Edward Gately

The day before the Memorial Day weekend marks the long-anticipated and much-dreaded deadline for compliance with the EU’s General Data Protection Regulation (GDPR).

A recent report by Crowd Research Partners revealed that only 40 percent of organizations are either GDPR-compliant or well on their way to compliance by the deadline, while 60 percent are at risk of missing the deadline. Just 7 percent of surveyed organizations said they were in full compliance with requirements and 33 percent said they were well on their way to compliance.

While 80 percent confirmed GDPR is a top priority for their organization, only half said they were knowledgeable or have deep expertise, while one-quarter (25 percent) had no or only very limited knowledge of the law.

The results are based on an online survey of IT, cybersecurity and compliance professionals in the 400,000-member Information Security Community on LinkedIn.

Are you ready for the deadline or heading toward the finish line? Or are you stuck in panic mode?

SkyKick’s Gerard Doeswijk

We spoke with several cybersecurity professionals on this issue, including: Gerard Doeswijk, data protection officer at SkyKick; Lee Aber, chief information security officer at OwnBackup; and Michael Hall, global head of information security and IT services at HighQ. Theresa O’Neil, vice president of marketing at Showpad, also joined the conversation.

Not being compliant will have a big impact on businesses, such as potential reputation damage and even fines of up to 4 percent of a company’s entire revenue, or 20 million euros, whichever is greater, Doeswijk said. And it’s clear there are still quite a few businesses, particularly SMBs, that are unsure of what they need to do for GDPR compliance, he said.

“The vagueness and extensive reach of the regulation has smaller companies expressing a lot of concern around the impending deadline,” he said. “If you’re only starting or if you feel you started too late, it is probably an enormous challenge to get compliant before the deadline. It should have been a project or a program you started early, giving room for discovery of what you process, for what purpose and under what legal ground.”

The ramifications for organizations that aren’t GDPR-compliant ultimately come down to lost business, O’Neil said.

“Many companies have strict vendor-selection processes in place to protect the personal data of customers,” she said. “There have been times at Showpad that we’ve stopped having conversations with potential tech vendors due to concerns around them being GDPR-compliant. Additionally, without personal data security, customers’ trust in brands is at stake, which can impact …

… the organization’s bottom line. Ultimately, if organizations aren’t compliant, they risk losing customers, partners and revenue.”

Key steps around basic data hygiene and becoming more responsible data stewards of EU individuals’ data will go far as you prepare for GDPR’s enforcement date, Aber said. These include:

OwnBackup’s Lee Aber

“Under GDPR, organizations must have a process in place for responding to various data subject requests,” Aber said. “Don’t let this be a fire drill. You still have time to get organized and document personal data within your organization. Roll up your sleeves and dive in.”

If you have a program underway, if your leadership team is behind it, and the will and budget are there, then you’ve already won the battle, Hall said. However, once May 25 has passed, you are running at greater risk should there be a breach, he said.

Many compliance programs – whether regulatory such as GDPR, the Health Insurance Portability and Accountability Act (HIPAA), or technolog- specific such as ISO 27001 or SOC2 for information security management – often have controls that overlap, he said.

“For example, if you are already HIPAA-compliant and have to abide by particularly restrictive state laws, then you may already be 90 percent GDPR-ready,” he said. “A common pitfall is to tackle these compliance programs as separate projects, burning time and effort unnecessarily. Technology can help identify common clauses and controls, and allow a firm to save time and money by mapping one regulation against another.”

If you miss the deadline, it’s important to take action, rather than hoping for the best, Doeswijk said.

“Go to the regulator in your country, log your concerns, explain what you have done and are still doing, and what you will continue to do after the effective date,” he said. “What should be clear: the effort for GDPR compliance does not end with the effective date; you will have to continue to evolve your privacy and security measures as your business evolves.”

The best way to mitigate potential penalties is to …

… bring focus across the organization to compliance initiatives and make changes that are scalable and sustainable, O’Neil said.

Showpad’s Theresa O’Neil

“Prioritize GDPR compliance not only to prevent penalties, but – and perhaps more importantly – to protect the data of your customers,” she said. “While companies should be mindful of the compliance deadline, the important thing is that they make changes within the organization to start protecting the personal data that they collect. It must be a top organizational priority.”

SkyKick has registered with the Dutch Data Protection Authority (DPA) since its European headquarters are in Amsterdam, Doeswijk said.

“The head of the DPA has recently stated that no business is going to be made exempt, but that generally speaking, the focus will be on bigger companies and organizations that deal with lots of sensitive data (health care, minors, convicts, etc.),” he said. “It is clear, however … that any organization that has a data breach or data leak (and the definition of this is really broad as accidentally sharing email addresses without consent) will be scrutinized immediately.”

KnowBe4 Discovers Exploit Bypassing 2-Factor Authentication

Kevin Mitnick, KnowBe4‘s chief hacking officer, uncovered a new exploit that demonstrates how using two-factor authentication (2FA) does not mean a user is automatically protected.

2FA is an extra layer of security that requires something an employee has and something they know, such as a password/username and something that only the user has, such as a code that was sent to them or that they pulled from an app on their phone. This new attack is based on proxying the user through the attacker’s system with a credentials phish that uses a URL-hijacking domain.

Once the user falls for this social engineering tactic and enters their credentials, their authenticated session cookie gets intercepted and it’s easy to hack into the account.

KnowBe4’s Roger Grimes

Roger Grimes, KnowBe4’s data-driven defense evangelist, tells us he’s documented 11 different ways 2FA can be hacked and exploited, and these are only the in-the-wild attacks that already have been demonstrated in the real world.

“The challenge is that most people who use and deploy 2FA overestimate the protection that 2FA gives,” he said. “2FA does make it harder for simple phishing attacks, but as 2FA use increases around the world, hackers aren’t sitting still. They are moving up their phishing attacks with more sophisticated creations that prove that even users with 2FA credentials can be successfully phished.”

On a positive note, 2FA phishing attacks aren’t nearly as popular as traditional attacks, but that is changing, Grimes said. Expect 2FA-involved attacks to increase as 2FA use increases.

“And just like with non-2FA phishing attacks, security awareness training can significantly help,” he said. “The channel can spread the news that 2FA does not provide unhackable protection, and that 2FA has its own inherent limitations, one of which is that they can still be phished (in many different scenarios). The opportunity is a new understanding that someone with a heavy 2FA environment can …

… still be successfully phished.”

Optiv Rolls Out New Cybersecurity Assessment Services

Optiv Security recently unveiled a new portfolio of more than 60 assessment services designed to help organizations rationalize infrastructure, optimize operations, and build risk-centric cybersecurity programs that are manageable, measurable and effective.

Assessments@Optiv addresses every aspect of security and risk, with strategic guidance to help organizations prioritize the assessments that best fit specific business needs, the company said. The assessments are organized across all major industry frameworks, and security initiatives — from architecture and implementation, attack and penetration, and enterprise incident management to application security, strategy, risk and compliance, and identity and access management.

Optiv’s J.R. Cunningham

J.R. Cunningham, Optiv’s vice president of product management, tells us the assessments provide clarity on precisely what problems need to be solved and where technology is best deployed.

“Our partners appreciate this approach for two reasons: first, it enables them to not waste time trying to fit products into problems that aren’t clearly understood or identified, and our assessment activities help to ensure the security product stack is functioning properly throughout its life cycle,” he said. “This is designed to lead to more effective security technology and enable the client and technology partner to fine-tune the use of security technology throughout its life cycle.”

Optiv’s clients and partners are asking the company to provide clarity in an increasingly complex world of cybersecurity, Cunningham said

“Having a portfolio of deep and wide assessments enables us to help our clients to precisely understand their current state, which helps to simplify the road map in their individual security journey,” he said. “This simplified road map provides the client with those critical next steps and enables them to precisely approach the security technology market with specific use cases for the problems they wish to solve.”