Is GDPR an open invitation for cyber criminals to manipulate your data?

The European Union’s General Data Protection Regulation (GDPR) is being implemented and is on its way to revolutionizing how personal information is collected and managed.

Many Middle East companies, which do business in Europe and handle Europeans’ data, also need to comply with the provisions of the GDPR.

According to security experts, the change in data protection regulations could lead to more attempted data breaches and, at the same time, boost the data security industry in the region.

Massive scope for growth

There is huge scope for growth: from large enterprises to SMEs, many organizations are shifting their traditional business model away from physical assets in favor of a data-driven business model.

“While the combination of new technologies and the new regulation may seem an insurmountable task to manage over the next 12 months, CIOs and IT directors should look at GDPR as an opportunity,” said Tarek Jundi, Managing Director, Middle East & Turkey, McAfee.

“Rather than approaching it separately and in isolation, the new regulation has put a price on cybersecurity and secure data management — bringing it to the attention of the C-Suite. CIOs and CISOs should harness this opportunity to get the budget and procedures in place that will enable them to transform their organizations’ approaches to cybersecurity, and reposition IT as a function that enables business transformation and growth,” added Jundi.

Potential risks

Security experts claim that, with future attacks on personal data almost certain, it’s time to add a new layer of security analytics and monitoring to enable fast response reporting.

“Personal information is absolute gold dust for attackers because it can quickly be sold on the Dark Web,” said Morten Illum, VP EMEA at Aruba.

“It’s almost certain that your business will see its personal data targeted in future, and attackers will appear to be a trusted user while they are carrying out their work. Without using automation tools to spot the unusual activity that’s going on, it could take months to detect what’s going on. And that’s bad news both for your customer relationships, and your GDPR strategy.”

Adding another level of security

According to a new whitepaper published by Aruba, a Hewlett Packard Enterprise company, companies risk falling foul of incoming GDPR regulations by relying on existing security frameworks.

The whitepaper says that the majority of existing defenses, which use pattern-matching techniques to find threats, are unable to detect new attacks that use legitimate user credentials to access sensitive information. As a result, companies risk not being able to detect and report a breach within the 72 hours stipulated by GDPR. The resultant fines can amount to €20 million, or four percent of annual turnover.

However, far from calling for existing systems to be replaced, Aruba’s whitepaper suggests that these products remain essential as part of an effective GDPR strategy. Rather, it highlights the need to complement these defenses with an additional layer of monitoring that utilizes new types of attack detection, such as machine learning, to analyze the entire network collectively and find the very small changes in activity that are indicative of an attack.