American Cyber Security Management

GDPR: Are you Ready?

October 17, 2017 By Carlin Dornbusch

Are you ready for GDPR? Its penalties, that is. The General Data Protection Regulation (GDPR) from the European Union (EU) has been announced, and required of ANY company that sells to or monitors European citizens, since early 2016.

GDPR is an international law that has already been enacted. It is intended to clarify and strengthen prior privacy laws, is extremely encompassing, and is global in nature. It requires that data be used in a lawful, fair and purposeful manner. It requires companies that use personal data to do so minimally and to ensure the data is accurate, protected, and durable. Responsibility for compliance focuses on the use, or processing, of the data. The scope drives responsibility from the controller of the system down to the potentially multiple processors and sub-processors, making the law thorough and inescapable for most businesses.

This law requires that EU citizens be given certain rights when they use software systems. These basic privacy rights are:

  • Right of Access
  • Right of Rectification
  • Right of Erasure
  • Right of Restricted Processing
  • Right of 3rd-Party Notification
  • Right of Data Portability
  • Right to Object

Any company found to be in breach of these new requirements will be subject to a €20 Million or 4% of revenue penalty, whichever is greater. Companies that have only started their analysis or are partway through their implementation may face a €10 Million or 2% of revenue penalty. This law poses significant risk for smaller businesses that are not in compliance or are only partially compliant.

There is no doubt that GDPR is the biggest change in recent privacy law. Taking a risk-based approach to your implementation will be important. Your implementation could be large, take years and cost millions, or it could be as simple as documentation, change of process and some new technology.

Links to the specifics of this new regulation can be found on our site at https://www.americancsm.com/frameworks/gdpr/ and on the EU’s official website: http://www.eugdpr.org/

If you are unsure if GDPR applies to you, or wish to investigate with an assessment, please contact us at American Cyber Security Management today.

*American Cyber Security Management (AmericanCSM.com) is focused on reducing your risk of data misuse. We do this through our Security, Privacy and DevOps offerings, delivered by seasoned experts. Our Privacy specialist can help you make sense of and comply with GDPR.

National Cyber Security Awareness Month Week 2

October 12, 2017 By American Cyber Security Management

October is National Cyber Security Awareness Month and, in keeping with the National Cyber Security Alliance’s theme for week two, “cyber security in the workplace is everyone’s responsibility,” I’d like to share some thoughts from a recent interaction with a small business leader.

Last Friday, my colleague and I met with a startup CEO in Boulder to discuss her cyber risk needs. Like most executives, she had many things on her mind and was very busy – it was obvious from the two backpacks, coffee mug, notebook, and jacket she juggled as she entered the conference room. After we settled in and got into the conversation, her request was simple: how can she rationalize all the buzz about security and come up with a plan that is complete and becomes a part of her organization’s culture?

While security in the workplace is everyone’s responsibility, executives can delegate the authority to act but not the accountability. Risk reduction starts at the top and executives need to distill an ocean of hype into something reasonably actionable. But where should these leaders look to get a start?

A couple of weeks ago, I mentioned the Center for Internet Security’s (CIS) Guide for Small and Medium Size Enterprises (SMEs) as a good place to begin this journey: https://www.cisecurity.org/white-papers/cis-controls-sme-guide/. In fact, this is the very link I sent to the CEO’s tech person after the meeting. Based on our experience with SMEs and this body of work, our recommendation was that similarly sized companies take the following actions:

  • Create a managed list of those devices allowed on your network. Also create a list of those devices not allowed on your network. Whitelisting creates a map of devices that need to be defended on the network. Blacklisting is an easy way to quickly identify troublesome agents.
  • Understand the software used by your organization. This is important to a) prevent shadow IT from creeping in and b) maintain a map of those packages that require security patching; patching can be the greatest defense against cyber intrusion. Additionally, this control is necessary for the implementation of control number 4 below.
  • Make sure your hardware and software are configured for security. Remove default admin passwords, set up new accounts, implement role-based authentication, enable multi-factor authentication, understand the security capabilities and align your use to the business needs.
  • Patch, patch, patch. Implement a system to ensure your hardware and software are updated with the latest vendor patches. Equifax might have prevented a lot of heartache if this one control had been followed.
  • Create policies and a culture of least-privilege access. This is probably the hardest to implement in the fast-paced environment of a small business. It’s also the control that will get you the most mileage when the bad guys get hold of that password somehow.
  • Train your team and make risk reduction a cultural tenet. Security Awareness is critical, but be sure to put it into the context of your business systems in order to best educate your employees and suppliers.
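Controls 1, 2 and 4 above (a managed device allow/deny list, a software inventory, and patching) only pay off if someone actually reconciles what is on the network against what is supposed to be there. The script below is an added example, not code from the post or from the CIS guide, showing how a small business could run that reconciliation. Every input is constructed for the example: the allowlist and denylist, the approved-package baseline with minimum patched versions, the DHCP lease lines, and the per-host package reports; in practice these would come from your asset register, your DHCP server and an endpoint inventory agent.

```python
"""Asset hygiene check for a small network (added example, constructed data).

Reconciles DHCP leases against a device allowlist/denylist (control 1) and
per-host software reports against an approved-package baseline (controls 2 and 4).
"""
import re

# Constructed allowlist: MAC -> (expected hostname, owner).
ALLOWED_DEVICES = {
    "aa:bb:cc:00:00:01": ("ceo-laptop", "ceo"),
    "aa:bb:cc:00:00:02": ("fin-desktop", "finance"),
    "aa:bb:cc:00:00:03": ("build-server", "engineering"),
}
# Constructed denylist: MAC -> reason it must never appear on the network.
DENIED_DEVICES = {"de:ad:be:ef:00:01": "consumer router removed after a prior incident"}

# Constructed approved-software baseline: package -> minimum patched version.
APPROVED_SOFTWARE = {"openssl": "1.1.0f", "struts": "2.5.13", "nginx": "1.12.1"}

# Constructed dhcpd-style lease lines (hostnames and MACs are made up).
DHCP_LEASES = """\
lease 10.0.0.21 { hardware ethernet aa:bb:cc:00:00:01; client-hostname "ceo-laptop"; }
lease 10.0.0.22 { hardware ethernet aa:bb:cc:00:00:02; client-hostname "fin-desktop"; }
lease 10.0.0.40 { hardware ethernet de:ad:be:ef:00:01; client-hostname "linksys"; }
lease 10.0.0.57 { hardware ethernet 12:34:56:78:9a:bc; client-hostname "android-7f3"; }
"""

# Constructed output of a per-host software inventory: host -> {package: version}.
HOST_PACKAGES = {
    "ceo-laptop": {"openssl": "1.1.0g", "slack": "2.8.2"},
    "fin-desktop": {"openssl": "1.0.2k", "nginx": "1.12.1"},
    "build-server": {"struts": "2.3.32", "openssl": "1.1.0f"},
}

LEASE_RE = re.compile(
    r'lease\s+(?P<ip>[\d.]+)\s+\{.*?hardware ethernet\s+(?P<mac>[0-9a-f:]{17});'
    r'(?:.*?client-hostname\s+"(?P<host>[^"]*)")?',
    re.IGNORECASE,
)


def parse_leases(text):
    """Return (ip, mac, hostname) for each lease line; hostname may be ''."""
    leases = []
    for line in text.splitlines():
        m = LEASE_RE.search(line)
        if m:
            leases.append((m["ip"], m["mac"].lower(), m["host"] or ""))
    return leases


def classify_devices(leases, allowed=ALLOWED_DEVICES, denied=DENIED_DEVICES):
    """Bucket each lease as denied, allowed, mismatch (known MAC, unexpected name) or unknown."""
    report = {"allowed": [], "denied": [], "mismatch": [], "unknown": []}
    for ip, mac, host in leases:
        if mac in denied:                      # blacklisted: investigate immediately
            report["denied"].append((ip, mac, host, denied[mac]))
        elif mac in allowed:                   # whitelisted: the map of what we defend
            expected_host, owner = allowed[mac]
            bucket = "allowed" if (not host or host == expected_host) else "mismatch"
            report[bucket].append((ip, mac, host, owner))
        else:                                  # neither list: shadow device or guest
            report["unknown"].append((ip, mac, host))
    return report


def version_key(version):
    """Sortable key for versions like '1.1.0f' or '2.5.13' (numeric runs compare as ints)."""
    parts = re.findall(r"\d+|[a-z]+", version.lower())
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in parts)


def find_patch_gaps(host_packages, approved=APPROVED_SOFTWARE):
    """Return (gaps, unapproved): approved packages below baseline, and packages not on the list."""
    gaps, unapproved = [], []
    for host, pkgs in sorted(host_packages.items()):
        for pkg, installed in sorted(pkgs.items()):
            if pkg not in approved:            # control 2: candidate shadow IT
                unapproved.append((host, pkg, installed))
            elif version_key(installed) < version_key(approved[pkg]):
                gaps.append((host, pkg, installed, approved[pkg]))  # control 4: needs patching
    return gaps, unapproved


def run_check():
    """Run both reconciliations over the constructed inputs and return the findings."""
    devices = classify_devices(parse_leases(DHCP_LEASES))
    gaps, unapproved = find_patch_gaps(HOST_PACKAGES)
    return {"devices": devices, "patch_gaps": gaps, "unapproved": unapproved}


if __name__ == "__main__":
    findings = run_check()
    for bucket in ("denied", "mismatch", "unknown"):
        for entry in findings["devices"][bucket]:
            print(f"DEVICE {bucket.upper():8} {entry}")
    for host, pkg, installed, required in findings["patch_gaps"]:
        print(f"PATCH   {host}: {pkg} {installed} < required {required}")
    for host, pkg, installed in findings["unapproved"]:
        print(f"SHADOW  {host}: {pkg} {installed} is not on the approved list")
```

Run it on a schedule and treat a non-empty `denied`, `mismatch` or `patch_gaps` list as a ticket, not a log line; the `unknown` and `unapproved` buckets are the feed for keeping the allowlist and the approved-software list current, which is what makes control 1 and control 2 living documents rather than a one-time spreadsheet.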

These processes can be folded into everyday behavior in a small or midsized business if the corner offices are involved in creating and modeling the culture. They also provide a sound foundation for more quickly identifying threats, protecting against them, detecting when they occur, responding, and recovering. CEOs need to recognize that this is the most crucial part of their overall risk profile. It is said that “the fish rots from the head.” Despite how busy our corner offices may be, best practices and a healthy environment of risk abatement start at the head too.

I hope we helped simplify at least one of those items our CEO friend was juggling.

Is the Cloud any Safer?

October 11, 2017 By Carlin Dornbusch

Have you moved to the cloud yet? Why not? The security is great up here.

With all of the cloud surveys out there, it is easy to see how the adoption of cloud computing has risen over the past 10 years. A hybrid cloud seems to be the most common approach for most enterprises, and Amazon, Microsoft, and Google are the largest Infrastructure as a Service (IaaS) providers, in that order of market share. We even see Docker being used by over 30% of cloud consumers.

However, not everyone is in the cloud yet and the resistance is deep-rooted. With all the challenges to moving existing workloads off-premise such as planning, new architecture design, the actual move and downtime, explaining the change to your customers, and change management, there is still one very large challenge: Security. “Will I be as secure or more secure in the cloud?” The answer is “Yes!” and even more so if you make intelligent decisions about your controls and processes.

The Cloud, in general, is advanced enough to provide a solid platform of control for any company. Each IaaS vendor publishes a definition of responsibility and a set of specific controls for the enterprise to manage, and these are the largest enablers of security. Not only is an enterprise afforded more controls, but these controls are also transparent and auditable. Most IaaS providers are SOC1, SOC2, SOC3, and ISO-27001 certified. The controls and IT services allow for a least-privilege model of implementation, which is critical for new enterprise adoption. There are services to enable network segmentation, as well as services for Disaster Recovery, DDoS mitigation, and service elasticity. The use of microservices is now commonplace, allowing an even closer relationship between customer consumption of services and the financial models of the enterprise.

Two of the most important features from IaaS providers are the ability to centralize and automate service management. By leveraging centralized management of services we gain the ability to create a homogeneous deployment footprint based on hardened templates. This in turn allows a library of templates to be managed, which we find makes it easier to scale services and ensure a common baseline. Centralization also allows for easier growth and lower costs. Automation services are readily available from the top IaaS providers as well. These services can span the entire software supply chain, from development through test, staging and production environments. Automation can ensure that templates are deployed correctly, that specific modifications are managed, that rollbacks are purposeful, and that the burden on change management is eased. By coupling automation and centralization we create an extremely secure foundation which most organizations can leverage for their business agility, in a secure fashion.

We all know it is cheaper up here in the cloud, but we also now need to realize it can be safer too.

Cyber Security Awareness Month

October 5, 2016 By American Cyber Security Management

American Cyber Security Management is proud to participate in National Cyber Security Awareness Month 2017. Cybersecurity is a shared responsibility that affects all Americans, and everyone plays a part in keeping the Internet safe.

Throughout October, we will highlight the issues of cybersecurity and privacy on our website and in our social media posts. We hope you will join our efforts to promote this issue. Online safety and security are shared responsibilities; together we can positively impact our online community. Please keep an eye out for these topics and more from ACSM:

* Cyber security in the workplace – it’s everyone’s responsibility

* The world seems to be abuzz about GDPR

* Why the cloud is more secure

* Secure DevOps

As always, please remember to spread awareness of these simple steps to keep cyber-safe:

* Set strong passwords and, for crying out loud, don’t share them or put them on Post-its stuck to your laptop!

* Whenever possible, use multi-factor authentication.

Most importantly, let’s start an open dialog about security with our family and friends who are not in the industry.
