KEEP CALM AND GDPR
A GUIDE TO UNDERSTANDING AND PREPARING FOR
NEXT YEAR’S BIG CHANGES IN DATA SECURITY
Buzz about the General Data Protection Regulation (GDPR) has been
around for years, but with the new security rules finally taking effect
in May 2018, it’s time to take it seriously. Some enterprises have been
panicking, some have been preparing, and most have been doing a little
of both. The new GDPR law will impact all companies that work with
any EU citizens or companies. What does this mean for your business?
WHO NEEDS TO COMPLY WITH THE GDPR?
Any company that does business in any of the 28 EU member
states or with any EU citizens. Whether you’ve got
branches across Switzerland or just have PII on one person
in Paris who signed up for your newsletter, you have to comply.
But even if you don’t do business in Europe, the GDPR is
likely to change global security standards going forward, so
it might not be a bad idea to get on board anyway.
Meet the GDPR
The GDPR cracks down on the way companies process and store customers’
personally identifying information (PII), which includes everything
from names, birthdays, photos, and email addresses to medical
data, pseudonymised data, and IP addresses. Better protection means
fewer data breaches—but it also ensures that customer information
stays safe when a data breach does occur.
Sure, some regulations protecting PII already exist, so
the GDPR might seem like just another rule to follow.
But it’s important to realize that the GDPR is far stricter
and has far more severe punishments than any regulations
we’ve seen before. Compliance is going to be vital.
The GDPR contains 99 articles that lay out regulations
for data storage and protection, but here are the major
ones to keep in mind:
•	 Data breaches must be reported within 72 hours, along with information about
which customers’ data was breached. Today, many companies aren’t aware that
a data breach has occurred until weeks, sometimes months, after the fact. The
latest FireEye M-Trends report states that an average breach goes undetected
for 146 days, so the new disclosure requirement calls for a seriously stepped-up
game. 

•	 Customers gain more control over their data. They can ask to see which of their
data a company stores and have the “right to be forgotten,” or to have their data
deleted.

•	 Companies are now liable for any breaches resulting from data (mis)management
by third-party contractors.

•	 All companies dealing with EU citizens must be able to demonstrate that they’ve
adopted appropriate security measures.

•	 Non-compliance with GDPR will result in major, unprecedented fines of €20
million or 4% of global revenues, whichever is higher. For many companies,
non-compliance is not financially feasible.
Third-party problems
We can’t stress enough the significance of one of the more onerous requirements
of the GDPR: All companies are now responsible for data
breaches that occur on their third-party contractors’ watch. In other
words, even if your company has excellent security measures in place,
your law/accounting firm, regulators, business partners, or consulting
firms might not. And that’s a problem.
Whether you grant a third party access to your database or just share a Dropbox folder
with them, data and documents are out of your hands and off your company’s servers. In
the past, third parties’ data breaches were third parties’ problems. No longer. With GDPR,
you’re on the hook for any breached or stolen customer PII, even if it’s not necessarily
your fault. So even if you’ve done all you can to make sure you’re in compliance, you must
ensure that your data is still safe once it leaves the enterprise. This is a major change and
is likely to require a significant adjustment and security overhaul. Don’t panic (yet), but
read on for some tangible steps you can take to make sure you do this right.
[Figure. Labels: Devices, Cloud Services, Email]
A+ steps to take now to prepare for the GDPR
Assess. Take stock of your company’s current security situation. Where
is customer data stored and how? What types of documents are used to
store it? Who has access to it? How does it get moved between people
or departments? What security measures are already in place, both in
the enterprise and outside of it (i.e. in the cloud)? What processes are in
place to detect and respond to a data breach? How much of your current
security situation complies with the GDPR requirements?

•	 Act. Implement security measures that comply with GDPR and
protect PII, whether that means encryption, beaconization,
or strict data usage guidelines. Put these rules in writing and
make sure everyone at your company knows them. Assume a
data breach will happen and create a response plan. Who will
be responsible for reporting it, and how will that happen in the
required 72-hour window?

•	 Assemble. Make a list of every single third party your company
works with in any capacity and in every department.

•	 Agree. Ask your third-party contractors to sign agreements
acknowledging that they will not outsource work without explicit
approval, they will maintain a risk-based security program that
is GDPR-compliant (with your guidance if necessary), and they
will report any data breaches or changes to you immediately.
Contractors must also return or destroy all confidential data at
the end of their contract or termination. 

•	 Appoint. Select someone in your company to be the Data Protection Officer
(DPO). GDPR recommends that this person is the point person regarding all data
security operations and stays on top of data breach prevention and response.

•	 Allure. Allure Security’s Novo software is specifically designed to prevent third-party
data breaches and doesn’t require keeping track of any keys, passwords, or
contractors’ activities. Consider adding Novo to your security line-up to ensure
GDPR compliance—and peace of mind.
A+ STEPS:
1. ACT
2. ASSEMBLE
3. AGREE
4. APPOINT
5. ALLURE
How Novo can help
One of the biggest headaches with GDPR compliance is ensuring that
documents and data aren’t accessed by unauthorized parties, whether
they’re stolen, accidentally forwarded, or leaked with malicious intent.
Allure Security’s Novo is designed to give you visibility and control over
your documents and data.
By embedding a beacon in every document your company uses, Novo keeps track of where
sensitive documents and data are at all times. Set up a geofence around your company’s
building or your contractor’s office, or authorize an employee’s personal IP address; as
soon as a document is opened outside an authorized area, Novo sends an alert and lets
you know exactly which documents were opened and affected. What’s more, Novo renders
the document unreadable outside the authorized area. In other words, not only are
you instantly notified of suspicious activity, but the data itself is impenetrable if it finds
itself where it doesn’t belong. The rapid alert system makes it easy to notify authorities
and customers about a breach within minutes, well before 72 hours is up.
“Novo’s beaconization technology can dramatically reduce risks for large enterprises and
align them with the GDPR requirements to provide a reasonable risk-based security solution,”
says Sal Stolfo, CTO of Allure Security. “Novo is exactly that: it’s reasonable, it’s
a means of detecting breaches, and it’s a means of informing a company when a breach
occurs. It ensures compliance and it works.”
Breaches are going to happen—there’s no getting around that fact in this day and age
as hackers get increasingly savvy. And the GDPR won’t punish you for experiencing a
breach. What the GDPR does ask you to do, though, is have solutions in place that minimize
risks, monitor your data’s security in the hands of third parties, and be able to report
problems when they occur. Novo makes this possible.
How it works
Allure Security’s flagship Novo product is the first Data Loss Detection
and Response (DDR) technology that automatically tracks document
flows in and outside the enterprise network using machine-learned
Document Behavior Analytics (DBA) and data-level deception to pinpoint
the source of exfiltration in real time and take action to prevent
data loss.
As documents flow through your existing network gateways, Novo tags real data with beacons,
maps all locations where beaconized documents are accessed, and learns normal
document flow and behavior. Novo alerts the moment it sees documents being opened
where they shouldn’t be—outside the geofence in another country, an employee’s home
computer, or any other suspicious location. If Novo detects unusual document behavior,
it replaces real documents with decoys, or fake documents, to protect the data and catch
attackers or insiders.
[Figure. Labels: Enterprise Network, Documents, Network Gateway, Beaconizer, Decoy Generator, Beacons, DocFlows, Sonar Beacon Events, DBA ML Engine, Detection Policy Engine, Threat Intel, Real Time Alerts, Big Data Insights & Reports]
The Novo Difference
In the race to become compliant before May, your company might be
looking at a number of different solutions. Most solutions out there are
based on encryption, which ensures that if a document is intercepted
in the cloud, for instance, the interceptor won’t have the necessary
decryption key to understand the content. However, relying on encryption
to manage thousands of employees with access to millions of documents
and billions of pieces of data—well, that’s a lot of decryption keys
and a huge technical challenge, especially when third parties come into
play. Losing even one key can lead to a loss of data, and managing and
enforcing an encryption solution among contractors and others operating
outside the network is difficult, to say the least.
Novo moves past the concepts of endpoints and keys, and it frankly doesn’t matter how
your data is shared or stored. Novo makes it easy to know exactly where all your data is all
the time—and if it’s not where it’s supposed to be, you’ll know right away. Novo is easy to
manage, secure, and accountable—and best of all, it’s GDPR compliant from the moment
you set it up.
“Enterprises aren’t aware of where their documents go once they leave their network.
We believe visibility is the number-one way to prevent the loss of data,” says Mark Jaffe,
CEO of Allure Security. “Third parties have long been an obstacle to data security, and the
GDPR is taking significant strides to improve data breach protection. Novo stands up to
the task, and by making security second-nature, it lets enterprises focus on the work they
care about most.”
Take Novo for a test drive and
see where your document travels
by visiting alluresecurity.com and
requesting to schedule a demo.

