With the European Union General Data Protection Regulation (EU-GDPR) going into effect May 25, companies are scurrying to prep themselves. One aspect that could call for sweeping changes to data management processes is Article 33 of GDPR. Under this requirement, companies must notify the appropriate authorities within 72 hours after having become aware of a breach.
This requires increased education and awareness among employees, investment in technologies known as user behavior analytics and the deployment of AI-powered network monitoring tools to help companies comply with the GDPR breach notification rule, according to Csaba Krasznay, security evangelist at Hungarian security firm Balabit Corp., which was recently acquired by One Identity.
In this Q&A, Krasznay explains why the 72-hour breach notification period may not be feasible in most cases, offers advice on how to accelerate an organization's breach notification process and explains why companies should align their incident response processes with GDPR specifications.
Is the 72-hour time period under the GDPR breach notification rule practical?
Csaba Krasznay: Following discussions with IT security professionals and privacy experts, we can say that the 72-hour breach period is practical, but, in most cases, not feasible. It's practical because it allows users and authorities to perform the necessary countermeasures such as a password change to prevent the breach from escalating. However, it is not always feasible, as most of the organizations under GDPR simply do not have the necessary skills and tools to reveal that a breach has even occurred.
In what ways can organizations accelerate their breach reporting process? Are there AI tools that could automate breach response processes?
Krasznay: Organizations can accelerate their breach reporting process by increasing education and awareness throughout the company. This means they will need to document and justify their management and response processes to give employees the steps for both internal incident reporting and external notifications ahead of time.
Another way to accelerate the breach reporting process is through continuous monitoring. Organizations must closely monitor IT administrators' activities in real time to weed out any suspicious behavior that might suggest hijacked credentials.
With AI-automated tools, organizations can ensure monitoring is happening continuously and in real time, putting them in a better place to shorten breach and threat discovery and, ultimately, avert or minimize breach impacts.
Lastly, organizations must be prepared to come clean. Many companies would rather pay a ransom in untraceable Bitcoins than be blamed publicly for a hack, but they won't be able to do this for long. GDPR stipulates mandatory incident reporting for companies that handle personal data.
For companies to stay compliant with the GDPR breach notification rule, IT and information security divisions must step up their game. Any tips on how that can be done?
Krasznay: For companies with a functional security team, the exercise is obvious: Sharpen the incident management process. More specifically, invest in technology such as user behavior analytics to identify breaches as soon as possible. That being said, we shouldn't forget that GDPR is applicable to all organizations managing the private data of European citizens. Therefore, even a pizzeria with an online ordering system can be fined in the case of an incident. For such companies, managed security services and secure hosted solutions can be an escape route.
Do companies need to modify their incident response plans and internal security culture to ensure they meet the GDPR breach notification rule?
Krasznay: Based on Eurostat's data, in the European Union, only 32% of organizations have a formally defined information and communication technologies security policy. Therefore, two-thirds of EU-based companies need to define their security culture and plans.
The other third should understand the importance of GDPR and align their practices to its requirements. While this requirement shouldn't cause a huge change in existing processes, for some organizations additional human resources and an investment in new technologies may be required.
How important is the implementation of strong training and awareness campaigns to speed up the breach notification process?
Krasznay: Independently from the GDPR, companywide awareness training is the key to a successful cyberdefense system. All employees should understand how cyberattacks happen and what their responsibility is in the event of an attack.
Those who are responsible for private data management need to adhere to GDPR requirements. Currently, awareness and understanding of GDPR is very low, so company trainings will be essential in ensuring that everyone is in compliance with GDPR.
Moreover, data protection authorities should publish a best practices document that employees can reference. One of the barriers to expedited reporting is a lack of knowledge of the reporting process.