rights and freedoms of individuals, the GDPR additionally requires that the affected data subjects be informed. It provides some exceptions to that additional requirement, if:

  1. The controller has implemented appropriate technical and organisational protection measures that render the data unintelligible to any person who is not authorised to access it
  2. The controller has taken subsequent measures which ensure that the high risk to the rights and freedoms of data subjects is no longer likely to materialise
  3. Notification to each data subject would involve disproportionate effort, in which case alternative communication measures may be used

Complying with the breach notification requirements is only a part of the spirit of the regulation. Effectively doing so requires two other steps. The first, assessing which data an organisation has that is considered to be “personal data”. The second, understanding if a breach has occurred in the first place.
 
Enter DataOps
At the end, however, the major push for understanding these requirements comes down to the potential penalties. With a ceiling of 4% of annual worldwide turnover (measured by the prior year) or €20m, the impact of a breach is extreme. The implications go further, however. Not only must organisations ensure they protect individuals’ data, but they must institute organisational change across employees to truly understand what is covered and how the employees in their day-to-day operations can act in data subjects’ best interests. When we think of data protection we associate it with a company’s critical systems and the live data that sits within them. But the reality is that 90% of an organisation’s data sits in non-production systems like development and test environments, compliance and financial reporting systems, analytics and big data tools and archive/backup tools.
This is where DataOps can be such a powerful tool. DataOps is an approach which focuses on aligning people, process, and technology to enable the rapid, automated, and secure management of data. Its goal is to eliminate ‘data friction’ – the functional gap between the huge volumes and copies of information that we generate and our ability to use it securely and effectively.
With regards to the GDPR, DataOps can create a comprehensive library of data sources that enables users to pinpoint the exact location of sensitive data across an organisation’s entire IT estate, whether on-premises or in the cloud. What is more, with the right tools organisations can identify which data values are subject to GDPR, and adapt these to the business’ unique definitions of what is considered personal, confidential information.
Identifying personal data is only half the challenge; protecting it comes next, and a big challenge for companies is masking this data across all live and non-production systems. If your test data is genuinely anonymised, meaning the masking is irreversible and the records can no longer be linked back to an individual, it falls outside the scope of the GDPR; data that is merely pseudonymised (where a key or lookup table could restore the link) remains personal data under the regulation. Modern dynamic data platforms can be used to apply masking policies for multiple systems at once in a matter of minutes, meaning you can be GDPR compliant without inhibiting speed or agility.
With the right processes and technology in place, it’s possible for any organisation to keep track of all sensitive information, mask and pseudonymise it (or rather, hold it in a format that does not directly identify a specific individual without the use of additional information) where necessary, and control who has access to data and for how long. Like all the best technical approaches, it goes beyond mere compliance – crucial as that is – and gives organisations the best, most robust way of protecting their customers’ most valuable assets: their data and their identity.
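The two points made above, that a record with no name can still single someone out (the single 23-year-old or single male in an office, from the definition section) and that masking only takes data out of scope when it is irreversible, in one added example written for this page. It is not Delphix code and uses no product API; the records, field names and pseudonymisation key are constructed for illustration. The block counts how many records share each combination of non-name fields (k-anonymity), pseudonymises the identifier with a keyed HMAC, shows that the key holder can still link the pseudonym back, and refuses to release a masked extract that still singles anyone out.

```python
from collections import Counter
import hashlib
import hmac

# Constructed sample data (not from the article): an office extract with the
# name column already removed. The field set is an assumption for illustration.
RECORDS = [
    {"employee_id": "E1001", "age": 23, "gender": "M", "dept": "Finance", "salary": 41000},
    {"employee_id": "E1002", "age": 34, "gender": "F", "dept": "Finance", "salary": 52000},
    {"employee_id": "E1003", "age": 34, "gender": "F", "dept": "Finance", "salary": 49000},
    {"employee_id": "E1004", "age": 41, "gender": "F", "dept": "Legal", "salary": 67000},
    {"employee_id": "E1005", "age": 45, "gender": "F", "dept": "Legal", "salary": 71000},
]

# Fields that are not names but can be combined to pick out a person.
QUASI_IDENTIFIERS = ("age", "gender", "dept")

# Hypothetical pseudonymisation key; in practice it lives in a vault, not in code.
KEY = b"example-key-do-not-use"


def k_anonymity(records, keys):
    """Smallest number of records sharing one combination of the given fields.
    k == 1 means at least one person can be singled out from those fields alone."""
    counts = Counter(tuple(r[key] for key in keys) for r in records)
    return min(counts.values()), counts


def singled_out(records, keys=QUASI_IDENTIFIERS):
    """Field-value combinations that match exactly one record."""
    _, counts = k_anonymity(records, keys)
    return sorted(combo for combo, n in counts.items() if n == 1)


def pseudonymise(value, key=KEY):
    """Keyed HMAC-SHA256 of a direct identifier (truncated for readability)."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:16]


def links_back(pseudonym, candidate, key=KEY):
    """Whoever holds the key can test a pseudonym against a known identifier,
    which is why pseudonymised data is still personal data."""
    return hmac.compare_digest(pseudonym, pseudonymise(candidate, key))


def age_band(age, width):
    """Generalise an exact age into a band such as '20-29'."""
    lo = (age // width) * width
    return f"{lo}-{lo + width - 1}"


def mask(records, band_width=10, keep_gender=True, k_required=2, key=KEY):
    """Pseudonymise the id, generalise age into bands, drop dept (and optionally
    gender), then refuse to release the result if anyone is still singled out."""
    released = []
    for r in records:
        row = {"employee_id": pseudonymise(r["employee_id"], key),
               "age": age_band(r["age"], band_width),
               "salary": r["salary"]}
        if keep_gender:
            row["gender"] = r["gender"]
        released.append(row)
    quasi = ("age", "gender") if keep_gender else ("age",)
    k, _ = k_anonymity(released, quasi)
    if k < k_required:
        raise ValueError(f"still identifiable: k={k} < {k_required}")
    return released


if __name__ == "__main__":
    print("k over", QUASI_IDENTIFIERS, "=", k_anonymity(RECORDS, QUASI_IDENTIFIERS)[0])
    print("single male:", singled_out(RECORDS, ("gender",)))
    try:
        mask(RECORDS, band_width=10, keep_gender=True)
    except ValueError as exc:
        print("first attempt rejected:", exc)
    for row in mask(RECORDS, band_width=20, keep_gender=False):
        print(row)
```

With the sample data the first masking attempt (10-year bands, gender kept) is rejected because the lone male is still unique; widening the bands to 20 years and dropping gender gives every remaining combination at least two matching records. The salary column is treated here as the sensitive attribute rather than a quasi-identifier, which is itself a modelling assumption an organisation would have to justify for its own data.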
 
By Jes Breslaw, director of strategy, EMEA at Delphix

Three Security Predictions https://www.itsecurityguru.org/2017/11/07/three-security-predictions/?utm_source=rss&utm_medium=rss&utm_campaign=three-security-predictions Tue, 07 Nov 2017 11:37:40 +0000

Three security predictions from Kai Grunwitz, Senior Vice President EMEA, NTT Security:

 

1. DevSecOps in the age of the cloud

DevOps is an increasingly popular development practice allowing organisations to increase the speed at which they produce apps and services. An unfortunate side effect of this process is that you might also be accelerating the production of insecure code and bugs, with the potential to cause a serious financial and reputational hit if not managed correctly.
In an increasingly cloud- and mobile-first world, it will become essential to also bake in security to this process: thus, DevOps becomes DevSecOps. Embracing an application lifecycle approach in this way will end up saving organisations time and money – because problems are always easier to solve when security is addressed as far “left” in the lifecycle as possible. It will not be an easy shift for many security professionals, but third-party expertise will help overcome cultural resistance and arm organisations with the right processes and automated toolsets to drive success.
 

2. Machine learning and managed security

Machine learning, AI and automation have the potential to plug chronic security skills shortages and transform threat defence by spotting sophisticated advanced attacks and zero-day threats. Whatever the industry marketing hype might have you believe, machine learning is actually far from new – in fact, NTT Security has been using it for 15 years.
Machine learning is not a silver bullet and should instead be used as part of a layered approach to threat prevention. But it can spot patterns, which human eyes might miss. That said, it shouldn’t be seen as a replacement for human expertise. Part of the value we offer is in arming Security Operations Centre experts with machine learning tools. The automated tools find the needle in the haystack, but then it’s vital to get human eyes on that needle to analyse it further.
These kinds of capabilities are set to drive a surge in managed security services (MSS) next year and beyond. According to our Risk:Value 2017 report, 30% of UK organisations are using or planning to use an MSSP, with 31% saying this is because of a lack of internal skills and 27% because they want access to better technology.
 

3. From tech- to business-driven security

Security professionals love to talk bits and bytes, sometimes even “out-geeking” the rest of the IT department. But we are already seeing a change take place, and it is a necessary change: in fact, it’s a question of digital survival. Put simply, security strategy must be aligned to business strategy or vital digital transformation projects will fail and the business will become irrelevant. Some 85% of business leaders believe they only have two years to make progress in their digital transformation programmes before they fall behind their competitors.
 
PS: Honourable GDPR mention
Finally, 2018 will be the year when the GDPR (25 May) and NIS Directive (9 May) come into force. I won’t add to the thousands of opinions already circulating about this, but suffice to say, it’s vital to get your compliance house in order asap. If organisations are having trouble getting the Board’s attention, remind them of the maximum fines for non-compliance: £17m or 4% of global annual turnover, whichever is higher.

Putting your head in the cloud to become GDPR compliant https://www.itsecurityguru.org/2017/11/07/putting-head-cloud-become-gdpr-compliant/?utm_source=rss&utm_medium=rss&utm_campaign=putting-head-cloud-become-gdpr-compliant Tue, 07 Nov 2017 11:32:30 +0000 http://www.itsecurityguru.org/?p=24494

The post Putting your head in the cloud to become GDPR compliant appeared first on IT Security Guru.

GDPR is coming and is set to have a huge impact on UK businesses. From high-tech to agriculture, every modern business has huge volumes of data that will have to be stored, secured and managed in a way that is compliant with the new regulation. 
That’s all very well and good if you are a huge company that can throw resource at dealing with the issue, but what about everyone else? With fines of up to €20 million or 4% of global annual turnover, it could spell the end for a small business if they are caught out by GDPR. So, with the data concerns of a bigger organisation, but without the same level of resource, how can SMEs tackle GDPR compliance efficiently and cost effectively?
The majority of businesses in the UK are SMEs, and it is simply impractical for most to put in place a team to handle regulatory compliance. However, that is not to say that managing directors of small businesses need to take on the task of GDPR alone. The starting point must be to review their current infrastructure. Many businesses, particularly those without a heritage in digitalised systems, view IT as a purely tactical decision, often taking a short-sighted approach to addressing it. The result is the installation of systems that quickly become overly complex and make it difficult to ensure that data protection compliance in particular is handled effectively. But how can businesses change this?
The answer is to start looking at IT as a strategic decision. The reality is that for most businesses, IT is a significant element of their organisation and yet they don’t think about the best way to approach it in the long term. For an SME, with minimal resources to dedicate to IT, this is where cloud technology comes into its own. As well as providing an organisation with an easy to manage infrastructure that is resilient and grows with their business, it can also be the most efficient way to prepare and protect themselves ahead of GDPR.
By moving to the cloud and working with a Managed Service Provider (MSP), smaller businesses can ensure that they are meeting all regulatory requirements when it comes to data protection, without sinking huge amounts of time or funding. Larger cloud platforms, like Microsoft Azure, provide businesses with access to affordable enterprise grade security, giving them a way to protect their data better than ever before. Additionally, working with an experienced MSP gives a business access to the expertise needed to arrange and organise its infrastructure and storage in a way that meets and keeps them in line with increasingly strict industry compliance requirements.
Platforms such as Microsoft Azure are investing time and vast amounts of resource to make it as easy as possible for those with infrastructure built on their platform to meet the rules around GDPR. Offering dedicated support, guidance and expertise, they give SMEs peace of mind that they are compliant and that both their own and their customers’ data are protected.
The consequences of failing to comply would be felt that much harder by an SME, with slimmer profit margins than an enterprise, and it may go under if it faces GDPR penalties. This is even more worrying when we consider that, according to the latest research from Aldermore, less than one in ten SME owners in the UK fully understand what GDPR actually means for their business or have taken the appropriate steps to prepare for it. It is vital that SMEs see that the cloud can offer a cost-effective, fast track to compliance.
– Paul Blore, Managing Director, Netmetix

Can you prevent the mega breach? https://www.itsecurityguru.org/2017/11/07/can-prevent-mega-breach/?utm_source=rss&utm_medium=rss&utm_campaign=can-prevent-mega-breach Tue, 07 Nov 2017 11:27:15 +0000 http://www.itsecurityguru.org/?p=24491

The post Can you prevent the mega breach? appeared first on IT Security Guru.

The threat landscape today is more complex and more dangerous than it has ever been. Where once hackers tended to operate individually, now organisations face much more sophisticated threats from organised eCriminal groups, hacktivists, and nation-state adversaries. The immense resources and know-how that these cybercriminals can deploy means that organisations need to update their approach to security. If they do not, then they will find themselves the victims of the next big breach, and could suffer the devastating reputational and financial consequences that follow a successful attack.
Traditional approaches to IT security are no longer enough in the face of these new, advanced threats. What’s more, many organisations are failing to understand the missing link in the continuous ‘people, process and technology’ conversation, which could make all the difference in the constant fight against hackers. By harnessing the power of the cloud, a variety of next-generation technologies, and threat intelligence, businesses can steer clear of the dreaded mega breach.
 
The power of the cloud
As organisations grow and become more distributed, adding more endpoints across the enterprise, sophisticated adversaries will continue to aggressively target their data and IT infrastructure. The cloud offers new means of providing pervasive protection throughout the enterprise, with lower cost and reduced management overhead while adding significantly increased performance, agility and scalability. In fact, cloud-based endpoint protection gives organisations the ability to monitor and learn from attackers as they test attack strategies, to apply crowdsourced threat protection and to receive seamless upgrades. The cloud enables better protection and offers a level of scalability and speed that on-premises solutions do not.
 
Looking to next-generation solutions
In today’s IT landscape, organisations need to look to next-generation solutions to combat modern threats effectively.
Replacing traditional, legacy antivirus (AV) technology with a more sophisticated approach that completely monitors your network is a key component of this. Traditional antivirus (AV) technologies rely on a signature-based approach and as such, can only identify known threats. All it takes for an attacker to circumvent these systems is to make a small tweak between signature updates for the malware to become “invisible.” With next-gen AV, more strains of malware and other threats become visible, so you can detect and stop these types of attacks instantly.
Traditional AV products fail to deliver the efficacy improvements required to protect organisations against modern threats. These products miss more advanced threats because they lack effective machine learning and behavioural detection capability. Traditional AV continues to have blind spots because its endpoint detection and response (EDR) features are immature and unintelligent. While these products are able to record and search events collected from endpoints, customers are then tasked with sifting through the sea of data to find meaningful security events. This process is painstakingly antiquated against modern, fast-moving attacks. With next-generation technology, the opposite is the case, and you can pinpoint threats in an efficient manner for more complete protection and faster remediation.
 
Tracking threats through threat intel
Organised cybercriminals today have many motivations to infiltrate their chosen targets, from financial gain to cyberwar and more. Traditionally, eCriminals and hacktivists used extortion tactics to get hold of precious data, but there has been an uptick in cyber espionage activity this year from nation-state threat actors in North Korea, Russia and China.
In the face of these diverse, highly-motivated threats, it is no longer sufficient for organisations to take a reactive stance. Instead, organisations need to have a clear and comprehensive understanding of the different threats they face, if they are to have any chance of defending against them effectively. Threat intelligence is therefore central to modern day cyber risk mitigation, enabling organisations to anticipate and detect potential threats from across the entire web and thereby, choose the right defensive approaches.
To protect revenue, customer and other stakeholder data, jobs, IP and shareholder value, organisations must invest in real-time threat intelligence, while developing a well-trained team that can monitor, capture and analyse threat data effectively. To get out of reactive mode and prevent breaches, businesses must take steps to prioritise actionable intelligence so that they can get ahead of the threats that could compromise their business.
Ultimately, steering clear of a breach comes down to two key points: speed of detection and efficacy. Being able to assess any intrusion and contain it immediately is the only way to future-proof your business. A combination of detection technologies and comprehensive strategy is critical to ensure that no matter where the bad guys move, or whatever new tactics they deploy, the business is well equipped to repel risk.
By Amol Kulkarni, Sr. Vice President, Engineering at CrowdStrike

New Study Reveals Brands Fail to Use Customer Data to Deliver Personalised Digital Experiences https://www.itsecurityguru.org/2017/10/20/new-study-reveals-brands-fail-use-customer-data-deliver-personalised-digital-experiences/?utm_source=rss&utm_medium=rss&utm_campaign=new-study-reveals-brands-fail-use-customer-data-deliver-personalised-digital-experiences Fri, 20 Oct 2017 10:53:29 +0000 http://www.itsecurityguru.org/?p=24318

The post New Study Reveals Brands Fail to Use Customer Data to Deliver Personalised Digital Experiences appeared first on IT Security Guru.

Sitecore, the global leader in experience management software, today released results of a global study[1] conducted in partnership with Vanson Bourne, to understand how brands are managing the data they collect from consumers, securing and analysing it, and using it to deliver a more personalised customer experience.
The research, which included 50 marketing and IT decision makers, and 500 consumers in the UK, found that while brands face pressure to be data-driven, and while 66% of UK respondents place a high priority on personalisation, they struggle to manage and mine customer data to both inform customer experience strategies and deliver on the promise of personalisation.
An overwhelming 98% of UK consumer respondents believe that there is such a thing as ‘bad personalisation’, with UK consumers particularly frustrated by poor personal touches. They cite as examples: brands using out-of-date information about them (66% in the UK compared to 59% globally), brands that get personal customer details wrong (63% in the UK compared to 57% globally), and brands making assumptions about what consumers want based on single interactions (64% in the UK, compared to 54% globally).
Overwhelming data
For brands, poorly personalised experiences are often the result of an overwhelming amount of data and the complexities that arise around managing it. On average, brands say they’re collecting seven different types of data about online customers, ranging from transactional details to behavioral insights and trends. Yet almost a fifth (18%) of UK brand respondents point to a lack of skills needed to properly use or analyse the data collected, and 42% don’t have the capabilities to integrate data collection. Only 18% have the ability to collect online data on an individual (vs. consumer segment) level.
“Customers are openly providing insight for brands to understand their wants and needs, but brands are struggling to follow through on their end of the deal,” said Scott Anderson, CMO of Sitecore. “The level of expectation that today’s consumer has, coupled with the level of dissatisfaction brand marketers have with the tools and resources available to them, suggests brands must take urgent action to improve their ability to collect, connect, analyse, and act on customer data.”
With pressure from all sides to use data more effectively, many organisations don’t have the appropriate tools and knowledge they need to move forward and meet the expectations of their stakeholders, and more importantly their customers. Without addressing these internal obstacles, brands are missing out on the actionable insights that could enhance the customer’s experience and overall, increase loyalty and sales.
Additional research highlights include:

  • Customers think brands know more about them than they do: Customer respondents (63%) thought brands knew their purchase history more than brand respondents said they were collecting (40%).
  • Many brands struggle with existing analytics solutions: Only 18% have the ability to collect online data at an individual level, and though 58% of brands report using digital analytics software, nearly two thirds (62%) say they’re not completely satisfied with their current solution.
  • Brands crave more insight about their customers: When asked what they most want in a customer intelligence solution, just over half indicate both the ability to view customers on an individual level and real-time insights into customer behaviour (both 54%), and 48% want automated responses based on customer actions.

Download the complete survey findings here, or to keep up to date with news from Sitecore Symposium 2017 happening October 16-19 in Las Vegas, visit here or follow the hashtag #SitecoreSYM.
About the research 
Contextual Intelligence research commissioned by Sitecore and conducted by Vanson Bourne from February 2017 to April 2017, consisted of interviews with 680 marketing and IT decision makers and 6,800 customers across 14 countries including the UK, France, Germany, Netherlands, Denmark, Sweden, UAE, the US, Canada, China, India, Japan, Singapore and Australia. Vanson Bourne is an independent specialist in market research for the technology sector. Their reputation for robust and credible research-based analysis is founded upon rigorous research principles and their ability to seek the opinions of senior decision makers across technical and business functions, in all business sectors and all major markets. For more information, visit www.vansonbourne.com.
About Sitecore
Sitecore is the global leader in experience management software that enables context marketing. The Sitecore® Experience Platform™ manages content, supplies contextual intelligence, automates communications, and enables personalised commerce, at scale. It empowers marketers to deliver content in context of how customers have engaged with their brand, across every channel, in real time—before, during, and after a sale. More than 4,900 brands, including American Express, Carnival Cruise Lines, easyJet, and L’Oréal, have trusted Sitecore for context marketing to deliver the personalised interactions that delight audiences, build loyalty, and drive revenue.
 

GDPR readiness: Education sector rivals technology industry in race towards General Data Protection Regulation compliance https://www.itsecurityguru.org/2017/10/19/gdpr-readiness-education-sector-rivals-technology-industry-race-towards-general-data-protection-regulation-compliance/?utm_source=rss&utm_medium=rss&utm_campaign=gdpr-readiness-education-sector-rivals-technology-industry-race-towards-general-data-protection-regulation-compliance Thu, 19 Oct 2017 10:05:55 +0000 http://www.itsecurityguru.org/?p=24291

The post GDPR readiness: Education sector rivals technology industry in race towards General Data Protection Regulation compliance appeared first on IT Security Guru.

New research from leading information security company Clearswift has shown that the education sector is rivalling technology for the top spot when it comes to GDPR preparedness.
The research surveyed 600 senior business decision makers and 1,200 employees across the UK, US, Germany and Australia. When asked whether firms currently have all of the necessary processes in place to be compliant the top five performing sectors included technology and telecommunications (32%), education (31%), IT (29%), business services (29%) and finance (29%).
The survey also revealed that, of all the sectors, healthcare is the least likely to be ready for the upcoming GDPR, with only 17% of private and public sector bodies claiming to have the processes in place to comply with the legislation. Following closely behind is the retail sector, with a mere 18% of the industry ready for GDPR, then marketing at 19% and legal at 21%.
Overall, the research has shown that only a quarter (26%) of businesses are currently ready for the General Data Protection Regulation (GDPR). However, with the deadline fast approaching, a further 44% are putting processes in place and expect to be ready in time for May next year, when the legislation comes into force.
Dr Guy Bunker, SVP of Products at Clearswift, said: “With 64% of UK businesses currently making moves towards GDPR compliance, the outlook is not as bleak as previously thought.
“It is clear that the regulation has grabbed the attention of businesses, but what is important is that their focus is in the right place. Those viewing GDPR as an opportunity will be in the best position to not only comply, but evolve their organisations, enhance their security posture and achieve business growth.
“Educating employees about how to safeguard critical information, introducing data protection guidelines and instilling a culture of data consciousness in the workplace will not only bring organisations closer to compliance but help reduce the chances of a data breach.”
Although the majority of businesses may not currently be ready for GDPR, employers have begun identifying the departments within their organisations where data protection is needed most. The most common departments to have budget allocated for spend on GDPR are finance and IT (31%). This is particularly relevant as most businesses believe their critical data predominantly lies in the finance department (55%), suggesting that finance will be under the spotlight in the coming months as organisations look at how they can prepare for GDPR.
When looking at the size of an organisation, 46% of the businesses that reported they are ready for GDPR had between 500 and 999 employees. Among larger corporations of 5,000 or more employees, only 19% reported they are ready, suggesting that bigger is not necessarily better. Smaller enterprises are leading the way over their larger counterparts in putting processes and technology in place ahead of May 2018.
While many organisations are expecting to be ready for GDPR, our research has shown that a typical company-wide IT project takes around six months to roll-out, meaning those that aren’t ready now are running out of time to introduce new technology which could help them comply with the legislation.
Dr Bunker added:
“The key focuses for GDPR compliance are educating employees and understanding where your data lies. However, organisations that are still looking at how they can prepare should focus on security solutions that can be integrated within existing infrastructures, such as Data Loss Prevention (DLP) tools and content inspection software, which are the biggest priorities in preventing data loss and can be used to demonstrate compliance with GDPR legislation. This can save time and costs by adding these to existing security investments instead of removing old technology and replacing it with completely new solutions.”
