EU GDPR – tips to help security teams


The General Data Protection Regulation (GDPR) regulates the privacy and handling of European Union (EU) citizens’ personal data. GDPR replaces the previous EU Data Protection Directive, and unifies data protection laws across the EU with a single set of rules. Securing, monitoring, and protecting the systems and applications that process and store personal data are key to GDPR compliance, and security teams and incident responders all have a
part to play.

Encrypt data

Encrypt data, both at rest and in transit. If you are breached, but the Personal Data is in a render unintelligible to the attacker, then you do not have to notify the Data Subjects (see Article 34 for more on this).

There are a lot of solutions on the market today—have a
chat with your channel partner to see what options are best for you.

Vulnerability management

Have a solid vulnerability management process in place, across the entire ecosystem. If you’re looking for best practice recommendations, contact us. Ensuring ongoing confidentiality, integrity, and availability of systems is part of Article 32. If you read Microsoft’s definition of a software vulnerability it talks to these three aspects.

Backups! Backups! Backups!

Please take backups. Not just in case of a dreaded ransomware attack, but because they are a good housekeeping facet in case of things like storage failure, asset loss, natural disaster, even a full cup of coffee over the laptop.
If you don’t currently have a backup vendor in place, Code42 has some great offerings for endpoints, and there are a plethora of server and database options available on the market today (even some very good open source alternatives like UrBackup). Disaster recovery should always be high on your list regardless of which regulations you are required to meet.

Secure your web applications.

Privacy-by-design needs to be built into processes and systems; if you’re collecting Personal Data via a web app and still using http/cleartext,
then you’re already going to have a problem. The latest General Data Protection Regulations require you to make code changes to your web forms and applications, so this is a good moment to ensure your SDLC is baking in security early in the cycle so you can find and fix issues faster.

Data Breach Reporting ! ?

GDPR standardises Personal Data Breach Reporting requirements, so now is a good time to review and update your Incident Response processes. If you need help setting up your incident response program, or you’d like to have a second pair of eyes review what you have today, we’d be happy to help. And if you are unlucky enough to find yourself in a potential breach situation, it’s vital to engage with an incident response team. Accelerating containment and limiting damage requires fast action. i-Force can have an incident response engagement manager on the phone with you within 4 hours (best effort for prospects without an engagement). If you are a previous customer, we’ll try even harder.

Detect attackers quickly and early !

Finding out that you’ve been breached 5 months after the fact is an all too common scenario (current stats from Mandiant say that the average is 146 days after the event). If you don’t know you’re under attack, then you have no ability to mitigate damage. If you’re in the same situation as the 60% of
organisations that told us they have no way of detecting compromised credentials (which has topped the list of leading attack vectors in the Verizon DBIR for the last few years), you’re more likely to find out way too late that an attacker was hiding in plain sight. User Behaviour Analytics provide you with the capabilities to detect anomalous user account activity within your environment, so you can investigateand remediate fast.

Lay traps.

Deploying deception technologies like honeypots and honey credentials are a proven way to spot attackers as they start to poke around in your environment and look for methods to access valuable Personal Data.

If you prevent a breach, you don’t need to report back to the Supervisory Authority.

Prioritise the security alerts

Ensure you can prioritise and respond to the myriad of alerts your security products generate on a daily basis. If you have a SIEM in place, that’s great, providing you’re not getting swamped by alerts from the SIEM and that you have the capability to respond 24×7 (attackers work evenings and weekends, too).

If you don’t have a current SIEM (or the time or budget to take on a traditional SIEM deployment project), or you are finding it hard to keep up with the number of alerts you’re currently getting, we can advise alternatives which generate alert volumes that are reasonable for even the smallest teams to

Don't forget shadow IT

Don’t forget about cloud-based applications. You might have some approved cloud services deployed already, and unless you’ve switched off the internet it’s highly likely that there is a degree of shadow IT (a.k.a. unsanctioned services) happening too.

Making sure you have visibility across sanctioned and unsanctioned services is a vital step to securing them, and the data contained within them.

Some more...

We’ve plenty more tips, but perhaps we can sit together and help your organisation figure out where the focus needs to be.

In order to come up with these recommendations, we’ve created a Security Assessment.

But you’re still interested in some more tips…


The SANS Institute, working in concert with the Center for Internet Security (CIS), has created a comprehensive security framework—the Critical Security Controls (CSC) for Effective Cyber Defense (often referred to as the SANS Top 20) — that provides organizations with a prioritized, highly focused set of actions that are implementable, usable, scalable, and compliant with global industry & government security requirements. These recommended security
controls also serve as the foundation for many regulations & compliance frameworks, including NIST 800-53, PCI DSS 3.1, ISO27002, CSA, HIPAA, and many others.