Under the General Data Protection Regulation (GDPR), which will come into force on 25 May this year, an organisation has to notify the Information Commissioner's Office (ICO) of a personal data breach within 72 hours of the breach being discovered, where feasible.
For the IT world this means a breach of security that allowed, or potentially allowed, the exfiltration of data that can either by itself or in combination with other data, identify individual people (note, this includes IP addresses and cookies).
The fines that can be levied by the ICO under GDPR rules can be very high (€20,000.00 or 4% of global turnover whichever is the greater) and an organisation suffering a personal data breach would also be open to civil action, which could potentially dwarf any ICO fine.
Under such circumstances, the quicker a breach is discovered and corrective action taken, the more likely it will be that the ICO will take the speed of detection and subsequent action into account (mitigation) when setting the level of a fine.
According to security firm FireEye, in 2017 the average time for organisations to detect breaches in their IT security was 175 days – an increase of some 40% over the time taken in 2016. Given that GDPR is due to come into force in May, these “time to detect” times are not good news.
How can a company improve the detection time of a security breach and investigate it sufficiently to know whether the breach involved the exfiltration of personal data? The answer is twofold: the first part is preparation and prevention, the second is detection and investigation.
Preparation and prevention is the old chestnut of ensuring that a good information security management system (ISMS) is in place, which means, amongst other things, a good and effective set of change management procedures coupled with a proactive patching policy and an effective, granular access and authentication (AA) regime. The ISMS should, ideally, be ISO 27001 certified but, as an absolute minimum, should be Cyber Essentials certified.
As far as detection and investigation are concerned, it is going to depend on the size of the company and the funds available for technology. As a minimum, it is recommended that users be educated to recognise and report odd behaviour on the local network (such as things taking longer than normal to complete, very slow responses or unusual timestamps on files).
Companies should also deploy network monitoring and analysis tools and there are a range of free tools that small to medium-sized enterprises (or indeed larger organisations) can use, such as Spiceworks, Nagios Core, Cacti, PRTG and Microsoft Network Monitor to mention just a few.
There is a range of paid-for products, such as LogRhythm or Splunk, that cater for the larger enterprise and have the advantage of being able to issue automated alerts. To be fair, some of the “free” products also offer alerting, but the paid-for products generally offer better analytics and alerting functions. Be aware, however, that it will take time (from a few weeks to a few months) to “tune” a monitoring tool such that any alerting is meaningful and not spurious.
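To make the "tuning" point concrete, here is an added example (not code from the original article or from any of the products named) showing why a flat, untuned threshold produces spurious alerts while a per-host baseline does not. The flow-log format, the host names and the byte counts are all constructed for this illustration; the detection logic is a simple mean-plus-sigma rule over each host's own daily outbound volume, which is one of the basic ways a monitoring tool flags possible data exfiltration.

```python
"""Added example: baseline-based outbound-volume alerting over constructed flow logs."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log. Format (assumed, not any real product's):
#   "<day> <source host> <destination IP> <bytes sent>"
# ws-022 is a busy-but-normal host; ws-014 sends an unusually large volume on 03-05.
SAMPLE_FLOWS = """\
2018-03-01 ws-014 203.0.113.10 120000
2018-03-01 ws-014 203.0.113.11 95000
2018-03-01 ws-022 198.51.100.7 300000
2018-03-02 ws-014 203.0.113.10 110000
2018-03-02 ws-022 198.51.100.7 310000
2018-03-03 ws-014 203.0.113.10 130000
2018-03-03 ws-022 198.51.100.9 290000
2018-03-04 ws-014 203.0.113.10 115000
2018-03-04 ws-022 198.51.100.7 305000
2018-03-05 ws-014 203.0.113.10 125000
2018-03-05 ws-014 203.0.113.44 9000000
2018-03-05 ws-022 198.51.100.7 300000
"""


def parse_flows(text):
    """Aggregate the log into host -> {day -> total bytes out}."""
    per_host_day = defaultdict(lambda: defaultdict(int))
    for line in text.splitlines():
        if not line.strip():
            continue
        day, host, _dst_ip, nbytes = line.split()
        per_host_day[host][day] += int(nbytes)
    return per_host_day


def naive_alerts(per_host_day, fixed_threshold):
    """Untuned rule: one flat byte threshold for every host.

    Fires every day on any host whose normal traffic is above the threshold,
    which is exactly the spurious alerting the article warns about.
    """
    return sorted(
        (host, day)
        for host, days in per_host_day.items()
        for day, total in days.items()
        if total > fixed_threshold
    )


def baseline_alerts(per_host_day, day, sigma=3.0, min_history=3):
    """Tuned rule: compare `day` with the host's own earlier days.

    A host is flagged only when its volume exceeds its historical mean by more
    than `sigma` standard deviations. `sigma` and `min_history` are the knobs
    an analyst adjusts during the tuning period.
    """
    alerts = []
    for host, days in per_host_day.items():
        history = [total for d, total in days.items() if d < day]
        if len(history) < min_history or day not in days:
            continue  # not enough history yet to judge this host
        mu, sd = mean(history), pstdev(history)
        limit = mu + sigma * max(sd, 1.0)  # floor avoids a zero-width band on flat baselines
        if days[day] > limit:
            alerts.append((host, day, days[day], round(mu)))
    return alerts


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    print("flat threshold (250 kB/day):", naive_alerts(flows, 250_000))
    print("per-host baseline, 2018-03-05:", baseline_alerts(flows, "2018-03-05"))
```

With the constructed data the flat threshold raises six alerts, five of them on ws-022 simply because it is a busy host; the per-host baseline raises a single alert, on ws-014 for 2018-03-05, whose volume is far above its own average of about 142 kB. In a real deployment the baseline window, the sigma multiplier and the minimum history are the values that need weeks of observation to settle, which is the tuning time the paragraph above refers to.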
Where IT is outsourced, the requirements outlined above should be included in any contractual terms. Remember, while a company can outsource its IT, it cannot outsource its responsibility under GDPR (or any regulatory or legal requirement), i.e. you cannot say “I’m paying you to do my IT so security and GDPR compliance is over to you as well”.
As a company, you will need to specify what is required for compliance – albeit without getting into the nuts and bolts – but in sufficient detail to allow the outsourcer to develop appropriate mechanisms.