Revealed: Four key challenges for data protection in the region

Organisations must be GDPR compliant or face tough penalties



Sponsored: Data security has become the new focus for businesses and corporations worldwide, as breaches increase and valuable information is lost or stolen.

According to market intelligence firm International Data Corporation (IDC), more than 1.5 billion people worldwide will be affected by data breaches by 2020.

Meanwhile, in its 2017 Data Breach Level Index, digital security firm Gemalto noted that the number of data records compromised in publicly disclosed data breaches surpassed 2.5 billion – up 88 per cent from 2016. This equates to more than seven million records lost or stolen every day, or 82 every second.

While huge investments have gone into protecting data, legal frameworks such as the Europe’s General Data Protection Regulation (GDPR) have also been enforced.

GDPR strengthens the rights of individuals to demand that companies reveal or delete the personal data they hold. It also requires organisations to report any kind of breach to the authorities within 72 hours of being aware of it.

The regulation, implemented on May 25, addresses the export of personal data outside the European Union and the European Economic Area. And while it is a law tailored to the data protection and privacy of individuals within the EU and EEA, any company that has access to the data of EU citizens must also comply with GDPR.

With a large expat workforce – many of whom are from Europe – several companies in the GCC will need to comply.

“Businesses are taking GDPR seriously, because the implications of non-compliance are quite severe,” explains Alain Penel, regional vice president – Middle East at cybersecurity firm Fortinet.

“If organisations don’t take GDPR compliance seriously enough they can be subject to substantial fines and penalties (up to 4 per cent of worldwide turnover or 20m euros, whichever is greater). Furthermore, non-compliance can lead to a substantial loss of business and revenue and negatively impact customer trust,” he adds.

According to Penel, there are four key challenges that businesses face when it comes to data protection. They include –

1. Auditing: The first challenge towards data protection and being GDPR compliant is to audit, and if necessary modify, the way the organisation collects, stores and processes personal information, he says.

“Just reaching a point where the organisation can precisely locate all instances of an individual’s personal data across the entire infrastructure is a major part of this challenge.”

2. Governance: Organisations need to be able to demonstrate compliance through appropriate governance measures, including detailed documentation, logging and continuous risk assessment.

“There is an added expectation that security should, as far as possible, be an integral part of all systems from the outset, rather than something applied in retrospect, although this clearly presents an enormous challenge where legacy systems are concerned,” explains Penel.

Such cases highlight the essential role of network level security as the first layer of defence, since until the huge number of legacy systems in use can be redesigned with inherent data protection measures, it may be their only security measure against data breach, he adds.

3. Evolving threat landscape: Keeping pace with the evolving threat landscape is a challenge even without the GDPR’s stipulation for ‘State of the Art’ defences, opines Penel.

“Part of the problem comes from the way cyber security has evolved, with the discovery of each new attack vector spawning yet another security solution to be added. This is not only hard to manage, but can easily lead to gaps and inconsistencies in the response to new threats – especially across a mult-vendor environment.

“The challenge is compounded by the adoption of trends such as mobility, cloud computing, and the Internet of Things, all of which expand the effective attack surface, exposing new vulnerabilities, and eroding the traditional concept of a network border.”

According tom him, for any solution to be ‘State of the Art’, it will not only need to overcome the challenges described, but also continually adapt to changes in the usage of technology and in the evolving threat landscape.

4. Data breaches and notifying relevant authorities: GDPR also introduces a new obligation on organisations to notify relevant authorities of any personal data breach likely to result in a risk to “the rights and freedoms of individuals” which must be made ‘without undue delay’.

“The first challenge to the GDPR’s breach notification requirement is to detect when a qualifying breach has taken place and determine which assets might be at risk. Almost by definition, any successful external security breach must have either evaded detection entirely, or was not detected quickly enough. This means its either exploited an attack mechanism unlike any previously encountered, or the flags that it did raise were missed,” states Penel.

“Fortunately, the GDPR 72-hour notification window opens at the moment of detection, not the moment of intrusion. Yet since the financial impact of a breach correlates strongly with the length of time the hacker has access, shortening the time to detection is still imperative,” he adds.

The Fortinet approach

Adherence to the GDPR regulations requires “state-of-the-art technology for comprehensive data protection and, in particular, advanced threat prevention and detection to minimise the possibility of a data breach”, stresses Penel.

“Businesses affected by GDPR need to make sure they have the right technologies in place to protect their environments and detect and mitigate data breaches quickly and effectively, which starts with getting the right security architecture in place.”

The company’s specialist product, Fortinet Security Fabric, has been created to protect borderless, high bandwidth and complex networks from the rapidly evolving menace of cyber-threats.

“The Fortinet Security Fabric is a collaborative technology vision that harnesses the collective power and intelligence of Fortinet’s portfolio of security solutions to deliver benefits greater than those of its parts. These solutions close gaps left by legacy point products and provide broad, integrated, and automated end-to-end protection demanded by today’s organisations across their physical, virtual and cloud environments,” says Penel.

Fortinet’s approach to ensure safeguarding data includes –

1. NGFW: The first line of defense against intrusions targeting PII is a Next Generation Firewall (NGFW).

2. End-point security: The Fortinet FortiClient solution enhances an organisation’s ability to stop data breaches from occurring and meet GDPR reporting requirements in the event of a breach.

3. Email security: A sophisticated SEG, FortiMail, blocks ransomware, phishing, and other threats to PI.

4. Web security: Protecting PII against threats such as SQL injection, cross-site scripting, buffer overflows, and cookie poisoning requires a multilayered approach to web application security which FortiWeb can deliver.

5. Secure the access layer: Fortinet Secure Access solutions integrate security and access on a single platform.

6. Protection and detection: To be successful in intrusion prevention and detection, as well as data breach incident response, organisations require advanced threat protection and detection capabilities. Fortinet provides threat intelligence and sandboxing solutions.