The illusion of being in control-part 2-an ounce of prevention is worth a pound of response activity

If you don’t know where you are going any road can take you there” ― Lewis Carroll,Alice in Wonderland

Processing, transporting, administrating or destroying  EU citizens data is asking for new demands on identity and governance compliancy.Only 6.5% of businesses saying that they are ‘very prepared’ for the changes ahead.

With the current General Data Protection Regulation(GDPR) getting into force on May 2018 a lot of processes currently in place will need to get an overhaul. This will be in time of writing 586 days.As readers told me my former articles were great but too lengthy I will restrict me to the cold facts ( you know who you are)

Fact 1

There will be new requirements on where data is processed the General Data Protection Regulation (GDPR) is set to replace the Data Protection Directive 95/46/ec REGULATION OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing the  Directive 95/46/EC (General Data Protection Regulation)We have three stakeholders here : • The controller – determines the purposes for which and whatmeans by which personal data is being processed• The Processor– an entity that proceses personal data on behalf of the controller• Processing– any operation that is performed on personal data

What most organizations in and outside the European Union are not aware off is that with the former directive (the Data Protection Directive 95/46/ec)  eu data law was only applicable if the entity outside the EU used means of processing ( automated or otherwise located in the EU )

Processing means here :

  1.  Equipment situated in the EU ( e.g. server )
  2. A processor established in the EU.

So if you don’t have a server transmitting data in Europe you are now not affected by the GDPR? WRONG!

If the entity is established outside the EU , and it either :1. Offer goods or services to EU residents2. Monitors behavior of EU residents ( art 3 (2) )The entity will be subject to the General Data Protection Regulation

This means in theory

So businesses in the US or UK that markets its products directly to EU residents but with no offices in the EU were in the past  not subject of the Directive but will be subject to the requirements of the Regulation.This means that a subject can demandfrom a controller at any time on request:

The purpose of the processing

  1. The categories of personal data processed
  2. The recipients to whom the data is disclosed
  3. The applicable retention period
  4. Information on the source of the data
  5. A copy of the data being processed by or on behalf of the controller. ( art 15, 16, 17 )

  The right to go to another provider

Also the right to data portability –A general right for data subjects to transfer their data subjects to transfer their data to another service provider. (Art 18, recital 55)

So the outsourcing of data processing activities by a controller is now mandated in detail the terms that must be included in such an agreement.

We already know that malicious outsiders are our top data breach incidents but what if our processor is not taking care of being secure?

A business case for controllers with a real life example of a data breach

There is the story of  storage provider of data (MBS) a global offsite data storage  processor since they process data on behalf of the controller.

The controller being :

General Service Administration, Environmental Protection Agency, Region 8, Department of Health and Human Services,National Institute of Health, Department of Interior, Fish and Wildlife Service,National Park Service,National Business Center,Bureau of Land Management ,Bureau of Indian Affairs,Department of Justice,Federal Bureau of Investigation, Bureau of Prisons,United States Department of Agriculture.Military- U.S. Air Force, Cannon AFB (sub),Peterson AFB (sub),Defense Commissary Agency,U.S. Navy Bureau of Medicine and Surgery,Naval Medical Center Portsmouth

Also offering services like:  SMS, your corporation can improve shareholder relationships and reduce costs, while providing exceptional service to the individuals who matter most to your organization – your shareholders

Now the shareholders are you and me dealing with these organizations.Actually legally they are our processors. So MBS is the processor for these agencies , while the agency is our controller and determines the purposes for which and what means by which personal data is being processed. MBS’s customers are also other companies, and it is those other companies who are  entrusting their customer data ( yours and mine )  with MBS. Now we see that one of their components is not properly shielded from the internet actually it is connected as researchers claim that they were able to confirm that MBS was running an unsecured MongoDB database, open for anyone to access..Modern Business Solutions Stumbles Over A Modern Business Problem – 58M Records Dumped From An Unsecured Database

And they got breached…. this has the same impact as when hammer  hits a mirror. From the impact center cracks are manifesting all around the mirror until it breaks . Like in real life with the data breach, investigators, log files and forensic , legal and press needs to be managed as well as the victims need to be informed. Costs are nearly $200 a record. If you included companies that suffered massive breaches – like Sony Networks’ loss of 100 million+ user accounts in 2011 – the average loss per record drops by about 75 percent, says Larry Ponemon, chairman of the Institute that bears his name. But these massive breaches happen so rarelythat including them would skew the results.

in at least 58 million people have had their personal information published on the internet – including their names, dates of birth, email and postal addresses, job titles, phone numbers, vehicle data, and IP addresses – after a hacker stole a massive unsecured database.

They are lucky that the EU GDPR is not in full force because…

Since processors will have direct compliance obligations under the regulation they also face penalties for non compliance as is connecting a naked server to the internet with adatabase non protected.A negligent breach by a processor of its obligations will attract a fine up to breached organizations can expect fines of up to 4% of annual global turnover (NB turnover, not profit) or €20 million – whichever is greater.

For the EU GDPR law this means that the processor now will be seen as a joint controller due these serious negligence.

EU citizens data dispersed over many processors and controllers

So do you know who is storing your data on your behalf?And where they store that data?And how that is processed?Who has access to it ?And what security identification and protection measures they have taken to safeguard this data you are responsible for as a processor?Or the data processor like the data center, cloud provider  that says they have everything under control since they are 27001 certified , trust us.We still see Pix Firewalls in place functional , which is the equivalent of an unpatched windows XP system on datanetworks serving business customers trusting the security is up to date.

IKEv1 allows an unauthenticated attacker to steal the memory contents of devices, which could lead to disclosure of confidential information

This means that there is a gap between the governance ( we need to see what’s happening and accordingly take measurements ) and the compliancy ( we need to have controls available with clear insight on actions taken)We will need more insight in the operational security goals like protective technologies, governance environment , access control etc..

P@ssport to the rescue-  bridging the GAP

P@ssport announced the introduction of its Compliancy Integrity Assessment ( CIA) that are set up to give companies insight in the risks they are taking with exploring new opportunities like big data, iot and mobility and at the same time improving their governance program.
P@ssport Compliancy Integrity Assessment  services are integrated in the overall Triple A strategy which stands for Against Attacks on Assets. With our Compliancy Integrity Assessment we provide not yet seen monitoring and reporting services that will make your operations compliant and you in control adding value to the risk and governance management program.

  By using the Compliancy Integrity Assessment we are moving from reactive cyberfirefighters towards a strong preventive failsafe security Triple A switchboard that can ensure against intrusions beyond cyber dikes” Peter Rus says.

“ We see that concerns about compliancy are taking over the world , for this you need to prove you are in control ,yet the mechanisms are still built on 20 year old cornerstones like firewalls, “ says Peter Rus Chief Innovation Officer. “
There are a lot of point to point solutions out there, taking care of only your side of the value chain where the investments made in cyber security are based on trust , not proof”.

“By using the Triple A method we are moving from reactive cyberfirefighters towards a strong preventive failsafe security Triple A switchboard that can ensure against intrusions beyond cyber dikes” Peter Rus says.
“This translates into minimizing fall out and ensure the company is in control while building out trust with customers and anticipate on chances that Big Data, IOT and Mobility offers,” he says.
Continuing : ” I still see Cisco Pix firewalls out here connecting customers in the cloud, an equivalent of putting an unpatched windows xp station on the internet”. For not knowing that these controls are part of your business process can be lethal and one cyber exposure can mean a lot of mitigation costs, bad press, and loss of customer confidence not even mentioning any fines.By using P@ssport  Compliancy Investigation Assessment you get direct insight in your processes, your risks and where you need more control points to get inline with General Data Protection Regulation and hereby radically reducing your overall cyber risk.

Our Triple A switchboard  is directed on governance and risk level at the senior directors and/or board members to provide compliancy and real time insight  . The Triple A focus method allows organizations to implement , sustain and maintain control mechanisms by using simple means .This Triple A method will enable your organization to see what is missing and take appropriate measures without leaving you in the dark.

Concurrent solutions on the market don’t go beyond investing in security technology on operational level. The outcome is that organizations as in the MBS example will not be in control of identifying where the EU citizens data is processed, stored, moved or archived. Also they cannot measure the effectiveness of the controls .
P@ssport sees this as huge risk for organizations in May 2018, 580 days from now. Also the market is not transparent: depending upon whom you believe, there are roughly 800 to 1200 companies selling cybersecurity products and services to end customers. Yes, the cybersecurity market is forecast to be around $70 billion this year, but that’s still a lot of vendors

Triple A – P@ssport we prevent your next cyberincident

Our way of approaching is first to have a discovery process in place to asses what is the company cyber risk and what is the current risk profile. Than we look at what assets or information is the most important to protect. Than we see what of those risks need to be eliminated transferred or mitigated. This will give direction to what strategy the company can rely upon. Take a risk based approach and understand the real threats to the assets like the example P@ssport gave with MBS, but this can also be with a third party provider , malware that does not get detected by antivirus for 5 years , and where USB port blocking is “kansloos”  (dutch for behind and probally as well known as “gratis”  in a 100 years)

A company like target where 100 million customers lost credit and debit card details had operational, financial and reputational impact. Target reported that their net earnings where down its profit fell nearly 50% in its fourth fiscal quarter of 2013 and declined by more than a third for all of 2013.

By adding our Compliancy Integrity Assessment in your risk management portfolio the C-level and Board will be able understand  IT security and translate it  into Business risks. Therefore creating a measurable standard of care for managing cyber risks. And not be held off by companies selling only cyber security technologies : the antivirus programs that discovered malware 5 years ago are now detecting barely half of new malware today.The loss of current and potential revenue becomes a real issue as we talk cyber security. By losing the trust of the customer can spell doom for many companies and a data breach prevention plan should be in place .

P@ssport helps the organization to counter any adverse reputational impact to be managed to understand the full context of the business and the threats is subjected to . P@ssport developed a Triple A risk based security strategy that stands out through innovation and is the first preventive strategy , it  can easily be formulated and implemented and helps you with your Cyber strategy and at the same time to prevent data breaches ( or unauthorized access to assets for that matter). And instead of being reactive become preventive with clear guidance on how to protect, store and control EU citizens data as it is now protecting 27 oil and gas platforms.By doing so the organization  will be able to adapt these Triple A controls where necessary in order to become compliant with the EU General Data Protection Regulation.

P@ssport Compliancy Investigation Architecture assessment includes:

  • Compliancy Integrity Assessment – Identify and understand how cyber threats can have impact on the complete Cyber Value Chain
  • Triple A Strategy– Build a framework with the right barriers to protect the organization, make them compliant to EU General Data Protection policies and technology to protect valuable corporate data.
  • Cyber Intrusion Prevention – Isolate and fend off cyber-attacks preventively not reactively over the whole Cyber Value Chain
  • Cyber Risk Barrier Management– Visualize ongoing metrics and review of effectiveness of security policies, procedures and investments.

This article is written for the Cyber Awareness month October and is part 2 of the illusion of being in control series:

part 1 –the illusion of being in control part 1

part 3- the illusion being in control part 3

Become preventive and not reactive ! Don’t delay contact us today!

For more information:

Peter Rus

Chief Innovation Officer / Cyber Security Architect/ Compliancy Integrity  Assessment



Tel: +31 070-7370471| |