fotogestoeber - Fotolia

European Union GDPR data rules prompt cyber security review

Isolated legacy security systems are a big cyber security risk – but the EU General Data Protection Regulation (GDPR) could change that, says Palo Alto Networks

The European Union’s General Data Protection Regulation (GDPR) provides an opportunity to rethink information security, according to Palo Alto Networks.

“Hopefully the new regulation expected to be in force by spring 2018 will prove to a catalyst for change,” said Greg Day, the security firm’s chief security officer for Europe.

“It is time for most organisations to bite the bullet, to let go of what has worked in the past, and to transition to a more modern approach to information security.” 

According to Day, most organisations are still trying to address a “digital problem” with “analogue solutions”.

What worked in the past, he said, simply no longer scales, because many attacks are automated and work at computer speed.

“Organisations need to move to security systems that respond in near real time and eliminate multiple alerts relating to the same thing and False positive alerts,” he said.

A survey commissioned by Palo Alto Networks revealed that around 64% of security alerts are duplicates and around 52% are false positives.

The security firm said organisations have to stop looking at security alerts in isolation and it has developed technologies that work together to give organisations a composite view of security.

Read more about the GDPR

The benefits of automated security

“One of the things that attracted me to Palo Alto Networks was the approach of applying multiple security technologies in parallel to get a single, integrated security picture,” said Day.

The company is aims to make security technologies more intelligent and interoperable, to enable greater levels of automation.

“Our goal is to take the human out of the equation as much as possible to create a digital solution to a digital problem,” said Day.

“The approach of accepting that organisations will be breached and focusing on discovery and recovery feels a lot like giving up,” he said.

Palo Alto Networks believes that a lot more can be done to prevent breaches in the first place through innovation around the automation and integration of security systems.

Most organisations still have multiple security point systems that were introduced to solve problems as they arose – but they typically do not work well together, if at all.

“The biggest challenge is isolated legacy security systems, but the GDPR could change all that by requiring organisations to have state-of-the-art security and disclose data breaches,” said Day.

“At the very least, the new rules will make organisation take a step back and consider what they need to do to bring their security architecture up to date,” he said.

GDPR fines motivate security upgrades

The biggest incentive is the substantial fines provided by the GDPR, with the current version allowing for fines of up to €10m or 2% of turnover for failure to implement appropriate security controls.

The GDPR provides for even greater fines for serious data breaches of up to €20m or 4% of worldwide annual turnover, whichever is greater.  

According to Day, organisations need to discard what has gone before and go back to first principles – as advocated by entrepreneur Elon Musk – to find the most appropriate approach to security.

“Organisations need to start building systems to meet their particular requirements, by asking themselves what problem they are trying to solve and what they are trying to achieve,” he said.

This is also a useful approach, he said, in identifying and eliminating the least effective of existing information security systems.

As organisations build out their capabilities to report data breaches, Day said they should also work to get past seeing data breaches as failures.

“There is still the mentality of blaming CISOs for breaches – but organisation should be gearing their processes and technologies to ensure they are opportunities for finding ways of preventing similar breaches in future,” he said.

Read more on Hackers and cybercrime prevention