If affected parties, such as customers, are not notified within 72 hours, companies risk fines of up to 4% of their global revenues. This short ‘window of responsibility’ is going to be a big reality check for many companies.
The real risk comes from the potential for significant brand damage if a breach is made public without a true understanding of the nature and impact of the breach. A well-known example of this is the TalkTalk notification a couple of years ago, where executives made the morally responsible decision to make public the loss of customer data, but without a true understanding of the facts of the attack. This led to huge losses in brand value, revenue and market valuation.
To avoid this scenario, but still comply with Article 33, many will need to make serious changes to their systems, operations and procedures to be capable of accurately communicating the details of a breach within the deadline GDPR imposes.
There is no silver bullet that can completely solve the complex problem of meeting GDPR’s breach reporting obligations. However, there are things that companies can do to prepare themselves. Having the necessary tools, and collecting the right information, can ensure that when a breach occurs, analysts can investigate it quickly and conclusively and the organisation can respond appropriately.
A key asset in breach investigation is access to a packet-level history of network activity. Network History is invaluable because it shows, definitively, what happened. Moreover, access to a detailed source of Network History lets companies investigate security events more quickly, reducing the risk that an unexamined threat leads to a more serious breach.
Having access to Network History when you need it requires implementing specialised packet-capture and recording appliances – network recorders – at key points on your network. These network recorders access the network using a tap, or from the SPAN port on a switch or router – which makes them completely invisible on the network being monitored. This means the recorded data can be relied on as tamper-proof evidence of activity on the network – unlike log files and other evidence that could have been tampered with by the attacker.
These network recorders must be deployed and recording in “always on” mode in order to capture evidence of attacks. Deploying network recording after the fact is a little like turning on your CCTV camera after a burglary – it’s too late by then.
While preparation is key to preventing the preventable, it’s also key to identifying and minimising loss should a breach occur. Companies that actively monitor their networks use tools such as Intrusion Detection (IDS), Behavioural Anomaly Detection, and Artificial Intelligence (AI) to analyse traffic on the network and raise alerts when potentially malicious activity is detected.
But when it comes to investigating the alerts that are raised, these analytics tools don’t provide the level of detail needed to determine definitively what took place. They’ll tell you something happened, but you need to investigate the event much more deeply to understand what that event was and whether it’s serious or not. In the event of a breach, knowing for certain what happened, how it happened and what the impact is, and doing that quickly, is critical.
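The workflow described above, going from an IDS alert back to the recorded packets and summarising what actually moved over the wire, as an added example that is not part of the original article or any vendor product. It writes a small, constructed pcap file in memory (hypothetical hosts 10.0.0.5, 10.0.0.20 and 198.51.100.7, synthetic timestamps), parses it with the standard library only, and then pulls out the packets around a constructed alert timestamp so an analyst can see which flows the alert refers to and how much data each carried:

```python
import struct
from dataclasses import dataclass

# Classic libpcap layout: 24-byte global header, then per-packet records.
# Magic 0xA1B2C3D4 written little-endian = microsecond timestamps.
PCAP_MAGIC = 0xA1B2C3D4


def _pcap_global_header():
    # magic, version 2.4, thiszone, sigfigs, snaplen, linktype 1 (Ethernet)
    return struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, 1)


def _tcp_packet(src, dst, sport, dport, payload):
    """Build a minimal Ethernet/IPv4/TCP frame (checksums left at zero)."""
    eth = b"\x00" * 12 + b"\x08\x00"  # MACs zeroed, EtherType IPv4
    total_len = 20 + 20 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))),
                     bytes(map(int, dst.split("."))))
    # data offset 5 words (0x50), flags PSH|ACK (0x18)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 0x50, 0x18, 65535, 0, 0)
    return eth + ip + tcp + payload


def build_pcap(packets):
    """packets: list of (timestamp_float, frame_bytes) -> pcap file bytes."""
    out = bytearray(_pcap_global_header())
    for ts, frame in packets:
        sec = int(ts)
        usec = int(round((ts - sec) * 1_000_000))
        out += struct.pack("<IIII", sec, usec, len(frame), len(frame))
        out += frame
    return bytes(out)


@dataclass
class Packet:
    ts: float
    src: str
    dst: str
    sport: int
    dport: int
    payload: bytes


def parse_pcap(blob):
    """Parse the pcap bytes, keeping IPv4/TCP packets only."""
    (magic,) = struct.unpack_from("<I", blob, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("unsupported pcap magic")
    off, packets = 24, []
    while off + 16 <= len(blob):
        sec, usec, incl_len, _ = struct.unpack_from("<IIII", blob, off)
        off += 16
        frame = blob[off:off + incl_len]
        off += incl_len
        if frame[12:14] != b"\x08\x00" or frame[23] != 6:
            continue  # not IPv4 over TCP
        ihl = (frame[14] & 0x0F) * 4
        src = ".".join(map(str, frame[26:30]))
        dst = ".".join(map(str, frame[30:34]))
        tcp_off = 14 + ihl
        sport, dport = struct.unpack_from("!HH", frame, tcp_off)
        data_off = ((frame[tcp_off + 12] >> 4) & 0x0F) * 4
        payload = frame[tcp_off + data_off:]
        packets.append(Packet(sec + usec / 1e6, src, dst, sport, dport, payload))
    return packets


def packets_around(packets, alert_ts, window_s=2.0):
    """Return recorded packets within +/- window_s of an alert timestamp."""
    return [p for p in packets if abs(p.ts - alert_ts) <= window_s]


def summarise(packets):
    """Per-flow payload volume, (src, dst, dport) -> bytes, largest first."""
    totals = {}
    for p in packets:
        key = (p.src, p.dst, p.dport)
        totals[key] = totals.get(key, 0) + len(p.payload)
    return sorted(totals.items(), key=lambda kv: -kv[1])


# Constructed sample traffic (hypothetical hosts, synthetic timestamps).
T0 = 1_500_000_000.0
SAMPLE = [
    (T0 + 0.0, _tcp_packet("10.0.0.5", "10.0.0.20", 50000, 443, b"A" * 100)),
    (T0 + 0.5, _tcp_packet("10.0.0.20", "10.0.0.5", 443, 50000, b"B" * 200)),
    (T0 + 10.0, _tcp_packet("10.0.0.5", "198.51.100.7", 50001, 22, b"C" * 500)),
    (T0 + 10.3, _tcp_packet("10.0.0.5", "198.51.100.7", 50001, 22, b"C" * 500)),
    (T0 + 10.6, _tcp_packet("10.0.0.5", "198.51.100.7", 50001, 22, b"C" * 500)),
    (T0 + 30.0, _tcp_packet("10.0.0.5", "10.0.0.20", 50002, 443, b"D" * 50)),
]
# Constructed IDS alert: "unusual outbound transfer from 10.0.0.5" at T0+10.4.
ALERT_TS = T0 + 10.4


def investigate(blob=None, alert_ts=ALERT_TS, window_s=2.0):
    """Alert triage: which flows were active around the alert, and how big."""
    recorded = parse_pcap(blob if blob is not None else build_pcap(SAMPLE))
    return summarise(packets_around(recorded, alert_ts, window_s))


if __name__ == "__main__":
    for (src, dst, dport), nbytes in investigate():
        print(f"{src} -> {dst}:{dport}  {nbytes} payload bytes")
```

The point of the example is the gap the text describes: the alert alone says only that 10.0.0.5 did something unusual, while the packet record pins it to a single flow, its destination and the volume transferred. In a real deployment the recorder writes to a rolling store and the lookup is a time-bounded query against it rather than a full parse; the same correlation step applies.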
This is valuable information that can otherwise take months to compile from log files and metadata – much too slow and inconclusive a process to provide the insight needed for timely and accurate notification of the breach. With GDPR fast approaching, companies need to ensure they can get to the bottom of breaches quickly and communicate the details to affected parties within GDPR’s tight time constraints. Failure to meet these obligations could be extremely expensive – not just in fines, but in legal costs, lost customers and declining share value.
No organisation is impenetrable. Being prepared to respond to a breach is becoming increasingly critical to all businesses. 2017 has been a year of major breaches, and the media attention they have attracted has caused many companies to start to think about whether they could respond to a breach adequately or not. The looming shadow of GDPR, and the obligations it imposes, is raising this issue even higher up the corporate agenda. Which is, of course, exactly what the regulation was designed to achieve – to get companies to take the issue of security more seriously.
With greater visibility into what is happening and what has already happened on their networks, companies are far more breach ready. The evidence they need to quickly understand a breach and communicate accurately about it is at their fingertips. This will not only help them to stay on the right side of the upcoming GDPR regulations, but also allow them to minimise the losses should they become the victim of a major breach in the future.