As 2018 approaches, and with it the enforcement of the General Data Protection Regulation (GDPR), it is easy for organisations to feel overwhelmed by the challenge of building effective, sustainable IT security processes that manage both compliance requirements and an evolving threat landscape. It is even more overwhelming for small and medium enterprises (SMEs), which must build the same processes with smaller budgets and less access to high-quality security staff. There is a lot for them to think about, and even once processes are in place, the quantity of information that organisations are confronted with can be staggering.
Dashboards, alerts, agents - many sources of fatigue
The traditional IT security stack employed by smaller organisations consists of, for example, an email security solution, anti-virus, VPN, firewall and a cloud security solution. These solutions are typically affordable for smaller organisations and can be managed with limited resources. However, they do not give SMEs a full toolkit to combat, or even detect, the variety of cyber-attacks that they are unfortunately likely to encounter.
Even with only these solutions in place, IT managers still have to filter through an array of systems, dashboards and alerts to work out what is real and critical, and what is noise or false positives that can be disregarded. SMEs do not have the bandwidth, in resources or in expertise, to navigate the multiple sources of data that are meant to assist them.
Enterprise organisations tend to cast their net wider in an attempt to detect and mitigate cyber-security threats. Many employ dedicated solutions including an Intrusion Detection System (IDS), Deception Technologies, Asset Mapping, Vulnerability Assessment, SIEM and Endpoint Detection and Response (EDR) solutions. Managing these solutions requires substantial expertise, and standalone solutions are often not integrated, so that separate interfaces need to be monitored and understood.
Leading IT research and technology organisation Gartner recognises the existence of ‘alert fatigue’. Similarly, even best-of-breed EDR solutions cause ‘agent fatigue’: the cost and time needed to install and maintain an agent on every endpoint before these solutions can operate effectively.
Even when SMEs secure a budget, they still face the challenge of managing the IT security solutions deployed in their networks without sufficient security staff. They are often unable to afford the dedicated analyst, CISO or SOC needed to oversee the types of security solutions aimed at enterprises.
Added to this is the staffing dichotomy: employees are often seen as the weakest link in cyber-security, yet at the same time some element of human judgement is needed to make sense of the multiple sources of information that organisations have to consider.
The GDPR - balancing compliance with flexibility
These issues are particularly pertinent in relation to the GDPR, which was adopted by the European Parliament in April 2016, entered into force in May 2016, and will apply throughout the European Union from 25 May 2018.
While the GDPR, with its reporting and notification requirements around personal data and data breaches, adds to the compliance burden on organisations of all sizes, it has been drafted with an awareness of the excess of information requests and alerts facing us all. It is not highly prescriptive, allowing organisations to show accountability and demonstrate compliance with reference to industry standards and existing frameworks such as ISO 27001.
The treatment of data breach notifications to data subjects further illustrates this awareness. Under Article 34(1), the controller must communicate a personal data breach to the affected data subjects without undue delay only when the breach is likely to result in a high risk to their rights and freedoms. This protects data subjects from unnecessary ‘notification fatigue’. Note that this threshold applies to notifying individuals: the separate duty under Article 33 to notify the supervisory authority, where feasible within 72 hours of becoming aware of the breach, applies unless the breach is unlikely to result in any risk to individuals.
The combination of security and compliance requirements gives organisations a lot to think about and shapes the way they operate. Organisations of all sizes, and SMEs in particular, face a significant challenge in correlating the output of various systems and interfaces, detecting data breaches in a timely manner, and producing regulation-compliant reports. It is therefore important to choose the right tools to help SMEs meet these challenges: tools that can sift through the clutter and aggregate data in a meaningful and actionable way.
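As an added illustration, written for this article and not code from the original piece or from Cybonet, of what aggregating alert data "in a meaningful and actionable way" can mean in practice: the script below takes constructed alerts from the three tools an SME typically runs, an anti-virus agent, an email gateway and a firewall, each in its own format, normalises them to one record shape, drops exact duplicates, ties IP addresses and mailboxes back to hosts through an assumed asset map, and groups alerts per host within a ten-minute window, escalating any incident corroborated by two or more independent tools. The log formats, field names, asset map, severity scale and correlation window are all assumptions made for the example.

```python
"""Added example: normalise, de-duplicate and correlate alerts from several
SME-grade security tools into one prioritised incident list.  Illustrative
code written for this article; all formats and field names are assumed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts.  The AV agent and mail gateway emit JSON
# objects (assumed schemas); the firewall emits syslog-style text lines.
RAW_ALERTS = [
    {"src": "av", "ts": "2018-03-01T09:00:05Z", "host": "ws-17",
     "sig": "Trojan.Generic", "action": "quarantined"},
    {"src": "av", "ts": "2018-03-01T09:00:05Z", "host": "ws-17",
     "sig": "Trojan.Generic", "action": "quarantined"},        # exact duplicate
    {"src": "email", "ts": "2018-03-01T08:58:40Z",
     "recipient": "j.smith@example.test", "verdict": "malicious-attachment",
     "delivered": True},
    "Mar  1 09:01:12 fw1 DENY src=10.0.5.17 dst=203.0.113.9 dport=4444 proto=tcp",
    "Mar  1 09:01:13 fw1 ALLOW src=10.0.5.17 dst=203.0.113.9 dport=443 proto=tcp",
    "Mar  1 09:20:00 fw1 DENY src=10.0.5.42 dst=198.51.100.7 dport=23 proto=tcp",
]

# Assumed asset map: the firewall knows IPs and the mail gateway knows
# recipients, so both must be tied back to a host before alerts from
# different tools can be compared.
IP_TO_HOST = {"10.0.5.17": "ws-17", "10.0.5.42": "ws-42"}
MAILBOX_TO_HOST = {"j.smith@example.test": "ws-17"}

# Assumed base severity per normalised alert title (0 = informational).
BASE_SEVERITY = {"malware-detected": 3, "malicious-email-delivered": 3,
                 "egress-blocked": 1, "egress-allowed": 0}

SYSLOG_RE = re.compile(
    r"^(?P<mon>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) (?P<dev>\S+) "
    r"(?P<verdict>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)")


def record(source, ts, host, title, detail):
    """One common record shape for every tool."""
    return {"source": source, "ts": ts, "host": host, "title": title,
            "detail": detail, "severity": BASE_SEVERITY[title]}


def normalise(raw, year=2018):
    """Map each tool-specific alert to the common record shape."""
    out = []
    for a in raw:
        if isinstance(a, str):                       # firewall syslog line
            m = SYSLOG_RE.match(a)
            if not m:
                continue                             # unknown format: skip, don't guess
            ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['time']}",
                                   "%Y %b %d %H:%M:%S")   # syslog has no year
            title = "egress-blocked" if m["verdict"] == "DENY" else "egress-allowed"
            out.append(record("firewall", ts, IP_TO_HOST.get(m["src"], m["src"]),
                              title, f"{m['dst']}:{m['dport']}"))
        elif a.get("src") == "av":
            ts = datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%SZ")
            out.append(record("av", ts, a["host"], "malware-detected", a["sig"]))
        elif a.get("src") == "email":
            if not a.get("delivered"):
                continue                             # blocked at the gateway: nothing reached a user
            ts = datetime.strptime(a["ts"], "%Y-%m-%dT%H:%M:%SZ")
            host = MAILBOX_TO_HOST.get(a["recipient"], a["recipient"])
            out.append(record("email", ts, host, "malicious-email-delivered", a["verdict"]))
    return out


def dedupe(records):
    """Drop records identical in source, time, host, title and detail."""
    seen, out = set(), []
    for r in records:
        key = (r["source"], r["ts"], r["host"], r["title"], r["detail"])
        if key not in seen:
            seen.add(key)
            out.append(r)
    return out


def correlate(records, window=timedelta(minutes=10)):
    """Group alerts per host that fall within `window` of the previous one.
    An incident seen by two or more independent tools is escalated to 4."""
    by_host = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        by_host[r["host"]].append(r)
    incidents = []
    for host, recs in by_host.items():
        current = None
        for r in recs:
            if current and r["ts"] - current["last"] <= window:
                current["alerts"].append(r)
                current["last"] = r["ts"]
            else:
                current = {"host": host, "first": r["ts"], "last": r["ts"], "alerts": [r]}
                incidents.append(current)
    for inc in incidents:
        sources = {a["source"] for a in inc["alerts"]}
        sev = max(a["severity"] for a in inc["alerts"])
        if len(sources) >= 2 and sev >= 1:           # corroborated, not just informational
            sev = 4
        inc["sources"], inc["severity"] = sorted(sources), sev
    return sorted(incidents, key=lambda i: (-i["severity"], i["first"]))


def triage(raw):
    """Full pipeline; purely informational groupings are dropped as noise."""
    return [i for i in correlate(dedupe(normalise(raw))) if i["severity"] > 0]


if __name__ == "__main__":
    for inc in triage(RAW_ALERTS):
        print(f"{inc['host']} sev={inc['severity']} sources={inc['sources']} "
              f"alerts={len(inc['alerts'])} first={inc['first']:%H:%M:%S}")
```

On the constructed input this yields two incidents: ws-17 at critical severity, because the mail gateway, the AV agent and the firewall each saw something about the same host within a few minutes (a delivered malicious attachment, a quarantined file, and a blocked outbound connection to port 4444), with the duplicate AV alert removed; and ws-42 at low severity, a single firewall deny with nothing to corroborate it. That is the distinction a manager staring at three separate dashboards has to make by hand.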
Contributed by David Feldman, CEO of Cybonet
*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.