As we move deeper into the digital world of communication, the way we examine security must change in step with the growing privacy impact of personal data. As organizations join this world, the methods once employed to protect data have become obsolete, forcing security professionals to shift their thinking from protecting the infrastructure to protecting the data itself.
The scale at which we conduct digital business also makes traditional security tools outdated. Security teams need real-time visibility to understand what is happening all the way up at the web application layer. Mapping every connection we build and every place personal data spreads is a constant challenge, and it must be addressed not only from a technical standpoint but also in its legal and legislative context.
With the arrival of the new General Data Protection Regulation (GDPR), security professionals must become data-centric. They can no longer rely on traditional practices to monitor and protect data and the web applications that act as the front door to users’ personal data. GDPR is the beginning of wisdom when it comes to data governance, and it has more far-reaching implications than one might think. It has been predicted that by the end of 2018, more than 50% of the organizations affected by GDPR will not be in full compliance with its requirements.
On May 25, 2018, the European Union’s (EU’s) GDPR comes into force. A single supervisory authority will be used, rather than a separate one for each EU member state. It provides a much-needed framework governing the way personal data is gathered, stored and used.
The gathering, storing and use of data are collectively referred to as data processing; essentially, it covers anything done with a user’s personal data. GDPR applies regardless of whether the personal data is stored on paper or electronically.
Personal data is a broad term that can cover an email address, a person’s gender, a first or last name, or even the user’s Hypertext Transfer Protocol (HTTP) cookies. Any business that controls personal data, whether social media information or data generated by IoT devices, must be operating in compliance by May 25th.
The legislation gives users control over their personal data by introducing a new regulatory environment that unifies the rules within the EU. GDPR applies only to data about “EU data subjects”, irrespective of who is processing the data or where it is stored. A data subject is an identifiable natural person, one who can be identified directly or indirectly from a number of defined characteristics.
It applies irrespective of organization type and location, binding any business that operates in or with the EU, even one not located in the EU. This includes the UK regardless of Brexit.
The GDPR consists of 7 key components:
GDPR adds another layer of pressure on organizations by going one step further and introducing legal liability: organizations unable to comply with the new regulation face fines. Organizations could potentially incur fines of up to 4% of annual turnover or over 20 million dollars.
We always seem to be on the back foot when new technologies are introduced. Introducing a particular technology may certainly add value; however, it is only a single piece of the puzzle, and the other pieces are often overlooked.
For example, if you implement a new style of web application, can you do so without upgrading its security tool set? Certainly not, yet we still do. The same is true of data collection and the old regulations that governed what data controllers could do with personal data.
Today’s digital world offers countless approaches to data collection that the previous data protection regulations never anticipated. Those regulations were inadequate for new social media technologies such as Facebook, and in the same way, worn-out security tools do not stand a chance of protecting today’s web applications and servers.
Almost all websites transmit some kind of personal information via inquiry forms or other forms of website interaction, so where and how that data is stored is of significant importance. More importantly, are we in compliance with component 2 of the GDPR legislation, “Breach Notification”?
GDPR article 31 outlines a new requirement that organizations notify the data protection authority within 72 hours of discovering a breach of personal data. If history is any guide, a great many data breaches have gone unnoticed for days, if not months.
More recently, data breaches have been carried out with SQL injection techniques in which the Domain Name System (DNS) resolution process is used to retrieve the results of the injected SQL queries. The technique is fast, stays under the radar and is not easily detected. SQL injection combined with abuse of the DNS resolution process lets bad actors smuggle data out of your administrative domain.
This shows that the right security tools are not in place to detect the breach and provide visibility of it in real time.
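The DNS-based exfiltration described above leaves a trace in DNS query logs: bursts of long, encoded-looking leftmost labels under one parent domain from one client. The following detection script is an added example, not code from the original post or from Acunetix; the log format, the client addresses, the hex labels and the domain exfil-example.test are all constructed for the demonstration.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed sample DNS query log (timestamp, client IP, queried name); not real traffic.
SAMPLE_DNS_LOG = """\
2018-05-20T10:00:01Z 10.1.2.7 www.example.com
2018-05-20T10:00:02Z 10.1.2.7 cdn.example.net
2018-05-20T10:00:03Z 10.1.2.9 4a6f686e2c536d6974682c6a6f686e40.q.exfil-example.test
2018-05-20T10:00:03Z 10.1.2.9 4d6172792c4a6f6e65732c6d61727940.q.exfil-example.test
2018-05-20T10:00:04Z 10.1.2.9 50657465722c4c65652c706574657240.q.exfil-example.test
2018-05-20T10:00:05Z 10.1.2.7 mail.example.com
"""

HEX_LABEL = re.compile(r"^[0-9a-f]{24,}$")

def shannon_entropy(text):
    """Bits per character; encoded data scores higher than hostnames like 'www'."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def is_encoded_label(label, min_len=24, min_entropy=3.0):
    """Heuristic: a long leftmost label that is pure hex or high-entropy."""
    if len(label) < min_len:
        return False
    return bool(HEX_LABEL.match(label)) or shannon_entropy(label) >= min_entropy

def find_dns_exfil_candidates(log_text, min_unique=3):
    """Group encoded-looking queries per (client, parent domain) and flag bursts.

    Returns {(client, parent_domain): unique_encoded_label_count} for every
    pair that reached min_unique distinct labels.
    """
    seen = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash on them
        _ts, client, qname = parts
        labels = qname.lower().rstrip(".").split(".")
        if len(labels) < 3 or not is_encoded_label(labels[0]):
            continue
        parent = ".".join(labels[-2:])  # crude registrable-domain approximation
        seen[(client, parent)].add(labels[0])
    return {key: len(v) for key, v in seen.items() if len(v) >= min_unique}

if __name__ == "__main__":
    for (client, parent), n in find_dns_exfil_candidates(SAMPLE_DNS_LOG).items():
        print(f"ALERT client={client} parent={parent} unique_encoded_labels={n}")
```

Tune min_len, min_entropy and min_unique against your own resolver logs; CDN and anti-spam lookups also use long labels, so an allow-list of known parent domains keeps the alert volume manageable.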
Policy creation, along with the following steps, will put organizations on the right road to meeting the GDPR legislative components:
Integrating the Acunetix feature set will make sure you have fulfilled the steps mentioned. A variety of scans can be automated, with the results delivered to the right people at the right time with zero false positives.
Especially with GDPR on our doorstep, the focus needs to shift from fending off attacks as they happen to having proper tools that can identify vulnerabilities. GDPR extends to cover the privacy policies on websites, requiring that adequate cybersecurity measures are in place, which in turn affects how your website and web applications are designed and monitored.
However, this does not mean that a website only needs a Secure Sockets Layer (SSL) certificate to be compliant. It comes down to how secure the data is while it is stored, and whether the database is encrypted.
An attacker seeking personal data will look for the weakest link, and the predator’s gaze has always fallen on the web server and web application. Bad actors will always look for the weakest parts of the website to penetrate, compromising personal data and putting the organization in breach of GDPR.
It could be as simple as a contact form submission saved in your website’s database when that database is not encrypted. There are many angles to scrutinize, and the simplest and most reliable approach is not to get breached in the first place.
This does not mean that designing your website and web applications to be GDPR compliant is all you need to do. It is the crucial first step, but because the legislation is new, organizations will lag behind; that is a fact. Why not go one step further and ensure that your data is not breached in the first place? Hardening your web application, which acts as the front door for hackers, will spare you much of the pain involved in becoming GDPR compliant.
GDPR is on our doorstep and there is no getting away from it. Some call it doomsday while others are busy preparing. When the unknown is lurking, the best plan of action is to tighten all areas of the infrastructure, especially at the web application level, as this is the most common path of entry. Component 2 of GDPR puts breach notification on a clock: if you cannot see what is happening in real time, you certainly cannot alert in time to be compliant with GDPR regulations.