Reducing dwell has never been more important

Under the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, an organisation must notify the Information Commissioner's Office (ICO) of a personal data breach within 72 hours of becoming aware of it, where feasible.

For the IT world this means a security breach that allowed, or could have allowed, the exfiltration of data that, by itself or in combination with other data, identifies individual people (note that this includes IP addresses and cookies).

The fines the ICO can levy under GDPR are potentially very large (up to €20 million or 4% of global annual turnover, whichever is greater), and an organisation suffering a personal data breach is also open to civil action, which could dwarf any ICO fine.
In those circumstances, the quicker a breach is discovered and corrective action taken, the more likely it is that the ICO will take the speed of detection and response into account as mitigation when setting the level of a fine.
According to security firm FireEye, in 2017 the average time for organisations to detect breaches of their IT security was 175 days, an increase of some 40% over 2016. With GDPR due to come into force in May, such times to detect are not good news.
How can a company improve the time it takes to detect a security breach and investigate it well enough to know whether personal data was exfiltrated? The answer has two parts: preparation and prevention on the one hand, and detection and investigation on the other.
Preparation and prevention is the old chestnut of ensuring that a good information security management system (ISMS) is in place, which means, among other things, an effective set of change management procedures coupled with a proactive patching policy and a granular access and authentication (AA) regime. Ideally the ISMS should be ISO 27001 certified; as an absolute minimum it should be Cyber Essentials certified.

As far as detection and investigation are concerned, the approach will depend on the size of the company and the funds available for technology. As a minimum, users should be educated to recognise and report odd behaviour on the local network, such as tasks taking longer than normal to complete, very slow responses, or unusual timestamps on files.
Companies should also deploy network monitoring and analysis tools. There is a range of free tools that small and medium-sized enterprises (or indeed larger organisations) can use, such as Spiceworks, Nagios Core, Cacti, PRTG and Microsoft Network Monitor, to mention just a few.
There is also a range of paid-for products, such as LogRhythm or Splunk, that cater for the larger enterprise and have the advantage of issuing automated alerts. To be fair, some of the free products also offer alerting, but the paid-for products generally offer better analytics and alerting functions. Be aware, however, that it will take time (from a few weeks to a few months) to tune a monitoring tool so that its alerts are meaningful rather than spurious: every alert an analyst has to dismiss as noise is time not spent on the one that matters.
Where IT is outsourced, the requirements outlined above should be included in the contractual terms. Remember that while a company can outsource its IT, it cannot outsource its responsibility under GDPR (or any other regulatory or legal requirement): you cannot say "I'm paying you to do my IT, so security and GDPR compliance are over to you as well".
As the customer, you will need to specify what is required for compliance, without getting into the nuts and bolts but in sufficient detail to allow the outsourcer to develop appropriate mechanisms.
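As an added example, not from the original article or from any of the monitoring tools it names, here is the kind of per-host baseline rule that sits behind a "large outbound transfer" alert, run over constructed daily outbound byte counts (the hostnames and volumes are invented). It shows why the tuning the text mentions matters: with a tight threshold and no floor the same data raises several alerts, most of them the ordinary variation of a developer workstation; after the threshold and an absolute floor are adjusted, only the quiet finance host's sudden 2.4 GiB upload is reported.

```python
"""Per-host outbound-volume baseline with a tunable alert threshold.

Added example: a minimal version of the "tuning" step the text describes,
run over constructed daily byte counts rather than real collector output.
"""
from collections import defaultdict
from statistics import mean, pstdev

MIB = 1024 * 1024

# Constructed sample data (not from any real network): daily outbound bytes per
# workstation, as a flow collector or web proxy would summarise them.
# ws-finance-01 is a quiet host whose final day shows a large upload;
# ws-dev-07 legitimately pushes large builds, so its volume varies widely.
SAMPLE_RECORDS = (
    [("ws-finance-01", day, mib * MIB) for day, mib in enumerate(
        [48, 52, 50, 47, 53, 49, 51, 50, 46, 54, 50, 49, 52, 48, 2400], start=1)]
    + [("ws-dev-07", day, mib * MIB) for day, mib in enumerate(
        [300, 650, 420, 780, 510, 390, 700, 260, 820, 450, 600, 340, 710, 480, 900],
        start=1)]
)


def is_anomalous(value, history, k, floor_bytes):
    """True if value exceeds the host's own mean by k standard deviations AND
    by at least floor_bytes. The absolute floor stops a very quiet host from
    alerting on a few megabytes of ordinary day-to-day variation."""
    mu = mean(history)
    sigma = pstdev(history)
    return value > mu + k * sigma and value - mu > floor_bytes


def detect(records, k=3.0, floor_bytes=100 * MIB, min_history=7):
    """Evaluate each day against that host's earlier days (rolling baseline).
    Returns a list of (host, day, bytes_out) alerts in (host, day) order."""
    per_host = defaultdict(list)
    for host, day, bytes_out in sorted(records, key=lambda r: (r[0], r[1])):
        per_host[host].append((day, bytes_out))

    alerts = []
    for host, series in per_host.items():
        for i, (day, bytes_out) in enumerate(series):
            if i < min_history:
                continue  # not enough history to call anything anomalous yet
            history = [b for _, b in series[:i]]
            if is_anomalous(bytes_out, history, k, floor_bytes):
                alerts.append((host, day, bytes_out))
    return alerts


if __name__ == "__main__":
    # Untuned rule (1 sigma, no floor) versus tuned rule (3 sigma, 100 MiB floor).
    for label, k, floor in (("untuned", 1.0, 0), ("tuned", 3.0, 100 * MIB)):
        hits = detect(SAMPLE_RECORDS, k=k, floor_bytes=floor)
        print(f"{label}: k={k}, floor={floor // MIB} MiB -> {len(hits)} alert(s)")
        for host, day, bytes_out in hits:
            print(f"  {host} day {day}: {bytes_out // MIB} MiB out")
```

The two knobs do different jobs: `k` scales the threshold to each host's own variability, which is what keeps the build-pushing developer box quiet, while `floor_bytes` is an absolute minimum that stops a host with an almost flat baseline from alerting on noise. Real tuning is the same loop at larger scale: run the rule over a few weeks of history, look at what it flags, and adjust the parameters (or add per-group baselines) until the survivors are worth an analyst's time.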