Compliance no small feat
Akamai’s whitepaper highlights that, should businesses have to defend the robustness of their risk-based security strategies, their arguments might not be as sound as they need to be. Failing to use the latest technologies, or relying on their own limited knowledge of a rapidly evolving threat landscape, could leave the authorities questioning just how “risk-based” their approach really was.
Giese continues: “Many companies are still using technologies that leave them more vulnerable to an attack than they need to be – whether that’s opening up VPN vulnerabilities by allowing unnecessary access to the corporate network or choosing security solutions that are simply less effective. Others are limited in their ability to react to issues, taking longer than is necessary to spot threats or implement solutions to protect their web properties against them. Businesses should take a long, hard look at their security solutions and ask themselves, ‘is there a better way to protect the personal data we are processing?’ If there’s a simple, practical solution that they haven’t implemented, they should consider whether they can really claim that they mitigated the risk as required.”
Localisation adds further complexity to the compliance requirements: global businesses must comply with local privacy rules in each of the countries in which they operate, and must respond as those countries update their laws. While the regulations share similarities, their individual nuances make it harder for businesses to prove compliance with each one separately.
Steps to proving GDPR Compliance
Akamai suggests four steps that businesses can start to implement now in order to demonstrate to the Data Protection Authority (DPA) that an adequate risk-based approach has been taken with regard to the protection of their web properties:
- Learn from others’ failure
If a business waits until it is attacked before responding to a new threat, it is much less likely to defend against it successfully. Security providers that protect companies around the world can spot a threat early in one location and apply what they learn to all their other customers before the same attack strikes elsewhere.
- Maintain and document web application firewall rules
In the event of a security breach, the DPA will require evidence of what steps were taken to minimise the impact. For web properties, that means being able to show that an effective web application firewall was in place and was continually updated in response to the changing threat landscape. In practice, a dated record of rule changes and the threats each change addressed is what supports that claim; a firewall that is running but undocumented proves little after the fact.
- Control access of third parties to personal data
Giving third parties access to networks is a business necessity; however, that access puts both personal data and general security at risk. A system that both tracks third-party access to these networks and mitigates the risk of unauthorised access is therefore a must if businesses want to compile evidence of their risk-mitigation measures for the DPA.
- Create a buffer between your network and potential threats
If a business’s first line of defence sits at the perimeter of its own network, the threat is already too close for comfort. Putting a buffer, such as a Content Delivery Network, between a company’s infrastructure and potential bad actors helps ensure that threats are detected before they become an issue, and enables the organisation to route traffic around Denial of Service attacks.