Story image

Tighter data regimes demand action: four steps to cyber security

14 Mar 18

Article written by AT&T regional security director for Greater China Sharon Chan.

As China and the European Union (EU) strengthen their data protection and privacy regimes, Asia-based companies that do business across borders need to reassess their cyber security readiness.

Tougher data regulation in major markets 

When China’s new national standard on personal information protection comes into effect this May, it will put strict checks on how companies manage and share user data. The new regulation is very comprehensive, applying to a wide range of sensitive personal information. It is also very exacting. Companies will need to follow specific security testing processes and other procedures, including gaining user consent to share data.

The long-awaited General Data Protection Regulation (GDPR) also begins in May, to give individuals in the EU more control over how personal data, like IP addresses, may be collected, used and stored. With heavy penalties for GDRP violations, the new law demands that entities implement measures to provide for data protection, as well as disclose personal data breaches to regulators within 72 hours of awareness.

International companies will need to comply with the new systems if they want to have access to China’s 1.4 billion consumers or the EU market of 500 million people. And while the two systems have their differences, they both demand that companies do more to protect customer data.

Checklist to reassess security readiness

To safeguard your business for the long term now is the ideal time to reassess your readiness to help protect your data and meet increasingly strict regulations with this four-point checklist.

1. Conduct a cyber security risk audit

A cyber risk audit helps you to determine how to best apply your current and future cyber security investments. It is important to conduct risk assessments specific to the threats that could impact the business most and to include an evaluation of the cyber security posture of emerging technologies, such as the Internet of Things, mobility and cloud security. A gap analysis is also useful to help you understand where you are compared to where you want to be.

Regular assessments are key. Two-thirds of the organizations surveyed for the 2017 AT&T Global State of Cybersecurity review admitted they did not conduct ongoing cyber risk assessments.

2. Set up a threat alert platform

In today’s distributed networks, every end-point – be it an IoT device, employee mobile device or drone – is a potential new entry point, but each has different security implications. The key lies in designing an integrated platform for all end-points with a built-in, always-on security approach, and using overarching threat analytics to study the overall ecosystem.

Automated threat detection and response processes on this platform are going to be increasingly important for meeting auditing and compliance requirements. Ideally, you will create a feedback loop between your internal cyber security operations and a flexible risk management strategy that evolves based on daily threat activity and response.

3. Get support from your service providers

To help to protect sensitive data and apps that reside on your network and move between devices, users and networks, you need to work with your service providers. You should have full visibility into your network traffic and be able to authenticate and authorize legitimate users while blocking suspicious activity.

More companies today are using artificial intelligence (AI) and blockchain technologies to support their customers. AI tools can detect anomalous behaviour and zero-day attacks and help you overcome the challenge of limited security resources. Blockchain helps you to build a trusted digital network with a high level of data integrity and operational transparency.

4. Organize ongoing staff training

People are still the weakest cyber security link. The 2017 AT&T Global State of Cybersecurity report found that a cyber security attack had negatively affected nearly 80% of surveyed organisations in the past year, but only 61% mandated security training for staff.

Every member of your team needs to be aware of new types of security threats and what to do to meet tighter regulations. Cyber security training ought to be a regular occurrence: once a year at a minimum. Building a security culture takes time and effort and this sort of ongoing conversation with a top-down approach is essential.

At the same time, threats are getting more sophisticated. From casual intruders to well-funded criminal organisations, hackers are increasingly using big data analytics to search for vulnerabilities and using AI for social engineering attacks, such as phishing, to steal sensitive data and credentials. 

Daily cyber security events now number in the millions, and we should expect ransomware, malware and other attacks to continue to escalate. The focus has to be on changing user behaviour.

McAfee named Leader in Magic Quadrant an eighth time
The company has been once again named as a Leader in the Gartner Magic Quadrant for Security Information and Event Management.
Symantec and Fortinet partner for integration
The partnership will deliver essential security controls across endpoint, network, and cloud environments.
Is Supermicro innocent? 3rd party test finds no malicious hardware
One of the larger scandals within IT circles took place this year with Bloomberg firing shots at Supermicro - now Supermicro is firing back.
Forcepoint and Chillisoft - “a powerful combination”
Following Chillisoft’s portfolio expansion by signing on Forcepoint, the companies’ execs explain how this is a match made in cybersecurity heaven.
25% of malicious emails still make it through to recipients
Popular email security programmes may fail to detect as much as 25% of all emails with malicious or dangerous attachments, a study from Mimecast says.
Google Cloud, Palo Alto Networks extend partnership
Google Cloud and Palo Alto Networks have extended their partnership to include more security features and customer support for all major public clouds.
Using blockchain to ensure regulatory compliance
“Data privacy regulations such as the GDPR require you to put better safeguards in place to protect customer data, and to prove you’ve done it."
A10 aims to secure Kubernetes container environments
The solution aims to provide teams deploying microservices applications with an automated way to integrate enterprise-grade security with comprehensive application visibility and analytics.