GDPR just took effect and you’re hitting the panic button? Take a deep breath.

How security auto-testing with actionable remediation could help resolve some problematic GDPR security requirements not met to date.

Although the GDPR deadline has just passed, there is no point surrendering to scare mongering tactics. There is still an opening for making necessary security adjustments until the dust settles and the authorities sound their first warning knell. A troubleshooting game plan, using security simulation testing could offer a path to catching up with GDPR compliance, as well as realizing new opportunities. In this post we will focus on security testing automation as a vital tool, not just for making up for lost time, but for continuously complying with GDPR regulations.

Why run tests in the first place?

Security testing exercises can establish whether it’s possible for an attacker to gain access into your network and figure out what path of attacks they are likely to exploit.  Simulated tests, usually involving red team tactics, can highlight how well your security stack can withstand a real-life hacker.

From May 25, testing organization’s cyber posture regularly is not just a valuable investment that strengthens security; it is actually a requirement under GDPR.

The need for regular security testing under Article 32

GDPR Article 32 calls for regularly testing, assessing and evaluating the effectiveness of data protection measures.  Although the article starts of vaguely; “taking into account the state of the art…”, according to Article 32.1d security testing is vital for GDPR compliance. In one of the better-defined provisions, 32.1d stipulates the need for:

“A process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.”

To date many security companies have been flagging multiple tools in a bid to align organizations with GDPR compliance. Most security solutions focused on data consolidation, visibility and risk assessment. At best they provide control, alert, and audits of unauthorized access. However very few offer automated security testing immediately followed by prioritized actionable remediation.

Ongoing attack simulation testing and remediation could also help organizations handle potential threats and avoid the tough measures of Article 33.

Measures to avoid the game-changing Article 33

Given the tepid response to date to security testing, GDPR’s Article 33, is in jeopardy of adherence. GDPR Article 33 states; “In the case of a personal data breach, the controller shall without undue delay, and where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority.” When you think of it, the timeframe is extremely short, leaving little room for maneuverers. The guideline set out multiple steps along the way to full compliance including;

  • The need to conduct an investigation into the threat
  • The need to quickly inform regulators and individuals of the breach
  • Specify what data was impacted
  • Report how the issue is addressed – all within 72 hours

The article puts on the line a very common practice of reporting months after a security incident occurred, such as in recent cases with; Uber, Orbitz, Under Armour, Rail Europe, and more. These companies are not alone when it comes to appropriating lengthy periods for managing data loss, reporting about it and working through the public relations crisis. Statistics show that:

  • It takes an average of 191 days to identify a data breach
  • Fewer than 19% of data breaches are self-detected (Ponemon Institute)

Despite growing awareness of cyber security threats, organizations routinely fail to detect major attacks until it is far too late. A lot of organizations that say they won’t be targeted will have already been attacked – they just don’t know it yet.

From the GDPR compliance perspective, the sooner a potential threat is detected, the better.

 

The surprising results of a continuous auto-testing and remediation loop

Information security hygiene, security awareness training and testing the perimeter security of an organization’s network will help identify and remediate security weak spots in a safe and controlled environment.

If an exposed threat, worthy of reporting was found, communicating about it within 72 hours would be more valuable if an organization could announce successful remediation immediately after identifying the threat. Not only would an organization be able to avoid a public relations nightmare, it could regain the trust and confidence of customers and partners.

Automated simulation testing with actionable remediation running continuously in a loop could help organizations maximize red-team – blue team exercises. Organizations could gain an unprecedented level of visibility into new weak spots, back doors and blind spots as soon as they appear, and then move to remediate them immediately, without delay.

After all, they say that it takes a thief to catch a thief. Similarly, nothing is better at stopping a hacker and mitigating damage, than another hacker. Here are two more reasons simulation testing with actionable remediation goes hand-in-hand with GDPR compliance:

Identify attack vectors 24/7

Automated red team testing is designed to more accurately replicate the approach of persistent human attackers and expose security threats.  Simulated red team attacks running automatically 24/7 enable organizations to identify threat vectors at all times, so they can continuously assess the attack surface and pinpoint where digital assets are at risk. This level of visibility encapsulates what the GDPR wants businesses to achieve.

Respond immediately to potential security gaps

Organizations must contend with threats on multiple fronts, causing a highly porous perimeter to both expand and deepen in size. The biggest cybersecurity threat is not necessarily a hacker infiltrating the network. The greater threat is a failure to discover and respond swiftly to threat vectors from breach point to critical assets. . The ability to constantly identify threats and respond immediately meets the requirements of Article 32 and 33.

In sum, fully automated testing could help resolve multiple GDPR adherence issues by identifying and responding quickly enough to potential threats to an organization’s critical assets.

While ongoing simulated cyber-attacks might seem like a daunting prospect for some organisations, the consequences are nothing compared to the damage and disruption of a genuine malicious attack. When designed properly, they have a zero impact on network availability, so they do not disrupt daily operations.

For organisations needing to accelerate GDPR readiness post May 25, automated simulation testing provides peace of mind, while demonstrating a proactive approach to data security and by doing so, avoids the costs of non-compliance.