This is not yet another article about the risks and fines of the new General Data Protection Regulation (GDPR). Let's just try to prepare for it with a pragmatic plan.
Where to start your GDPR plan?
According to one of the latest studies (2016), done by Forrester*, among companies that had an external security breach in the last 12 months, THE top external intrusion method was software vulnerability, cited by 42% of them.
Therefore, I'd say that in order to prepare for GDPR, let's start with Vulnerability Management (disclosure: we have a vulnerability management product at SecludIT).
Despite being a well-understood problem with mature solutions for the past 25 years, companies and security administrators are still struggling with vulnerability management. Furthermore, we must acknowledge that the latest malware outbreaks took advantage of known, already-patched vulnerabilities.
And getting back to GDPR, there are 2 obligations for companies concerning vulnerabilities:
1. Companies must regularly perform vulnerability assessments
2. Companies must have a plan and show progress on vulnerability management
The beginning of your GDPR fight
Some companies choose to outsource these obligations to MSSPs due to lack of expertise and lack of people. Others decide to perform them in house with tools. Either way, the hard problem to solve is the remediation of vulnerabilities. Once we test for the 28 new vulnerabilities published daily (the 2016 average; the first half of 2017 averaged 58 new vulnerabilities per day) and we get the results, someone has to do the job.
And this is no easy task due to:
Lack of time and budget: as I promised, I'm not going to make yet another ROI analysis about security 🙂
Lack of authority: we all know of that special server or application that cannot be touched because the risk of breaking it is too great
Too many vulnerabilities: risk indicators and tools can help prioritize, but you still need to eat the elephant one bite at a time
The business launches new applications and services too fast: the security team has no time to prepare and to keep up
Developers and DevOps are using all sorts of new technology (AWS, Azure, GCE, Docker, Hadoop): the security team cannot master everything
Now that I’ve said that: get over it!
First step towards GDPR
In our view the answer is Automation, just as DevOps teams automate deploying and launching new applications faster. Despite all these obstacles, you will need to concentrate your efforts on automating obligations 1 and 2 for GDPR: run the assessments on a schedule, and produce the remediation plan and progress figures from the results rather than by hand.
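As an added example (not SecludIT's code or product, and using constructed scan data rather than real scanner output), here is the kind of small script that automates the second obligation: it compares two scan snapshots, prioritizes the open findings with a simple risk score (CVSS, exposure, and how far past a hypothetical remediation SLA each finding is), and produces the progress figures an auditor would ask for (fixed, new, overdue, SLA compliance). The SLA values, host names and vulnerability identifiers are all assumptions for the sake of illustration.

```python
"""Vulnerability remediation progress report (added example, constructed data).

Two scan snapshots are compared to answer the GDPR question "do you have a
plan and are you making progress?": what got fixed, what is new, what is
overdue, and what to work on next.
"""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Tuple

# Hypothetical remediation SLA: days allowed to fix a finding, per severity band.
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass(frozen=True)
class Finding:
    host: str
    vuln_id: str        # scanner plugin / advisory id (constructed placeholder values)
    cvss: float         # CVSS v3 base score as reported by the scanner
    internet_facing: bool
    first_seen: date    # first scan in which this host/vuln pair appeared


def severity(cvss: float) -> str:
    """Map a CVSS v3 base score onto the usual severity bands."""
    if cvss >= 9.0:
        return "critical"
    if cvss >= 7.0:
        return "high"
    if cvss >= 4.0:
        return "medium"
    return "low"


def days_overdue(f: Finding, today: date) -> int:
    """Days past the SLA deadline (negative while still within SLA)."""
    return (today - f.first_seen).days - SLA_DAYS[severity(f.cvss)]


def risk_score(f: Finding, today: date) -> float:
    """Prioritisation score: CVSS, +2 for internet exposure, up to +2 for SLA overrun."""
    score = f.cvss
    if f.internet_facing:
        score += 2.0
    overdue = days_overdue(f, today)
    if overdue > 0:
        score += min(overdue / 30.0, 2.0)   # one point per month overdue, capped
    return round(score, 2)


def progress(previous: List[Finding], current: List[Finding], today: date) -> Dict:
    """Compare two scan snapshots and return the remediation progress metrics."""
    def key(f: Finding) -> Tuple[str, str]:
        return (f.host, f.vuln_id)

    prev = {key(f): f for f in previous}
    curr = {key(f): f for f in current}
    fixed = sorted(k for k in prev if k not in curr)   # present before, gone now
    new = sorted(k for k in curr if k not in prev)     # appeared since last scan
    open_findings = sorted(curr.values(), key=lambda f: risk_score(f, today), reverse=True)
    overdue = [f for f in open_findings if days_overdue(f, today) > 0]
    compliance = round(1 - len(overdue) / len(open_findings), 2) if open_findings else 1.0
    return {
        "fixed": fixed,
        "new": new,
        "open": len(open_findings),
        "overdue": len(overdue),
        "sla_compliance": compliance,
        "top_priority": [(f.host, f.vuln_id, risk_score(f, today)) for f in open_findings[:3]],
    }


# Constructed sample snapshots: a scan on 1 June 2017 and one on 1 July 2017.
PREVIOUS_SCAN = [
    Finding("web1", "VULN-A", 9.8, True, date(2017, 5, 20)),
    Finding("web1", "VULN-B", 5.3, True, date(2017, 4, 1)),
    Finding("db1", "VULN-C", 7.5, False, date(2017, 5, 25)),
    Finding("db1", "VULN-D", 3.1, False, date(2017, 1, 10)),
]
CURRENT_SCAN = [
    Finding("web1", "VULN-A", 9.8, True, date(2017, 5, 20)),   # still open, 35 days past SLA
    Finding("db1", "VULN-C", 7.5, False, date(2017, 5, 25)),   # still open, 7 days past SLA
    Finding("db1", "VULN-D", 3.1, False, date(2017, 1, 10)),   # still open, within SLA
    Finding("app1", "VULN-E", 8.1, True, date(2017, 6, 28)),   # new since last scan
]
TODAY = date(2017, 7, 1)

if __name__ == "__main__":
    report = progress(PREVIOUS_SCAN, CURRENT_SCAN, TODAY)
    for name, value in report.items():
        print(f"{name}: {value}")
```

Run monthly from the scheduled assessment output and archived, these reports are the "plan and progress" evidence; the `top_priority` list is the bite of the elephant to take next.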
This is a good first step to tackle in 2017, and there is plenty more to do before GDPR applies on May 25th, 2018, so stay tuned and get started!
You can perform a free vulnerability assessment here.
*Source: Forrester’s Global Business Technographics Security Survey, 2016