Using Deception Technology To Better Prepare for GDPR
By: Carolyn Crandall
The General Data Protection Regulation (GDPR) is expected to radically change the global data usage and protection landscape when it becomes effective on May 25th. This European legal framework will hold any organization collecting, controlling or processing EU personal data accountable to safeguard it. Businesses that do not comply will risk facing potentially crippling penalties of up to $28 million or 4 percent of its annual revenue.
GDPR was established to safeguard consumer information and set a bar for organizations to demonstrate compliance with protective measures. GDPR’s arrival will require a heightened set of data security and data privacy measures for businesses of all sizes. Noting that, many organizations today remain unprepared to address these requirements. Traditional information security systems have repeatedly proven that they can be compromised, and existing security controls are unreliable in detecting threats that have by passed preventative defenses. These gaps in detection and inability to quickly and accurately disclose a breach, leave these organizations exposed to substantial violations.
Unless organizations make a material change to their information security defenses, breaches will continue to escalate in number and severity, and with GDPR, the consequences of a breach are greater than ever before. History has proven that a prevention-only approach using data loss prevention, spam filters and firewalls is simply not adequate or reliable, and to comply with these stringent standards, attention and investment must shift to an active defense that includes detection and response.
Against this backdrop, forward-looking organizations are re-evaluating their technology and processes to assess their ability to detect, audit and report breaches to ensure GDPR compliance. Many are rapidly adopting new solutions that are designed to detect attacks early, accurately, and provide a detailed analysis that can explain the magnitude of the breach, as well as the corrective actions to contain it.
Enter Deception Technology
Among these new technologies in the information security toolkit are deception-based cybersecurity solutions, which secures Personal Identifiable Information (PII) while meeting GDPR regulations.
Used by enterprises to build a proactive security posture, deception technology can play an instrumental role in turning the game against the modern-day perpetrator. It accomplishes this objective by providing a proactive in-network threat defense of traps and lures, designed to deceive attackers into revealing themselves early in an attack cycle and significantly reduce dwell time. Deception plays a unique role in that it can proactively entice an attacker into revealing themselves once they are inside the network, rather than waiting for set behaviors to attempt to discern wrongful behavior. Second, since deception is engagement-based, each alert is substantiated with attack analysis and forensic reporting that includes the full tactics, techniques, and procedures (TTP) of an attack and the indicators of compromise (IOC).
Deception technology can better prepare organizations for GDPR Article 33 – the notification of a personal data breach to the supervisory authority – by providing powerful security controls for an active defense through early and accurate threat detection. By obfuscating the attack surface with traps and lures designed to look like files and other assets within the network, deception technology makes it difficult for an attacker to decipher what assets are real and which ones are fake. It also offers integrations with 3rd party prevention tools like firewalls, SIEMs, NAC, and EDR solutions that can be set up for information sharing and the ability to automatically block, quarantine and threat hunt. This strengthens perimeter and in-network defenses and accelerates incident response.
With the growing volume and variety of attacks – and an ever-evolving attack surface – it is critical for organizations to mitigate threats by embracing tools that provide early and accurate detection as well as a better understanding of where the weakest links in their security infrastructure are.
As May 25 approaches, businesses must ask themselves some tough questions. Can I demonstrate that my organization has the necessary controls in place? Am I able to monitor user behaviors and investigate abnormalities quickly enough? Under GDPR, not only will businesses be held to these regulations, but individuals will have the ability to sue organizations that cause material or non-material damage due to a breach of personal information. In preparation for the initial launch and for ongoing compliance, organizations must objectively assess their readiness and be prepared to invest in solutions that further protect PII data across all channels, devices, location, networks and cloud storage.
By detecting breaches early, understanding attacks with threat, adversary, and counterintelligence, and adding detailed reporting and automation to demonstrate that the attack has been properly addressed, deception technology will play an increasingly active role in an organization’s GDPR compliance plan. Investing in deception technology is an easy and effective way to add detection capabilities that will deliver real and measurable results for breach response and disclosure. Ultimately, deception technology closes today’s detection and reporting gaps, further protecting organization’s business, brand reputation, and wallet from costly fines.