26 May 2017

GDPR: T Minus One Year

Mark Kuhr

If we’ve learned anything about security recently, it’s that breaches are costly.

Yahoo took one for the team and taught us all the hard way. In the wake of the recent Yahoo breach(es), Verizon trimmed a handsome $350M from its Yahoo acquisition price, and Marissa Mayer was forced to give up almost 50% of her 2016 compensation. If GDPR had been in effect, Yahoo could have been forced to pay EU regulators up to $200M (4% of revenue in 2015, when the breach occurred). Based on initial investigations by Helen Dixon, the European lead for compliance with EU data protection, her office is “of the view that [the breach] could have been detected sooner and the risks mitigated sooner.” In total, these financial penalties are equivalent to approximately 12% of Yahoo revenue or 20% of gross income.

The same goes for Target. If Target Corp were subject to EU GDPR, the financial penalty of their breach could have been $2.88B, rather than the $18M they are required to pay out to 47 states.

And they’re about to get even more costly for companies doing business in Europe. Yesterday (May 25th, 2017) marked one year until GDPR takes effect across the European Union. While a year seems like a long time, overhauling and updating an organization’s entire security environment can take a lot of work. Our advice: it’s best to be prepared and start now. Pragmatism is key, and we need to redefine “the basics” of security, starting with building security programs that scale and bringing diversity into our cyber attack defenses.

The Basics. What is GDPR?

  • It’s the largest security legislation to go into effect in the EU, starting exactly one year from now.
  • The goal is to protect against the misuse of data through operational and technical directives.
  • GDPR is a heavily enforced regulation based on improving security – it is NOT about compliance checklists.
  • If a data breach occurs, the company could be fined up to €20M or 4% of global annual turnover, whichever is greater, for a large-scale breach. For more minor breaches, organizations could luck out with a more modest €10M or 2% of global turnover. Enough to kill some businesses.

TL;DR: You’ve got to do whatever it takes to avoid a breach. Or else you’ll pay for it.

Implications

In check-box compliance-regulated environments, problems aren’t solved at the root; security operations aren’t run as effectively as they could be, and people generally get complacent. Why? Because the security organization is often overwhelmed with superfluous data, and it isn’t funded in a way that enables it to pragmatically address the business risk stemming from security issues. That is understandable when traditional security testing bogs down release cycles and eats at the bottom line. GDPR legislation is a great step in moving security practices past compliance checklists and baking security “health” into the overall successes and failures of the organization as a whole. With the lack of specific guidelines or standards to follow, the responsibility falls on individual organizations to figure out – technically and operationally – how to protect data. The GDPR legislation is a kick in the C-Suite’s pants, encouraging us to figure out how to get ahead of breaches and how to beat criminal hackers.

Protect the Business

While breaches can’t be completely avoided, the risks can be mitigated. The main action item coming out of the GDPR for European organizations is to prove that they are doing their due diligence in mitigating security risks. To protect the business, decision-makers must choose to build up resilience to hackers’ threats through continuous testing of assets, knowing the entirety of their security coverage, and scaling effectively. We’ve always advocated for organizations to take a proactive and offensive approach to security and with this new legislation, the EU is affirming the same.

No longer are businesses licensed to comply with outdated and often inadequate standards; now they have to prove that they’ve done everything in their power to protect themselves from a breach. Many security leaders now realize that the best way to do that is to invite a group of highly skilled, ethical hackers into your attack surface to probe your assets on a continuous basis. These “white hat” hackers know how to think like criminal hackers; they have the same skillsets, and they know the targets that adversaries are most likely after.

Obviously, you want these people on your team, but unfortunately it’s not so easy to get them, retain them, and keep their skills fresh. With a growing talent gap in the cybersecurity industry, ethical hackers with high levels of skill and experience are hard to find. Like other industries that have developed similar crowdsourced models, the security industry can crowdsource hackers to solve the niche labor shortage it faces today. Synack’s model multiplies the efforts of our Red Team, composed of highly skilled and vetted security testing experts, so that security testing can be performed with high efficacy and the ability to scale. The Synack platform ensures vulnerability prioritization through a proven triage process and provides actionable reporting and analytics, helping security teams, development teams, and business teams speak one language and execute an aligned and effective plan.

As May of 2018 comes nearer, we hope you consider partnering with Synack to help you cover all of your bases. We’ll have our Red Team hackers out there pounding your assets in no time. To learn more about our approach, visit www.synack.com/resources/ and keep tabs on our blog at www.synack.com/blog/.