KEEP CALM AND GDPR: A Guide to Understanding and Preparing for Next Year’s Big Changes in Data Security

Allure Security

Buzz about the General Data Protection Regulation (GDPR) has been around for years, but with the new security rules finally going into play in May 2018, it’s time to take it seriously. Some enterprises have been panicking, some have been preparing, and most have been doing a little of both. The new GDPR law will impact all companies who work with any EU citizens or companies. What does this mean for your business?

Meet the GDPR

The GDPR cracks down on the way companies process and store customers’ personally identifying information (PII), which includes everything from names, birthdays, photos, and email addresses to medical data, pseudonymised data, and IP addresses. Better protection means fewer data breaches—but it also ensures that customer information stays safe when a data breach does occur.

WHO NEEDS TO COMPLY WITH THE GDPR?

Any company that does business in any of the 28 EU member states or with any EU citizens. Whether you’ve got branches across Switzerland or just have PII on one person in Paris who signed up for your newsletter, you have to comply. But even if you don’t do business in Europe, the GDPR is likely to change global security standards going forward, so it might not be a bad idea to get on board anyway.

Sure, some regulations protecting PII already exist, so the GDPR might seem like just another rule to follow. But it’s important to realize that the GDPR is far stricter and has far more severe punishments than any regulations we’ve seen before. Compliance is going to be vital. The GDPR contains 99 articles that lay out regulations for data storage and protection, but here are the major ones to keep in mind:

• Data breaches must be reported within 72 hours, along with information about which customers’ data was breached. Today, many companies aren’t aware that a data breach has occurred until weeks, sometimes months, after the fact. The latest FireEye M-Trends report states that an average breach goes undetected for 146 days, so the new disclosure requirement calls for a seriously stepped-up game.

• Customers gain more control over their data. They can ask to see which of their data a company stores and have the “right to be forgotten,” or to have their data deleted.

• Companies are now liable for any breaches resulting from data (mis)management by third-party contractors.

• All companies dealing with EU citizens must be able to demonstrate that they’ve adopted appropriate security measures.

• Non-compliance with GDPR will result in major, unprecedented fines of €20 million or 4% of global revenues, whichever is higher. For many companies, noncompliance is not financially feasible.


Third-party problems

We can’t stress enough the significance of one of the more onerous requirements of the GDPR: All companies are now responsible for data breaches that occur on their third-party contractors’ watch. In other words, even if your company has excellent security measures in place, your law/accounting firm, regulators, business partners, or consulting firms might not. And that’s a problem. Whether you grant a third party access to your database or just share a Dropbox folder with them, data and documents are out of your hands and off your company’s servers. In the past, third parties’ data breaches were third parties’ problems. No longer. With GDPR, you’re on the hook for any breached or stolen customer PII, even if it’s not necessarily your fault. So even if you’ve done all you can to make sure you’re in compliance, you must ensure that your data is still safe once it leaves the enterprise. This is a major change and is likely to require a significant adjustment and security overhaul. Don’t panic (yet), but read on for some tangible steps you can take to make sure you do this right.

[Figure: where does your data go once it leaves the enterprise? Unknown destinations across Devices, Email, and Cloud Services.]


A+ steps to take now to prepare for the GDPR

• Assess. Take stock of your company’s current security situation. Where is customer data stored and how? What types of documents are used to store it? Who has access to it? How does it get moved between people or departments? What security measures are already in place, both in the enterprise and outside of it (i.e. in the cloud)? What processes are in place to detect and respond to a data breach? How much of your current security situation complies with the GDPR requirements?

• Act. Implement security measures that comply with GDPR and protect PII, whether that means encryption, beaconization, or strict data usage guidelines. Put these rules in writing and make sure everyone at your company knows them. Assume a data breach will happen and create a response plan. Who will be responsible for reporting it, and how will that happen in the required 72-hour window?

• Assemble. Make a list of every single third party your company works with in any capacity and in every department.

• Agree. Ask your third-party contractors to sign agreements acknowledging that they will not outsource work without explicit approval, they will maintain a risk-based security program that is GDPR-compliant (with your guidance if necessary), and they will report any data breaches or changes to you immediately. Contractors must also return or destroy all confidential data at the end of their contract or termination.

• Appoint. Select someone in your company to be the Data Protection Officer (DPO). GDPR recommends that this person is the point person regarding all data security operations and stays on top of data breach prevention and response.

• Allure. Allure Security’s Novo software is specifically designed to prevent third-party data breaches and doesn’t require keeping track of any keys, passwords, or contractors’ activities. Consider adding Novo to your security line-up to ensure GDPR compliance—and peace of mind.


INTRODUCING: How Novo can help

One of the biggest headaches with GDPR compliance is ensuring that documents and data aren’t accessed by unauthorized parties, whether they’re stolen, accidentally forwarded, or leaked with malicious intent. Allure Security’s Novo is designed to give you visibility and control over your documents and data. By embedding a beacon in every document your company uses, Novo keeps track of where sensitive documents and data are at all times. Set up a geofence around your company’s building or your contractor’s office, or authorize an employee’s personal IP address; as soon as a document is opened outside an authorized area, Novo sends an alert and lets you know exactly which documents were opened and affected. What’s more, Novo renders the document unreadable outside the authorized area. In other words, not only are you instantly notified of suspicious activity, but the data itself is impenetrable if it finds itself where it doesn’t belong. The rapid alert system makes it easy to notify authorities and customers about a breach within minutes, well before 72 hours is up.

“Novo’s beaconization technology can dramatically reduce risks for large enterprises and align them with the GDPR requirements to provide a reasonable risk-based security solution,” says Sal Stolfo, CTO of Allure Security. “Novo is exactly that: it’s reasonable, it’s a means of detecting breaches, and it’s a means of informing a company when a breach occurs. It ensures compliance and it works.” Breaches are going to happen—there’s no getting around that fact in this day and age as hackers get increasingly savvy. And the GDPR won’t punish you for experiencing a breach. What the GDPR does ask you to do, though, is have solutions in place that minimize risks, monitor your data’s security in the hands of third parties, and be able to report problems when they occur. Novo makes this possible.


How it works

Allure Security’s flagship Novo product is the first Data Loss Detection and Response (DDR) technology that automatically tracks document flows in and outside the enterprise network using machine-learned Document Behavior Analytics (DBA) and data-level deception to pinpoint the source of exfiltration in real time and take action to prevent data loss. As documents flow through your existing network gateways, Novo tags real data with beacons, maps all locations where beaconized documents are accessed, and learns normal document flow and behavior. Novo alerts the moment it sees documents being opened where they shouldn’t be—outside the geofence in another country, an employee’s home computer, or any other suspicious location. If Novo detects unusual document behavior, it replaces real documents with decoys, or fake documents, to protect the data and catch attackers or insiders.

[Figure: Novo architecture. Documents pass through the Network Gateway into the Beaconizer and Decoy Generator; Beacons and Threat Intel feed Sonar Beacon Events and DocFlows into the Policy Engine and DBA ML Engine inside the Enterprise Network, which produce Detection, Real Time Alerts, and Big Data Insights & Reports.]
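As an added illustration (not Allure’s code and not how Novo is implemented), here is a small policy check of the kind the text describes: beacon callbacks are matched against per-document geofences, and any open outside an authorised zone produces an alert naming the document and the source address. The zone ranges, document names and events are all constructed for the example.

```python
import ipaddress
from collections import namedtuple

# Hypothetical geofence policy: named zones mapped to authorised address ranges.
# All ranges and document names below are constructed for this example.
ZONES = {
    "hq": ["203.0.113.0/24"],
    "contractor_office": ["198.51.100.0/25"],
    "employee_home": ["192.0.2.77/32"],
}
# Zones in which each beaconised document may be opened.
DOC_POLICY = {
    "contract-2018-07.docx": {"hq", "contractor_office"},
    "payroll-q1.xlsx": {"hq", "employee_home"},
}
Alert = namedtuple("Alert", ["timestamp", "doc_id", "source_ip", "reason"])

def zone_of(ip_text, zones=ZONES):
    """Return the zone whose range contains ip_text, or None if outside every geofence."""
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return None  # a malformed address is treated as outside, never silently trusted
    for name, cidrs in zones.items():
        if any(ip in ipaddress.ip_network(cidr) for cidr in cidrs):
            return name
    return None

def evaluate_events(events, doc_policy=DOC_POLICY, zones=ZONES):
    """Apply the policy to beacon callbacks (timestamp, doc_id, source_ip); return unauthorised opens."""
    alerts = []
    for ts, doc_id, src in events:
        allowed = doc_policy.get(doc_id)
        zone = zone_of(src, zones)
        if allowed is None:
            alerts.append(Alert(ts, doc_id, src, "unknown document: no policy on file"))
        elif zone is None:
            alerts.append(Alert(ts, doc_id, src, "opened outside every geofence"))
        elif zone not in allowed:
            alerts.append(Alert(ts, doc_id, src, f"opened in zone '{zone}', not authorised for this document"))
    return alerts

# Constructed beacon events: (timestamp, document id, source address of the open).
SAMPLE_EVENTS = [
    ("2018-05-25T09:00:00Z", "contract-2018-07.docx", "203.0.113.42"),   # HQ: authorised
    ("2018-05-25T09:05:00Z", "contract-2018-07.docx", "198.51.100.17"),  # contractor office: authorised
    ("2018-05-25T10:12:00Z", "contract-2018-07.docx", "192.0.2.77"),     # employee home: not allowed for this doc
    ("2018-05-25T11:30:00Z", "payroll-q1.xlsx", "192.0.2.200"),          # outside every geofence
    ("2018-05-25T11:31:00Z", "payroll-q1.xlsx", "not-an-ip"),            # malformed source: treated as outside
]
```

Running `evaluate_events(SAMPLE_EVENTS)` yields three alerts: the contract opened from the employee’s home, and the payroll sheet opened from an unknown and then a malformed address.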


The Novo Difference

In the race to become compliant before May, your company might be looking at a number of different solutions. Most solutions out there are based on encryption, which ensures that if a document is intercepted in the cloud, for instance, the interceptor won’t have the necessary decryption key to understand the content. However, relying on encryption to manage thousands of employees with access to millions of documents and billions of pieces of data—well, that’s a lot of decryption keys and a huge technical challenge, especially when third parties come into play. Losing even one key can lead to a loss of data, and managing and enforcing an encryption solution among contractors and others operating outside the network is difficult, to say the least. Novo moves past the concepts of endpoints and keys, and it frankly doesn’t matter how your data is shared or stored. Novo makes it easy to know exactly where all your data is all the time—and if it’s not where it’s supposed to be, you’ll know right away. Novo is easy to manage, secure, and accountable—and best of all, it’s GDPR compliant from the moment you set it up.

“Enterprises aren’t aware of where their documents go once they leave their network. We believe visibility is the number-one way to prevent the loss of data,” says Mark Jaffe, CEO of Allure Security. “Third parties have long been an obstacle to data security, and the GDPR is taking significant strides to improve data breach protection. Novo stands up to the task, and by making security second-nature, it lets enterprises focus on the work they care about most.”

Take Novo for a test drive and see where your document travels by visiting alluresecurity.com and requesting to schedule a demo.
