This week, the U.K. Information Commissioner’s Office (ICO) announced plans to fine British Airways $230 million and Marriott $124 million under the General Data Protection Regulation (GDPR) for data breaches disclosed last year.

The British Airways breach compromised 500,000 customers’ data, while the Marriott breach involved the loss of 339 million guest records. Both companies will have an opportunity to appeal the decisions.

The total proposed fines far exceed the previous highest fine of $645,000 doled out to Facebook for serious breaches of data protection law in 2018.

Terry Ray, senior vice president and fellow at Imperva, tells us the GDPR “forgiveness window” has closed and businesses that can’t answer the following simple questions certainly can’t prevent data breaches:

Imperva’s Terry Ray

“Technology has existed for almost two decades now that answers these questions, but organizations have been much too slow to implement it,” he said. “Those that have often only implement data security in less than 10% of their actual data space. This is like installing anti-malware on only 10% of corporate laptops, hoping that the other 90% never get infected. Hope is not a plan, as they say. Neither is selective data security.”

The more an MSSP or security provider offers services around data security, the more this problem extends to them as well, Ray said. Of course, this always depends on their contract, he said.

“I once made a comment about a public data breach and the corporate owner of the data – the company that actually collected the data – expressed concern that I was not clear in my statement, that they had not, in fact, lost the data,” he said. “Instead it was a third party this corporation had hired to store and analyze the data that was breached. The fact is, both companies were at fault. Did the primary data collector exercise effective due diligence on the data storage entity? What controls did that company expect the service company to have implemented? What reporting was provided to verify effective review of data access?”

The scrutiny that businesses should be putting on third-party providers is going up and savvy businesses need to not only keep costs down often by outsourcing, but also now consider the cost of a breach at the third party as the breach impacts both entities, Ray said.

Matt Aldridge, Webroot’s senior solutions architect, tells us the key message is GDPR penalties are real and they are significant. This is good news from a privacy enforcement perspective, but companies need to take this as a wake-up call to address their data security and privacy compliance very quickly if they are not already well ahead on this, he said.

Webroot’s Matt Aldridge

“From a reputation-protection standpoint alone, being in the spotlight for data-protection transgressions and data breaches is not at all good for business,” he said. “On the enforcement side, it is likely that more clear guidance will be needed so that companies can more easily ensure they are operating in a fully compliant state before they are breached, rather than attempting to demonstrate this after a breach has occurred.”

It’s now more important than ever that compliance efforts made by organizations go hand in hand with verifiable security controls and strong processes, Aldridge said. All of these efforts need to be much more carefully scrutinized and recorded than has been the case in the past, he said.

“MSSPs and compliance specialists can play a key role in helping companies to achieve this, along with other cybersecurity service providers, but in turn those companies must ensure that they have done and recorded their due diligence when selecting …

… such partners, and that the relationship is clearly defined in terms of where the lines of responsibility lie when protecting the personal data of all customers, partners and employees,” he said.

Alastair Pooley, Snow Software‘s CIO, said the fines likely will lead to some real change.

Snow Software’s Alastair Pooley

“The eye-watering size of the fines now makes it clear that the regulator will use its powers against firms which fall short of their legal duty,” he said. “I think this will lead to renewed investment in GDPR compliance and cybersecurity to reduce the risk of such penalties.”

SMBs Especially Vulnerable to Long-Lasting Breaches

Despite sophisticated prevention security tools, SMBs continue to be especially vulnerable to long-lasting breaches due to their inability to support the level of IT staffing traditionally required to run a comprehensive detection and response function.

That’s according to Infocyte‘s inaugural “Mid-market Threat and Incident Response Report” for the second quarter of 2019. Dwell time, the time between an attack penetrating a network’s defenses and being discovered, remains a major problem for these organizations.

Chris Gerritz, Infocyte’s co-founder and chief product officer, tells us the report highlights the “dire need” for managed services focusing on detection and response.

“Dwell time for threats, vulnerabilities and issues is very high for those with purely static defenses,” he said. “Generally, if malware or an attack can bypass the protection solutions deployed in a network during the initial attack, they will stay there unless there is continuous monitoring being done.”

Infocyte’s Chris Gerritz

It’s becoming harder for organizations without experienced threat and malware analysis personnel to prioritize or communicate risk from detected attacks, Gerritz said.

“Among the detection solutions that do detect them, 61% of the malware and fileless attacks we uncovered are categorized using generic signatures or scores by all the vendors and threat intel we’ve compared them against (using VirusTotal or other antimalware engines we host),” he said. “This means the typical organization has to decipher what an alert that says ‘Generic.Trojan’ or a generic behavior labeled ‘Suspicious Powershell Use’ means to their business — this usually requires a lot more human-intensive investigation and analysis before it becomes useful to a business.”

The organizations that have things under control don’t just have the latest antivirus tool or a big security policy written up, Gerritz said. Empowerment to take action and enforce policy is often the key differentiation, he said.

“Not every org is compromised, and not every org is riddled with adware and unwanted applications; often the security teams that do have a lot of issues already know they have issues, they just struggle with what to do about it with their limited resources and power,” he said.

Barracuda Unleashes Cloud Security Guardian for MicroSoft Azure

Barracuda this week announced the general availability of Cloud Security Guardian for Microsoft Azure, an agentless SaaS solution that provides end-to-end visibility into the security of public cloud workloads, ensuring continuous compliance and automating remediation of security incidents.

Cloud Security Guardian is another example of Barracuda’s emphasis on its build-with motion with Microsoft. It uses Microsoft’s Security Graph API to provide …

… security scores and alerts to identify and prevent security policy violations that can often turn into threats. Cloud Security Guardian also integrates with Microsoft’s Azure Firewall.

Vainyak Shastri, Barracuda’s senior product manager of advanced technology, tells us Cloud Security Guardian can help partners provide an assessment of their customers’ security in the cloud.

Barracuda’s Vainyak Shastri

“For partners migrating customers’ infrastructure to cloud, they can build and migrate with security in mind as it provides the ability to generate summary and detailed reports, keep customers up to date on their cloud infrastructure and compliance posture,” he said. “Further, MSSPs can manage their customers’ cloud security operation without having to invest in expensive cloud security experts. Cloud Security Guardian provides built-in policies and leverages native cloud security tools within Azure — with an easy-to-use user interface.”

Cloud Security Guardian will provide partners with the advantage of becoming cloud security experts, Shastri said.

“By leveraging the ability to inspect the data plane and monitor the management plane and control plane, partners can provide in-depth security without having to install and manage too many point solutions,” he said.

Ingram Micro Partners Gain Critical Start MDR

Critical Start‘s new distribution agreement with Ingram Micro means the latter’s U.S. resellers can offer the former’s managed detection and response (MDR) services.

Critical Start said this agreement is further evidence of it executing its plan to rapidly expand operations and its customer base across the United States. Under the terms of the agreement, Ingram Micro’s advanced solutions
organization will market, sell and support the MDR services to its network of channel partners and end customers.

Rob Davis, Critical Start’s CEO, tells us his company is “winning the head-to-head opportunities for MDR against established MSSP and MDR players.”

Critical Start’s Rob Davis

“The primary limitation to our growth is geographic reach and sales coverage,” he said. “The agreement with Ingram Micro gives us a distribution partner with deep cybersecurity expertise and a vast network of excellent channel partners across the country to help us capitalize on more opportunities.”

Davis said the three reasons resellers are choosing to work with Critical Start are: immediate upsell opportunities to increase revenue with no additional headcount required; having the only MDR service that is mobile-first, adaptive to the differences of each client, and resolves all security events; and engaging prospects with newly expanded service offerings from a channel-first vendor.

Critical Start’s MDR service supports enterprise security technology partners including Carbon Black, Chronicle, Cylance, Microsoft, Palo Alto Networks, Splunk and more.