The European Union (EU) General Data Protection Regulation (GDPR) is set to come into force on 25 May 2018. However, many IT, security and compliance leaders in the EU and globally still have a long way to go before they can truly describe themselves as "GDPR-ready." Artificial intelligence (AI) can make valuable contributions toward GDPR preparations and operational compliance.

GDPR imposes tighter sanctions on businesses when it comes to security breaches and the risk or potential loss of personal data. It also enforces breach reporting requirements and punitive sanctions. This means businesses must report any data breach within a 72-hour window or risk facing hefty fines of up to 4 percent of global turnover for failing to comply. The new regulation will affect any organisation that processes EU citizen data, regardless of whether it is based in or outside the EU.
The aim of GDPR is to give people more control over, and the assurance of greater security for, their personal data. In addition, its intention is to simplify the regulatory environment for businesses internationally. It requires businesses to put the correct sanctions in place to better protect personal data about employees and customers. With the rapid accumulation of personal data from cloud computing, the internet of things (IoT) and social networking, properly safeguarding personal data has become a non-negotiable in modern business.
As such, businesses must have the right capabilities in place to achieve full compliance. However, as many businesses have discovered, it’s no small feat. Getting your data secured and putting processes in place before GDPR comes into play is crucial to avoiding fines. For businesses that don’t have visibility into what is going into and coming out of their network, the challenge lies in creating that visibility in real time, in the most autonomous way possible.
A bumpy road ahead
With new legislation comes an entirely new set of challenges. The IT and technology sectors have long struggled to overcome persistent skills shortages and, as the compliance deadline approaches, there are rising concerns over the costs involved.
Organisations need to shift their IT infrastructure to enable effective network monitoring and encrypt personal data to ensure ongoing confidentiality, assessment and evaluation. As daunting as it may seem, the sooner these new processes and structures are in place, the easier the transition from pre-GDPR to post-GDPR. While some organisations may feel unable to cope with these new regulations, the hope is that GDPR may actually reduce legal complexity and ultimately enable businesses to expand operations across the EU more easily.
It’s not if, it’s when
Complying with GDPR requires organisations to put the appropriate technologies, IT infrastructure and processes in place, to create robust systems that provide data protection, system assurance, breach notification, and the supporting details. It’s not a case of if your organisation experiences a breach, but when. It is up to management and your security teams to ensure it is ready.
While it may well fall under the responsibility of the IT, security, and risk and compliance teams, the onus of GDPR needs to be recognised across the board. In case of a breach, playing the internal ‘blame game’ will not only dismiss the seriousness of the situation, but also damage the corporate reputation and employees’ respect. Reputations can be fragile and trust is easily lost, so companies need to rectify the incident quickly and efficiently. Organisations that can show how they comply with the principles – for example, by documenting the decisions they take about a processing activity – will have a better chance to remediate any loss or damages.
Detecting the weak signals of cyber attacker behaviours inside the network requires real-time detection, and a robust system of behavioural analysis to highlight anything outside of what can be considered normal behaviour. While GDPR requires that appropriate technical measures are taken to protect and manage the processing of personal data, using AI can help organisations architect their GDPR solution and operate it at speed and scale.
Leveraging AI to find hidden threats
AI enables automation, which helps to enforce data handling standards by alerting cybersecurity staff when data is transferred between parties in a manner that violates or is not consistent with established practices. After analysing, learning and understanding standard network behaviour, AI monitors the communications between hosts, including the volume, frequency and cadence of data movement, in the relentless hunt for hidden threats. When threats are detected, the AI can then provide insight into the host transmitting the data, including where it is transmitting the data, the volume of data involved and any specific technique used to send it.
Adopting a behavioural approach to detection supports the GDPR-recommended use of data encryption and pseudonymisation (data protection by design) by focusing on network packet headers, cadence, frequency and volume, not the data payload, to negate the need for any form of data decryption, data routing or intrusive data monitoring/processing techniques. Encrypted traffic is no longer somewhere for bad actors to hide their work.
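The two paragraphs above describe the approach only in outline: learn what normal host-to-host data movement looks like, then alert on deviations in volume, cadence or peer set using only packet-header metadata, never the payload. The following Python example is an added illustration written for this page; it is not Vectra's code or any product's logic. It works over constructed hourly flow records (source host, destination, bytes sent), which are assumed to have been summarised from packet headers by a flow collector, and it treats the field names, the hourly aggregation and the z-score threshold as assumptions.

```python
"""Baseline-and-deviation detection over flow metadata only (no payload inspection).

Added example: learns a per-host egress profile from constructed flow records,
then flags later flows whose volume or destination departs from that profile.
"""
from collections import defaultdict
from statistics import mean, pstdev
from typing import NamedTuple


class Flow(NamedTuple):
    hour: int        # hour index since the start of the capture (constructed)
    src: str         # internal host originating the traffic
    dst: str         # peer address, internal or external
    bytes_out: int   # bytes sent by src to dst in this hour, summed from headers


# Constructed sample data, not from any real capture: host 10.0.0.5 sends a
# steady ~2 MB/hour to an internal file server for a week (168 hours), then
# pushes 60 MB to an address it has never contacted before.
BASELINE = [
    Flow(h, "10.0.0.5", "10.0.0.20", 2_000_000 + (h % 3) * 50_000) for h in range(168)
]
CANDIDATE = [
    Flow(168, "10.0.0.5", "10.0.0.20", 2_050_000),     # within normal range
    Flow(169, "10.0.0.5", "203.0.113.9", 60_000_000),  # unusual volume and new peer
]


def learn_baseline(flows):
    """Per source host: mean and stdev of hourly egress volume plus the peers seen."""
    volumes = defaultdict(list)
    peers = defaultdict(set)
    for f in flows:
        volumes[f.src].append(f.bytes_out)
        peers[f.src].add(f.dst)
    return {
        src: {"mean": mean(v), "stdev": pstdev(v), "peers": peers[src]}
        for src, v in volumes.items()
    }


def score_flow(flow, baseline, z_threshold=4.0):
    """Return the reasons a flow deviates from its host's profile ([] if none).

    Only header-derived fields (addresses, byte counts) are consulted, so the
    check works identically on encrypted and cleartext traffic.
    """
    profile = baseline.get(flow.src)
    if profile is None:
        return ["no baseline for host"]
    reasons = []
    # A perfectly flat host has stdev 0; fall back to 1 byte so any change is visible.
    stdev = profile["stdev"] or 1.0
    z = (flow.bytes_out - profile["mean"]) / stdev
    if z > z_threshold:
        reasons.append(f"egress volume {flow.bytes_out} is {z:.1f} sd above baseline")
    if flow.dst not in profile["peers"]:
        reasons.append(f"first contact with peer {flow.dst}")
    return reasons


def detect(candidates, baseline):
    """Map each anomalous flow's hour to its list of reasons; quiet flows are omitted."""
    alerts = {}
    for f in candidates:
        reasons = score_flow(f, baseline)
        if reasons:
            alerts[f.hour] = reasons
    return alerts


if __name__ == "__main__":
    profile = learn_baseline(BASELINE)
    for hour, reasons in detect(CANDIDATE, profile).items():
        print(f"hour {hour}: " + "; ".join(reasons))
```

The alert carries exactly the context the text says an analyst needs for a notification decision: which host, which destination, how much data and why it stood out. In practice the profile would be rebuilt on a rolling window and the threshold tuned per host class, since a backup server and a laptop have very different normal cadences.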
Speedy data breach detection and remediation
AI threat detection algorithms persistently watch, learn and analyse network traffic to quickly spot hidden cyber-attacks that have defeated or evaded defensive capabilities. Deploying AI-based monitoring and detection within the network also provides a means to validate and strengthen the effectiveness of perimeter defences. By highlighting in real time the threats that have evaded detection or beaten existing systems, organisations can quickly detect and address any anomalies or potential breaches.
Notifying the Supervisory Authority (SA) of a data breach
Disclosure of a data breach within the 72-hour window is critical to avoiding fines that affect the entire organisation. Using AI to automate the gathering of early detection, context and evidence of a threat is key. If a data breach has occurred, then it is likely there will be a requirement to disclose it to the local Supervisory Authority (for example, in the UK the SA will be the Information Commissioner's Office). Such disclosure needs to be comprehensive, describing the nature of the breach, the data sets compromised, contact information of persons responsible for data and the measures that the organisation intends to take to address the issue.
Whilst the need for quick identification and response to cyber-attacks is clearly evident, the unfortunate reality is that it is often a slow affair. In fact, the M-Trends report 2017 revealed that it takes an average of 99 days before a breach is detected. The report also found that over half of those are only discovered after receiving a notification from an external party. When GDPR formally comes into effect in May 2018, these sorts of time frames will be simply unacceptable.
Reducing time-intensive tasks to enable quick detection and action
Companies need to reduce threat identification and response processes from years (in the case of Yahoo!), months and weeks, to just hours and minutes. AI and automated threat detection are powerful tools that need to be leveraged by businesses if they are going to stand a chance of meeting the new requirements set out by GDPR.
By automating labour- and time-intensive tasks that are typically the responsibility of top-level cybersecurity analysts and incident response teams, time spent on threat investigations can be reduced significantly. This enables security teams to focus on data loss prevention and mitigation. Building real-time visibility into all network traffic, hidden spots and unknown attackers puts security event context firmly at your fingertips.
By giving cybersecurity teams the ability to identify and act quickly against the early stages of an attack, well before a data breach has occurred, the risk of GDPR-reportable data breaches, and thus fines, can be reduced. As well as this, detection and alerting capabilities contribute to assessment and form part of an appropriate technical cybersecurity architecture that supports GDPR compliance.
Want to know more? Read our compliance brief, How Vectra enables compliance with the General Data Protection Regulation (GDPR).