Believe it or not, a year has passed since the EU’s General Data Protection Regulation (GDPR) became law. Over that year, the legislation has spurred countries around the world to review their own privacy laws and tighten their data protection regimes to a comparable standard; but how effective has this year been in making our personal data less likely to be stolen and sold on the black market?
Many believe security and privacy have a similar strategic mandate, yet GDPR has demonstrated that the difference between the two is greater than most realise. The issue of keeping customer information private and the degree to which you are responsible for the collection and use of that data has become a hot topic in most businesses, since the focus of regulators, coupled with hefty fines, has seen executives and directors take note.
Privacy management, in some cases, has become the focal point of security programmes, since security certainly supports an organisation’s privacy ambitions. Security, however, is just a subset of a wider business problem, which GDPR represents well in its regulation. GDPR is undoubtedly the most stringent privacy legislation on the planet, and it’s made other jurisdictions outside of the EU act quickly (and some might say hastily) to align with its intent.
GDPR has just five cyber security clauses buried in the total of 99 requirements organisations need to comply with:
[Figure: GDPR 5 Cyber Security Clauses]
With these five security requirements at the heart of GDPR, one might assume most organisations with an existing security programme could easily achieve compliance. Yet even one year on, with consumer awareness at an all-time high, there still seem to be problems for companies trying to become compliant. The problem is that security is just one viewpoint of any business’s overall approach to privacy, yet some organisations focus on security rather than on the requirements as laid out by GDPR and their local data protection authority.
The European Commission, which is responsible for GDPR, published some interesting statistics relating to the first year of this new legislative framework. For starters, just over half of the EU citizens they surveyed know there is a country-specific data protection authority responsible for protecting their privacy rights. Furthermore, even among the half who are aware of such a public authority, just twenty percent know which authority they should speak to.
In this first year, the European Commission received 144,376 queries and complaints from the various data protection authorities scattered throughout Europe. The data breach notification numbers are frightening, with 89,271 lodged notifications since 28th May 2018. In this case, the definition of a data breach is when, “personal data for which a company is responsible is accidentally or unlawfully disclosed,” and that company must, “report this data breach to their national data protection authority within 72 hours of finding out about the breach.”
In terms of penalties, GDPR affords data protection authorities the power to dish out fines of up to 4% of the company’s turnover. The European Commission provided some anonymous (but guessable) examples of the fines they have doled out since May last year:
One of the biggest issues that authorities have had to deal with is that many of the companies they are investigating or prosecuting, such as social media platforms, offer services in more than one EU country simultaneously, and in some cases in all EU member states. The European Commission has mandated that in many cases one national data protection authority takes the lead in the investigation, whilst the others provide supporting resources. Any disagreement falls back to the Commission to arbitrate.
Most notifiable breaches over the past year are still fundamental security failures, be they the result of successful phishing campaigns, exploits used against known unpatched vulnerabilities or simply employee carelessness. We’ve seen the same set of root causes in Australia, and since more breaches than ever are being reported, there are robust statistics showing that Australia aligns with the rest of the world in its susceptibility to these issues.
The five key security requirements listed earlier in this article still cause headaches for many organisations. These requirements state several specific outcomes, but there is an overarching key theme spanning them all: watch what’s going on within your enterprise and alert your security team when something doesn’t look right.
Even that first requirement, “How are you protecting against unauthorised and unlawful access, loss or damage?” is addressed by implementing robust identity and access management systems, coupled with comprehensive auditing and alerting.
Is your organisation able to fulfil the 5 cyber security clauses of GDPR? Do you have technology that can help you meet your obligations? By having a Security Information and Event Management System (SIEM) that can monitor your entire enterprise for unusual or malicious activity, you can alert your security team when suspicious patterns of activity threaten the security of your data.
You always need to know where your data is, what level of security it requires (how sensitive is it) and who should have access to it. Only by fully understanding the lifecycle of your data can you hope to be GDPR compliant or meet the requirements of your own country’s local data protection legislation.
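To make the “watch and alert” theme above concrete, here is an added example (written for this article, not code from the article or from any SIEM product) of the kind of rule a monitoring system evaluates: it parses a handful of constructed audit events, checks each read of a personal-data store against a hypothetical role entitlement table, and raises an alert when a role is not entitled to the store it reads or when one account reads an unusually large volume of personal data inside a short window. The log format, user names, store names, entitlements and thresholds are all assumptions made for the illustration.

```python
"""Added example: a minimal SIEM-style rule set over constructed audit events.
Rule 1 flags reads of a personal-data store by a role not entitled to it
(identity and access management plus auditing); rule 2 flags a large volume
of reads by one account within a sliding window (unusual activity).
Every name, store, entitlement and threshold here is hypothetical."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log lines in a simple "timestamp key=value ..." format (not real data).
SAMPLE_LOG = """\
2019-05-20T09:14:03Z user=jsmith role=support action=read store=customer_pii count=3
2019-05-20T09:15:10Z user=jsmith role=support action=read store=payroll count=1
2019-05-20T09:20:00Z user=mlee role=analyst action=read store=customer_pii count=40
2019-05-20T09:25:00Z user=mlee role=analyst action=read store=customer_pii count=30
2019-05-20T09:30:00Z user=dbadmin role=dba action=read store=payroll count=5
2019-05-20T11:00:00Z user=mlee role=analyst action=read store=customer_pii count=20
"""

# Hypothetical entitlement table: which roles may read which data stores.
ENTITLEMENTS = {
    "support": {"customer_pii"},
    "analyst": {"customer_pii", "marketing"},
    "dba": {"customer_pii", "payroll"},
}

# Hypothetical classification: stores that hold personal data and so need watching.
PERSONAL_DATA_STORES = {"customer_pii", "payroll"}


def parse_event(line):
    """Turn one 'timestamp key=value ...' line into a dict with a datetime and int count."""
    ts, *fields = line.split()
    event = dict(f.split("=", 1) for f in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    event["count"] = int(event.get("count", "1"))
    return event


def evaluate(log_text, entitlements=ENTITLEMENTS, threshold=50,
             window=timedelta(minutes=10)):
    """Return a list of (rule, user, store) alerts for the given audit log text."""
    events = sorted((parse_event(line) for line in log_text.splitlines() if line.strip()),
                    key=lambda e: e["ts"])
    alerts = []
    recent = defaultdict(deque)   # (user, store) -> deque of (ts, count) inside the window
    bulk_alerted = set()          # raise the volume alert once per (user, store)

    for ev in events:
        if ev["action"] != "read" or ev["store"] not in PERSONAL_DATA_STORES:
            continue
        # Rule 1: the account's role is not entitled to read this store.
        if ev["store"] not in entitlements.get(ev["role"], set()):
            alerts.append(("unauthorised_access", ev["user"], ev["store"]))
        # Rule 2: total records read by this account from this store within the window.
        key = (ev["user"], ev["store"])
        q = recent[key]
        q.append((ev["ts"], ev["count"]))
        while q and q[0][0] < ev["ts"] - window:
            q.popleft()           # drop events that have aged out of the window
        if sum(c for _, c in q) > threshold and key not in bulk_alerted:
            bulk_alerted.add(key)
            alerts.append(("bulk_read", ev["user"], ev["store"]))
    return alerts


if __name__ == "__main__":
    for alert in evaluate(SAMPLE_LOG):
        print(alert)
```

Run as written, the script reports two alerts: jsmith’s read of the payroll store (the support role is not entitled to it) and mlee’s 70 customer records read inside ten minutes; mlee’s later read at 11:00 falls outside the window and is not flagged. A real deployment would feed these alerts to the security team with the timestamp of discovery, which is what starts the 72-hour notification clock if the event turns out to be a breach.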
If you want more information on how to address these five cyber security clauses, you can refer to our whitepaper, “Fast Track your GDPR Compliance: How to Implement the 5 Essential Cyber Security Requirements of GDPR.”
Note on the statistics above: these figures are indicative rather than exact. The numbers are unverified, since the authorities can only report the cases they have been informed about, and the true total is likely higher, with further cases being handled locally.