SecurityBrief New Zealand - Technology news for CISOs & cybersecurity decision-makers
Tighter data regimes demand action: four steps to cyber security
Wed, 14th Mar 2018

As China and the European Union (EU) strengthen their data protection and privacy regimes, Asia-based companies that do business across borders need to reassess their cyber security readiness.

Tougher data regulation in major markets

When China's new national standard on personal information protection comes into effect this May, it will put strict checks on how companies manage and share user data. The new regulation is very comprehensive, applying to a wide range of sensitive personal information. It is also very exacting. Companies will need to follow specific security testing processes and other procedures, including gaining user consent to share data.

The long-awaited General Data Protection Regulation (GDPR) also takes effect in May, giving individuals in the EU more control over how personal data, such as IP addresses, may be collected, used and stored. With heavy penalties for GDPR violations, the new law demands that entities implement measures to provide for data protection, as well as disclose personal data breaches to regulators within 72 hours of becoming aware of them.

International companies will need to comply with the new systems if they want to have access to China's 1.4 billion consumers or the EU market of 500 million people. And while the two systems have their differences, they both demand that companies do more to protect customer data.

Checklist to reassess security readiness

To safeguard your business for the long term, now is the ideal time to reassess your readiness to protect your data and meet increasingly strict regulations. This four-point checklist will help.

1. Conduct a cyber security risk audit

A cyber risk audit helps you to determine how to best apply your current and future cyber security investments. It is important to conduct risk assessments specific to the threats that could impact the business most and to include an evaluation of the cyber security posture of emerging technologies, such as the Internet of Things, mobility and cloud security. A gap analysis is also useful to help you understand where you are compared to where you want to be.

Regular assessments are key. Two-thirds of the organisations surveyed for the 2017 AT&T Global State of Cybersecurity review admitted they did not conduct ongoing cyber risk assessments.

2. Set up a threat alert platform

In today's distributed networks, every end-point – be it an IoT device, employee mobile device or drone – is a potential new entry point, but each has different security implications. The key lies in designing an integrated platform for all end-points with a built-in, always-on security approach, and using overarching threat analytics to study the overall ecosystem.

Automated threat detection and response processes on this platform are going to be increasingly important for meeting auditing and compliance requirements. Ideally, you will create a feedback loop between your internal cyber security operations and a flexible risk management strategy that evolves based on daily threat activity and response.

3. Get support from your service providers

To help to protect sensitive data and apps that reside on your network and move between devices, users and networks, you need to work with your service providers. You should have full visibility into your network traffic and be able to authenticate and authorize legitimate users while blocking suspicious activity.

More companies today are using artificial intelligence (AI) and blockchain technologies to support their customers. AI tools can detect anomalous behaviour and zero-day attacks and help you overcome the challenge of limited security resources. Blockchain helps you to build a trusted digital network with a high level of data integrity and operational transparency.

4. Organize ongoing staff training

People are still the weakest cyber security link. The 2017 AT&T Global State of Cybersecurity report found that a cyber security attack had negatively affected nearly 80% of surveyed organisations in the past year, but only 61% mandated security training for staff.

Every member of your team needs to be aware of new types of security threats and what to do to meet tighter regulations. Cyber security training ought to be a regular occurrence: once a year at a minimum. Building a security culture takes time and effort, and this sort of ongoing, top-down conversation is essential.

At the same time, threats are getting more sophisticated. From casual intruders to well-funded criminal organisations, hackers are increasingly using big data analytics to search for vulnerabilities and using AI for social engineering attacks, such as phishing, to steal sensitive data and credentials.

Daily cyber security events now number in the millions, and we should expect ransomware, malware and other attacks to continue to escalate. The focus has to be on changing user behaviour.