Is your Data Covered by the EU General Data Protection Regulation?


In May 2018, when the EU General Data Protection Regulation (GDPR) becomes effective, the definition of “privacy data” will be widened substantially. The core of the EU GDPR is the concept of “personally identifiable data.” This should be interpreted very broadly as “data, which can identify a specific person.”

Apart from name, photo and email address, the new definition of personally identifiable data also comprises, among other things, bank data, social media posts, health information, and IP addresses.

Furthermore, the EU GDPR includes a special category of particularly sensitive data. This comprises, e.g., crime registry data, fines, biometric and genetic data, as well as personal profiling data as known from social media or targeted internet advertising based on cookies.

No complete list available

There is, however, no exhaustive list of what is considered personally identifiable data according to the EU GDPR, so, if in doubt, it is highly recommended to seek legal counsel.

The EU GDPR is also very strict when it comes to businesses’ compliance with the new set of regulations, and non-compliance is subject to enormous fines. To be compliant, businesses must account for who has access to privacy data, and they must be able to document the processes and technologies for internal as well as external processing of such data.

As controller, a business using personally identifiable data is required to document agreements with third party suppliers (processors). In cases where a subcontractor uses services from other third party suppliers, the business itself, in its capacity as controller, will be responsible for ensuring compliance with the EU GDPR throughout the entire supply chain.

Requirements of active consent

One of the most important changes in the EU GDPR is the requirement for explicit consent from the person granting access to his or her data. Businesses must ensure that the consent is active, meaning that the person actively decides what his or her data may be used for.

This implies an extended notification duty for businesses: they must state specifically what each data set will be used for. Also, the person giving consent must be able to withdraw consent at any time.

The EU GDPR entitles each citizen to have their data transferred between service providers. This could, for instance, be the case, if a person wishes to change his or her pension or telecommunications provider.

The EU GDPR will implement the “right to be forgotten” principle, which means that a person can demand that data concerning him or her be erased or returned. If a business has transmitted the information to a third party, the business must communicate the request for erasure to the party to which the data was transmitted. This means that businesses must be very well prepared and able to document the presence of personally identifiable data as well as the processing of this data.

Nevertheless, there are some exceptions to this principle. This could be data transmitted to public or tax authorities, which individuals are obliged to provide. Hence, it is advisable to seek legal advice to find out whether the business is obliged to provide such information.

Tight restrictions for data profiling

As a third example, we see the EU GDPR imposing quite tight restrictions on the automated processing of personal data for profiling.

As a general rule, the business cannot make a decision concerning a customer based solely on automated processing of the person’s registered data. This may comprise data about a person’s private finances, health, personal preferences, travel patterns or data related to employment conditions or recruitment. Here, the businesses must have the person’s consent to make use of his or her personal data.

Omada’s approach to continuous compliance

As described, the EU GDPR places heavy demands on businesses: they must know which data is being stored, and they must control and be fully aware of how this data is stored and processed.

This is no trivial task, and in many businesses, it will have a severe impact on the employees, working processes and technologies the businesses use for their processing of personal data. So, it is important that you start working on this task now.

At Omada, we help businesses get an overview and take charge of the personal data the business is storing, who is responsible for the data, which processes must be in place, and which technologies can keep the business in control of the data and secure compliance with the EU GDPR.

Omada has developed a guide that outlines eight steps to EU GDPR compliance and helps businesses make sure they comply with all elements of the new regulation. This guide contains a number of steps which we believe you must complete to ensure your business adheres to the new requirements and remains compliant going forward.

The guide is available free of charge by clicking here: “Prepare for the EU GDPR”

New EU Regulations put your Business at Risk

By Morten Boel Sigurdsson, Omada CEO

The threat of large fines in the coming EU General Data Protection Regulation (GDPR) may drive companies across industries to transfer the responsibility for protecting personal data to the companies they cooperate with.


One of the most frequently mentioned innovative features of the EU GDPR is that companies that compromise personal data can be fined up to four per cent of their annual global turnover. This applies to all companies that are responsible for such data, and not just large companies such as Facebook and Google. For these companies, this means that they can be subject to fines of an astronomic magnitude.

In purely legal terms, companies acting as data controllers are responsible for protecting the data that is covered by the new EU rules.

Data Controllers are Transferring the Risks

There are already examples of companies – particularly large ones – attempting to protect themselves from the financial risk by transferring full responsibility for it to their cooperation partners: IT suppliers, but also other types of cooperation partners that process the company’s personal data.

Even today, we see that many companies are expanding their data processor agreements, which they enter into with their cooperation partners and suppliers. The consequence is that a mid-sized company that cooperates with a large company can be made disproportionately financially responsible for a fine due to a data leak.

Therefore, we see that many businesses will be reluctant to sign such agreements in their existing form when they understand the risk that they actually would accept.

Take, for example, a small IT supplier with a turnover of EUR 40 million that has a customer with a turnover of EUR 1 billion. In the event of a data leak, the supplier could face fines corresponding to its entire annual turnover.

Thus, the regulation creates what I would call an asymmetric risk, in which the risk that the supplier is asked to cover most often far exceeds the value of the commercial agreement.

This is a dramatic risk, for which the supplier will hardly be able to get liability insurance coverage. In many countries, it is even a principle that you cannot take out insurance against this type of fine.

The extent to which a company would sign such agreements depends on a number of things, including the company’s policies and willingness to take risks.

Strong Risk Management as a Competitive Advantage

A responsible management would want to control such a risk, and the only way to reduce the risk, other than negotiating reasonable agreements, is to be in control of security procedures and processes so that they meet the regulatory requirements.

In this way, strong risk management becomes a competitive parameter: a company whose security conditions are under control can enter into agreements that others would not be able to.

This is because, if a company can document it has done everything that can be expected organizationally, process-wise and technologically, any fines would be dramatically reduced or be completely void.

Companies that can provide such evidence will consequently have a major competitive advantage when the EU’s new rules on the protection of personally identifiable and sensitive data come into force in just over a year.

The prospect of the coming EU regulation has already led to many companies becoming more conscious of the fact that they are not in control of their processes and security to the required degree.

Thus, companies failing to document that they take good care of their customers’ data will face a major challenge when the EU General Data Protection Regulation enters into application next year.

Establish a 100% Overview

At Omada, as a supplier of security solutions, we find that our customers would like to have a 100 per cent overview of the task they are facing in securing their data processing.

It is not just a matter of securing against malware or more-or-less ingenious attempts at hacking, but just as much a matter of ensuring that only relevant employees have access to sensitive personal data.

We experience a great demand for clear instructions about how a company can be in control of its risk with regard to EU GDPR, so that it can be turned into a competitive advantage by being at the leading edge.

E-Book: Prepare for the EU GDPR

Omada has published an e-book which provides step-by-step guidance on getting prepared for 2018 and minimizing risks. Download Omada’s new e-book: “Prepare for EU GDPR”.


Adhering to Security and Compliance Standards Can Save You Big Bucks on Software License Spends and Audits

Ensuring compliance and improving IT security are not the only benefits for organizations that adhere to the information security standards and regulations pertaining to access and identity control outlined in e.g. ISO27002, and in the EU GDPR[1].

By Santeri Kangas, Omada CTO


Standards and regulations on identity and access management require organizations to keep a tight ship when it comes to end-user provisioning. Allocating access rights and privileges when onboarding and off-boarding employees and contractors, and updating existing users’ rights, is – quite rightly – considered a key discipline in protecting data, users, customers and the business from the consequences of data leaks and hacks.

From a security and compliance perspective, it is paramount to have full and updated visibility and control of who has access to data, applications and systems. With visibility and control, the organization is able to respond appropriately to security risks and incidents, prioritize remediation and mitigation efforts, and document and understand the actual state of access rights.

Keeping track of and controlling access to data, systems and applications cannot be done manually in today’s digitized business environments – it requires automated identity management and access governance tools to continuously provision users with the rights and privileges they need (and remove those they no longer need) to do their jobs.

The upside is that while regulatory compliance and security concerns continue to drive many user-provisioning implementations, there are large efficiency and cost-saving benefits to be had, too, from automated provisioning:

Less software over-spending and true-up penalties with efficient provisioning

Where provisioning of rights and licenses can happen instantly, as it can in organizations that have a well-oiled identity and access management machine in place, the number of people using a piece of software will match the licenses held by the company at any given time.

When the organization strikes a perfect balance in ensuring that just the relevant people are provided with no more than the software licenses they are entitled to, and need, in order to do their jobs, the organization wins on two fronts:

  • Over-spending is minimized – the organization always has a full and updated overview of users and software licenses in use. Software license overspending on “shelfware” – unused licenses – represents a large chunk of a company’s software spend.
  • License compliance is also made more efficient and cheaper – large software vendors’ costly and time-consuming practice of auditing customers of all sizes for software license compliance is something most organizations dread.

The audit fees and ‘true-up’ penalties organizations incur[2] for unlicensed over-usage of the vendor’s software can be notably reduced if the organization has continuous and full visibility of the number of users of a specific piece of software, and is able to document usage to the software vendor.

The 2016 report “The State of the (Software) Estate”[2] from software asset management leaders Flexera Software documents that most organizations are unnecessarily wasting significant portions – as much as 25 percent – of their enterprise software budget. So looking for ways to optimize user provisioning and software licensing is a good place to start for organizations that want to spend a little less.

Higher degree of accuracy with fewer resources

Through automated identity management, it is possible to achieve a far higher degree of accuracy and agility in software licensing processes, remove redundant practices, reduce human error, and improve the relevance and diligence of company IT procedures and policies.

Automation reduces the time-consuming and resource-intensive processes related to access to IT systems, and through business-enabling processes that facilitate and provide user provisioning and administration according to company policy, it is possible to streamline management of software licenses, and improve documentation.

By ensuring current and valid approval of all users, accounts, and access across any system – outsourced or self-managed, on-premises, hosted, or in the cloud – compliance with security standards for access control is achieved.

Plus, you’ll save a pretty penny, too!

If you have questions or comments, feel free to drop me a line.

Kind regards,

Santeri Kangas

Omada CTO


About Santeri Kangas: Omada CTO Santeri Kangas has 25 years of experience in cybersecurity and cloud computing, and a commendable track record in building award-winning security software products for consumers, operators and enterprises.


[1] EU GDPR: http://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32016R0679&from=EN
    ISO27000: http://www.iso.org/iso/home/standards/management-standards/iso27001.htm
[2] Flexera Software: “The State of the (Software) Estate: Waste Risk Running Rampant in Enterprises. A 2016 Key Trends in Software Pricing & Licensing Survey Report.” http://learn.flexerasoftware.com/SLO-WP-State-Software-Estate-Survey
    “44 percent of respondents (compared to only 25 percent the year before) report that their true-up cost paid to vendors was $100,000 or more. 20 percent of enterprises (up from only 9 percent the year before) report that their true-up costs were $1,000,000 or more.”

Stolen Credentials are a Core Attack Tool in the APT Anatomy

Hackers exploit user credentials in advanced persistent threat attacks, to gain foothold and move around in the organization

By Santeri Kangas, Omada CTO


Advanced Persistent Threat (APT) attacks typically target organizations in sectors with highly valuable information, and sectors that play a pivotal role in the stability of nation states – for example the financial industry, government, manufacturing and the energy and utilities industry, all of which are critical to a country’s infrastructure.

Crime, warfare, espionage and terrorism are present in the digital world as much as in the physical world, and organizations in these domains are being targeted by increasingly sophisticated attacks, as high-profile targets for criminal organizations and nation states wishing to damage their critical infrastructure or steal valuable data.

How does an APT work?

The point of APTs is that they are designed to go undetected, tapping the hacked environment for information over long periods of time.

APTs are devised and executed by professionals, not by amateur hackers. Behind APT attacks are organizations that focus their time and resources on understanding how to execute attacks on specific organizations – they do their research and collect information on the targeted organization, and customize the tools best suited for the attack. Usually, the APT attack is comprised of a variety of execution tactics and tools. An APT often starts off with a fairly trite piece of social engineering – a simple PDF to the HR department, or similar – carrying an exploit for a software vulnerability (publicly known vulnerabilities and zero-day vulnerabilities in applications are popular among hackers as entry points, and as enablers of privilege escalation).

Credentials are the key to the kingdom

Once hackers are in the system, user credentials are the key to the kingdom: User credentials – particularly administrative credentials, with extensive access rights – are a core attack tool in APT attacks, and what the attackers use, to gain the initial foothold in the organization and then move further into the infrastructure.

The hackers navigate the infrastructure, identifying users with the required access rights to the data and systems from which the hackers wish to extract information. In an environment where there is little or no control, maintenance and monitoring of changes in user rights and actual usage, it is easy for the intruders to lurk undetected within the infrastructure, and manipulate privileges to gain ever more – and more specific – access to the most sensitive and valuable corporate treasure chests.

How to minimize the damage from an APT

While there is little an organization can do to prevent being hacked, there is plenty the organization can do to make it difficult for hackers to get to their target, and to protect the data the hackers are trying to steal.

At the very top of the “What to do” list, is to ensure that no individual users have access to more data and systems than they need, and that the organization is able to respond quickly and effectively, by suspending compromised accounts, and locking down access the instant a breach is detected.

The organization needs to be able to:

  • Map all accounts and access rights and credentials to obtain visibility of data access
  • Identify the highly sensitive systems/data stores, and users that have access to these – users with access to e.g. SWIFT payment gateways or classified intellectual property
  • Detect anomalies in the account usage – if access credentials have been changed outside the governance controls, or other indications of compromise
  • Organize efficient incident response workflows and automation to respond quickly, by locking down compromised accounts or revoking access to classified systems and data stores
  • Cut down the time required for forensics response with efficient workflows and reports that provide the information forensics teams need when analyzing the attack
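The first four capabilities in the list above can be exercised on a plain entitlement snapshot. The following is an added example (not Omada code or a product API) that assumes entitlements are strings of the form "system:role", that the governance workflow records every approved grant per account, and that a list of sensitive systems exists; all account names, entitlements and the approval records are constructed sample data.

```python
"""Access-governance checks over a constructed entitlement snapshot.

Added example (not Omada code). Assumes entitlements are "system:role"
strings and that approved grants are recorded per account.
"""
from collections import defaultdict

# Constructed sample: entitlements as the identity system currently sees them.
LIVE_ENTITLEMENTS = {
    "jdoe":          {"hr-db:reader", "mail:user"},
    "contractor-42": {"hr-db:reader", "mail:user", "swift-gateway:operator",
                      "ip-vault:reader", "erp:admin", "fileshare:writer"},
    "admin-eve":     {"ad:domain-admin", "mail:user", "ip-vault:reader"},
    "svc-backup":    {"fileshare:reader"},
}

# Constructed sample: grants that went through the approval workflow.
APPROVED_GRANTS = {
    "jdoe":          {"hr-db:reader", "mail:user"},
    "contractor-42": {"hr-db:reader", "mail:user", "erp:admin", "fileshare:writer"},
    "admin-eve":     {"ad:domain-admin", "mail:user", "ip-vault:reader"},
    "svc-backup":    {"fileshare:reader"},
}

ACCOUNT_TYPE = {"jdoe": "employee", "contractor-42": "contractor",
                "admin-eve": "employee", "svc-backup": "service"}

# Systems whose compromise is critical (the post's examples: a payment
# gateway, classified intellectual property); "ad" is the directory itself.
SENSITIVE_SYSTEMS = {"swift-gateway", "ip-vault", "ad"}

# Number of distinct systems one identity may reach before the accumulation
# is reviewed; contractors and service accounts get tighter limits (assumed).
MAX_SYSTEMS = {"employee": 5, "contractor": 3, "service": 1}


def system_of(entitlement):
    """'swift-gateway:operator' -> 'swift-gateway'."""
    return entitlement.split(":", 1)[0]


def ungoverned_access(live, approved):
    """Entitlements in the live snapshot that no approval record covers,
    i.e. rights that changed outside the governance controls."""
    findings = []
    for account, rights in live.items():
        for right in sorted(rights - approved.get(account, set())):
            findings.append((account, right))
    return findings


def sensitive_access(live, sensitive):
    """Map each sensitive system to the accounts that can reach it."""
    exposure = defaultdict(set)
    for account, rights in live.items():
        for right in rights:
            if system_of(right) in sensitive:
                exposure[system_of(right)].add(account)
    return {system: sorted(accounts) for system, accounts in exposure.items()}


def accumulated_rights(live, account_type, limits):
    """Accounts whose rights span more distinct systems than their type allows."""
    findings = {}
    for account, rights in live.items():
        systems = {system_of(r) for r in rights}
        if len(systems) > limits[account_type[account]]:
            findings[account] = len(systems)
    return findings


def lockdown_plan(live, compromised, sensitive):
    """Ordered revocation list for a compromised account: sensitive systems
    first, so the most valuable targets are cut off before the rest."""
    rights = live.get(compromised, set())
    first = sorted(r for r in rights if system_of(r) in sensitive)
    rest = sorted(r for r in rights if system_of(r) not in sensitive)
    return first + rest


if __name__ == "__main__":
    print("outside governance:", ungoverned_access(LIVE_ENTITLEMENTS, APPROVED_GRANTS))
    print("sensitive exposure:", sensitive_access(LIVE_ENTITLEMENTS, SENSITIVE_SYSTEMS))
    print("over limit:", accumulated_rights(LIVE_ENTITLEMENTS, ACCOUNT_TYPE, MAX_SYSTEMS))
    print("revoke first:", lockdown_plan(LIVE_ENTITLEMENTS, "contractor-42", SENSITIVE_SYSTEMS))
```

Run against the sample, the contractor account is the one that surfaces in every check: two grants with no approval record, access to two sensitive systems, and rights spread over six systems against a limit of three.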

All kinds of organizations are susceptible to attacks, and if IT security professionals do not adhere to the basic rules of how to secure an infrastructure, they are highly vulnerable in the event of a security breach. To minimize the damage from a security breach, and protect business critical data from being stolen, a multi-layered approach to security is required, at the base of which should be a good identity management strategy.

Rather than hurrying out to get the latest spectacular gadget to deter cyberattacks, you should focus on implementing good policies, procedures, tools and intelligence – although less glamorous, these are the cornerstones of securing any IT infrastructure.

If you have questions or comments, feel free to drop me a line.

Santeri Kangas


European Companies are Unprepared for EU GDPR

The EU GDPR and exploding cybercrime costs require Europe to get ready to take control of data access

By Santeri Kangas, Omada CTO


Until now, spectacular news stories about security breaches have primarily exposed US companies, presumably lulling Europe into a comforting feeling that large-scale and business-crippling cyberattacks are something that happens to the proverbial “other people” – i.e. organizations in other parts of the world.

As any IT security professional is only too aware, the reality is very different. For years, European organizations have simply mitigated security breaches, largely kept quiet about it, and then carried on with business as usual. In future, the Europeans will have to address the issues that lie at the heart of the matter in security breaches, just as the Americans have been doing for years, to avoid the effects of unwanted publicity to their credibility.

Access is what it’s all about

What lies at the heart of a security breach is access: access to data and systems, acquired through access to user accounts and user credentials. That’s why, as companies are forced to protect sensitive data and notify authorities about breaches, it becomes paramount for them to safeguard the data, the systems, and the users from theft and abuse.

First of all: Forget about whether you know you have been hacked, or think you won’t be hacked at all.

It is an accepted condition of modern business life that your organization will be hacked at some point, and probably already has been. It is also an acknowledged truth that size doesn’t matter – your organization is a potential target regardless of how big or small it is.

What is really important is two things: your ability to detect a breach and your ability to act on the information and deal with the damage quickly, efficiently and effectively.

In future, European organizations – just like American organizations today – will have to get used to the fact that they will be judged: not on whether they got hacked, but on how they handled the breach, and how well they are able to document that they have learned enough from their mistakes, to avoid similar damage in future. You need to be able to lock down access to data and systems, and you need to be able to prove what you have done to mitigate the situation and protect the data. If you fail to do so, you will be fined by the authorities and risk public disgrace.

Identity management and access governance are of course the foundational disciplines you must have in place, to enable you to impede unauthorized access to data and systems, through access to user accounts and user credentials – and to enable you to prove that you have done everything you’re supposed to, to keep the data protected from misuse.

The Dutch warning about what’s in store

I believe Europe will be hit hard, when the EU General Data Protection Regulation takes effect in May 2018.

Anyone doubting that European organizations are just as likely victims of cybercrime as anyone else, need only look to the Netherlands for a wake-up call:

According to Fortune Magazine and ComputerWeekly, at the start of 2016, the Dutch authorities passed a data protection act of their own, a bill which – like the EU GDPR – forces Dutch organizations to report cybersecurity incidents to the authorities and to the affected individuals. Fines for failure to report the incidents can be up to €810,000, or 10% of the company’s turnover.

Fortune Magazine reports: “In just the first 130 days since the law took effect at the start of this year, more than 1,500 cyber incidents were reported.” And, Fortune adds: “Additionally, a 2015 study by PwC reported that 90% of large UK-based businesses – and 74% of small businesses – reported being hacked in the previous year.”

I have no reason to believe that Dutch organizations are IT security laggards, compared to their European counterparts. In fact, I am quite sure that the Dutch numbers represent what to expect throughout Europe, when the EU GDPR is enforced in less than two years.

Cost of cybercrime is on a dramatic increase

While European organizations have the added challenge of public embarrassment and reputational damage to deal with from 2018, the rest of the world can’t rest on its laurels.

Cybercrime is an increasingly popular activity, and the cost of cybercrime damages is predicted to skyrocket in the coming years, requiring organizations to fortify their defenses and strengthen their mitigating capabilities:

Just look at these numbers, listed by Steve Morgan of Cybersecurity Ventures:

  • In early 2015, the British insurer Lloyd’s estimated cybercrime was costing businesses globally $400 billion annually — which included direct damage plus post-attack disruption to the normal course of business.
  • Juniper Research followed with a report in the spring of 2015, which predicted that the rapid digitization of consumers’ lives and enterprise records would increase the cost of data breaches to $2.1 trillion globally by 2019.
  • This year, the Microsoft Secure Blog reported that The World Economic Forum estimated the economic cost of cybercrime to be $3 trillion worldwide. That was a six-fold jump in cybercrime damage estimates in just one year.
  • Cybersecurity Ventures predicts cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021.

Of course, these are predictions, and the actual costs will be different. But I am certain the numbers are indicative of the trend.

Strengthen your security posture

What boards and executives should take away from these two factors – the increase in the cost of damages caused by cybersecurity incidents, and the increasingly strict legislation that ensures the security breaches are broadcast to the public – is that they need to up their security and compliance game.

It is vital to incorporate the increased security and compliance risk in the 2017 budgets, to have a fighting chance at being ready for the EU GDPR in particular, and to generally diminish the costly damage cyberattacks can do to the organization.

If you have questions or comments, feel free to drop me a line.


Santeri Kangas


Snowden and Panama teach us how lack of control over access rights is a threat to IT security

What do the Snowden files and Panama Papers have to do with identity management and access governance? Everything, actually.


By Christian Stendevad, Executive VP, Omada

Edward Snowden – the ‘All Access’ subcontractor

The Snowden leak is arguably the most spectacular breach ever, because of

  • the drama ensuing from the publication of the leaked data
  • the victim – the National Security Agency
  • the volume of leaked data

The leak was made possible, not because of intricate hacks and spectacular exploits, but because Edward Snowden, who worked for a subcontractor to the NSA, accumulated access rights over a long period of time to a wide range of systems and data within the NSA environment.

He did this quite legitimately, by requesting and receiving access rights to data he needed to perform the tasks he was hired to do.

Eventually, he had accumulated enough access rights, to enable systematic download of information.

If the NSA had had full visibility of Snowden’s privileges, alarm bells would have gone off, and rights could have been revoked, to ensure that no one – and certainly not a contractor – had access rights and user privileges to the extent that Snowden did.

Panama Papers – who had the wrong rights?

A contender to the “Most Spectacular Leak” title is the recent Panama Papers scandal. The 11 million documents leaked to global media have shamed corporations, politicians and celebrities and fuelled the climate of distrust between ‘the people’ and ‘the establishment’.

While we do not at this point know the details of how the leak happened, I am not afraid to make a few assumptions.

For example: The sensitive information in the documents and the sheer volume of data suggest that an autopsy of the leak will include findings about IT security…

I will go so far as to guess, that the findings will fault the IT security efforts of Mossack Fonseca.

Secondly, I think we can assume that whoever was behind the leak had extensive access rights and user privileges. Far more extensive than just about any employee should have. So presumably, the source of the leak is either very high up in the organization – or is an employee or subcontractor who, like Edward Snowden, accumulated these rights over time, and under the radar.

I am also inclined to think that the law firm has been aware that IT security is a discipline to be considered, in a business that relies heavily on digital processes and stores large amounts of highly sensitive information for customers.

That Mossack Fonseca did not have their identity management and access governance in place, may be a simple matter of risk assessment gone wrong: the cost and resources required to implement the appropriate security measures may have been deemed too high, to be worthwhile. I suspect that, in hindsight, the conclusion of said risk assessment would be different.

And if the cost of IT security solutions were the issue, perhaps a few of Mossack Fonseca’s customers would be up for a bit of crowd funding, to help pay the bill…?

And you – who has access to your data?

These two high-profile incidents illustrate why identity management and access governance are absolutely essential disciplines in IT security.

Controlling who has access to corporate data will help you prevent damage from leaks from within the organization, simply by ensuring that no one individual can access too much data.

Controlling user access will also help you control the damage done by hackers attacking from outside the organization, making it very difficult for them to retrieve data once they have made their way into your infrastructure.

While most employees do not go to work with malicious intent, they do make up one big soft spot of entry points for hackers, who worm their way into systems on the back of the employees’ user access rights.

Effectively, they become a risk, simply by doing their jobs.

The bottom line:

You must conduct your everyday business on the assumption that persons with malicious intent are present in your infrastructure at all times. If that assumption is your baseline, and your organization acts accordingly, you are a long way towards healthy, security conscious policies and procedures.

Are You Equipped for Strict EU Compliance Requirements?

With the expected introduction of new data privacy regulations, the EU is reinforcing a comprehensive reform of data protection rules to strengthen data privacy rights. This initiative places protection of personal data high on the agenda and creates demands for efficient processes to support the reinforced regulations and ensure compliance.

Companies will be required to document established standards and policies throughout their business, and must prepare to meet compliance requirements. That means setting up a technical foundation that can establish efficient documentation and implement appropriate security measures.

Get a head start by mapping and documenting the current state of your access rights. Omada’s newly launched Governance as a Service delivers simple and fast insight into IT users’ access to sensitive data. The solution provides you with the necessary insight in an interactive Audit Report that establishes a solid foundation for your compliance effort.

Learn more about how Omada Governance as a Service addresses legislative data privacy requirements such as the EU General Data Privacy Reform.