Why digital fingerprinting could hold the key to GDPR compliance

Data is money, and cyber-criminals are trading your customers' details every day. It's no longer a matter of if, or even when, but of what's already out there that you likely don't even know about. Every piece of exposed personal data chips away at your and your customers' security, and the longer it stays out there the more the damage accrues. Into this chaotic landscape comes the EU GDPR. The sweeping new privacy regulation aims to finally make organisations accountable for the personal data they hold, and monumental fines await those that do not take their obligations seriously.

There's just one problem: no security technology is 100 percent effective. Mistakes will inevitably be made and breaches will continue to occur. So what do you do? The answer is to treat data exposure not as a threat but as a risk — and manage this risk by minimising how long sensitive data remains out there undetected. That's where dark web intelligence comes in.

A model for the world

If you've even heard of the GDPR, you're in a minority, according to recent surveys. But in just a couple of months that will be no excuse, as the regulation comes into force for any company processing the personal data of people in the EU, wherever that company is based. This is the future of data protection regulation around the globe: a long overdue attempt to limit the widespread negligence we see in the industry today. 

From a security perspective, there are a few elements that should concern us, aside from those fines of up to four percent of global annual turnover or €20 million, whichever is higher. First, the definition of "personal" data is so broad that organisations will be wide open if they fail to follow data minimisation principles and encrypt the most sensitive PII. Second, it covers not only data controllers but also the processors they contract with, so no one escapes accountability. 

Anyone looking for an easy checklist on what security controls to put in place will be disappointed. Instead, the GDPR talks in more general terms about implementing “state of the art” and “appropriate technical and organisational measures to ensure a level of security appropriate to the risk.”

Neutralising the threat

Most experts have interpreted this to mean organisations should follow best-practice security measures. But no organisation is perfectly secure. If even large firms like Deloitte and J.P. Morgan can't keep intruders out, there is even less chance that a mid-sized firm will have the time and resources to do so.

The focus should instead be on reducing the impact of breaches when they inevitably occur. For this, you need detailed insight into the dark web: the thriving underground digital economy where personal data, online credentials, and account information are traded by the millions every day. Find a way of scanning these sites for your most sensitive data and you stand a great chance of minimising the financial and reputational fall-out that can result from a data breach. 

For example, if a bank spots a large trove of its customers' payment card details on the dark web, it can block and reissue those cards before fraudsters can cash in. The key to limiting damage is to neutralise the threat before the cyber-criminals have had a chance to monetise that all-important data. 

Unfortunately, the global median time from compromise to discovery is still unacceptably high: 99 days. What's more, the majority of breaches are discovered by a third party rather than by the victim. This is not good news given the GDPR's requirement to notify the supervisory authority within 72 hours of becoming aware of a breach.

Dusting the dark web for data fingerprints

Fortunately, there is a technology that allows organisations to scour the dark web for sensitive GDPR-regulated data without exposing that information to any third-party provider in the process. How does it work? The organisation creates a one-way representation, in the form of fuzzy hashes, of each piece of data it wants to search for. This data fingerprint can then be used to search the dark web for matching data, without those doing the searching needing to know or store the original values. 

Firms can agree in advance what volume of discovered data constitutes a serious breach, and then be alerted within minutes rather than waiting months. This automated, actionable intelligence helps firms contain the effects of breaches and remain compliant with the GDPR.
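To make the fingerprint-and-threshold workflow of the two paragraphs above concrete, here is a toy implementation written for this page. It is not Terbium Labs' product or any code from the original article: the fuzzy hash is assumed to be a set of keyed (HMAC-SHA256) hashes of overlapping character shingles, the key is assumed to be provisioned out of band to the monitoring partner, the shingle size and match threshold are arbitrary, and the customer records and the "dark web" dump lines are constructed sample data. The organisation keeps the plaintext; only opaque labels and fingerprints reach the scanner.

```python
"""Added example (not Terbium Labs' or SC Media's code): a toy one-way, fuzzy
data fingerprint plus a matcher that scans a scraped dump for fingerprinted
records without ever holding the original values. Shingle size, keyed hash,
key handling and all sample data are assumptions for illustration only.
"""
import hashlib
import hmac

SHINGLE_LEN = 5  # characters per shingle; assumption, tuned for short identifiers


def normalise(text: str) -> str:
    """Canonical form so case, dashes and spaces do not defeat a match."""
    return "".join(ch for ch in text.lower() if ch.isalnum())


def shingles(text: str, n: int = SHINGLE_LEN) -> set:
    """Overlapping character n-grams of the normalised text."""
    s = normalise(text)
    if len(s) <= n:
        return {s} if s else set()
    return {s[i:i + n] for i in range(len(s) - n + 1)}


def fingerprint(text: str, key: bytes) -> frozenset:
    """One-way fuzzy fingerprint: keyed, truncated hashes of each shingle.

    Without the key a leaked fingerprint list cannot be tested against
    candidate strings; with it, the holder can still enumerate low-entropy
    values (see the note after the block).
    """
    return frozenset(
        hmac.new(key, sh.encode(), hashlib.sha256).digest()[:8]
        for sh in shingles(text)
    )


def containment(record_fp: frozenset, line_fp: frozenset) -> float:
    """Fraction of the record's shingles present in the scraped line (0.0 .. 1.0)."""
    if not record_fp:
        return 0.0
    return len(record_fp & line_fp) / len(record_fp)


def build_watchlist(records: dict, key: bytes) -> dict:
    """Organisation side: opaque label -> fingerprint. Only this leaves the building."""
    return {label: fingerprint(value, key) for label, value in records.items()}


def scan_dump(lines, watchlist: dict, key: bytes, match_threshold: float = 0.8):
    """Monitoring side: [(line_no, label, score)] for lines containing a watched record."""
    hits = []
    for line_no, line in enumerate(lines):
        line_fp = fingerprint(line, key)
        for label, record_fp in watchlist.items():
            score = containment(record_fp, line_fp)
            if score >= match_threshold:
                hits.append((line_no, label, score))
    return hits


def breach_alert(hits, breach_threshold: int) -> bool:
    """Alert when the number of distinct watched records seen meets the agreed threshold."""
    return len({label for _, label, _ in hits}) >= breach_threshold


# --- Constructed sample data (not real customer data) ---
KEY = b"demo-key-shared-with-monitoring-partner"  # assumption: provisioned out of band

CUSTOMER_RECORDS = {                      # stays inside the organisation
    "rec-0001": "alice@example.com",
    "rec-0002": "4012 8888 8888 1881",    # publicly documented test card number
    "rec-0003": "bob@example.org",
}

DUMP_LINES = [                            # constructed paste as the monitor sees it
    "alice@example.com:Password123",
    "4012-8888-8888-1881|12/26|123",      # same card, different formatting
    "carol@example.net:hunter2",
    "bobby@example.org:letmein",          # similar to rec-0003 but a different person
]


def demo():
    watchlist = build_watchlist(CUSTOMER_RECORDS, KEY)
    hits = scan_dump(DUMP_LINES, watchlist, KEY)
    return hits, breach_alert(hits, breach_threshold=2)


if __name__ == "__main__":
    found, alert = demo()
    for line_no, label, score in found:
        print(f"line {line_no}: matches {label} (score {score:.2f})")
    print("breach alert:", alert)
```

Two practitioner caveats that the toy makes visible. First, "one-way" only holds against whoever lacks the key: the monitoring partner, who must hold it to fingerprint what it scrapes, could enumerate all sixteen-digit card numbers and test them, so the contract and the partner's own security still matter. Second, shingle-based fuzzy matching is right for free-text fields where formatting varies (names, addresses), but for fixed-format identifiers a single differing digit means a different customer, so those are better fingerprinted as one keyed hash of the whole normalised value and matched exactly.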

Digital fingerprinting and dark web intelligence don't hold all the answers. But in a world in which breaches are inevitable, fully private dark web monitoring hands the initiative back to organisations to regain trust and accountability.

Contributed by Danny Rogers, CEO & co-founder of Terbium Labs

*Note: The views expressed in this blog are those of the author and do not necessarily reflect the views of SC Media UK or Haymarket Media.