Buzz about the General Data Protection Regulation (GDPR) has been around for years, but with the regulation finally becoming enforceable in May 2018, it's time to take it seriously. Some enterprises have been panicking, some have been preparing, and most have been doing a little of both. The GDPR applies to any organization that processes the personal data of people in the EU, wherever that organization is based. What does this mean for your business?
Keep Calm and GDPR
KEEP CALM AND GDPR
A GUIDE TO UNDERSTANDING AND PREPARING FOR NEXT YEAR'S BIG CHANGES IN DATA SECURITY
WHO NEEDS TO COMPLY WITH THE GDPR?
Any organization established in one of the 28 EU member states, and any organization outside the EU that offers goods or services to people in the EU or monitors their behavior. Whether you've got branches across the EU or just hold personal data on one person in Paris who signed up for your newsletter, you have to comply. But even if you don't do business in Europe, the GDPR is likely to raise global data protection expectations going forward, so it might not be a bad idea to get on board anyway.
Meet the GDPR
The GDPR cracks down on the way companies process and store customers' personal data (often called personally identifiable information, or PII, in US usage), which includes everything from names, birthdays, photos, and email addresses to medical data, pseudonymized data, and IP addresses. Better protection means fewer data breaches, and the regulation also expects you to limit the damage and respond quickly when a breach does occur.
Sure, some regulations protecting personal data already exist, so the GDPR might seem like just another rule to follow. But it's important to realize that the GDPR is far stricter and carries far more severe penalties than any regulation we've seen before. Compliance is going to be vital.
The GDPR contains 99 articles that lay out rules for data storage and protection, but here are the major ones to keep in mind:
• Data breaches must be reported to the supervisory authority within 72 hours of the company becoming aware of them, where feasible, together with the categories and approximate number of people and records affected; the affected individuals must also be told without undue delay when the breach is likely to put them at high risk. Today, many companies aren't aware that a data breach has occurred until weeks, sometimes months, after the fact. The FireEye M-Trends 2016 report puts the median time from compromise to detection at 146 days, so the new disclosure requirement calls for a seriously stepped-up game.
• Customers gain more control over their data. They can ask to see which of their data a company stores (the right of access) and have the "right to be forgotten," that is, to have their data erased.
• Companies remain accountable for personal data that third-party contractors process on their behalf: they may use only processors that give sufficient guarantees, must bind them by a written contract, and can be held responsible for breaches that result from a contractor's mishandling of the data.
• All companies handling the personal data of people in the EU must be able to demonstrate that they've adopted appropriate security measures.
• Non-compliance with the GDPR can result in unprecedented fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher. For many companies, non-compliance is simply not an option financially.
Third-party problems
We can't stress enough the significance of one of the more onerous requirements of the GDPR: companies remain accountable for data breaches that occur on their third-party contractors' watch. In other words, even if your company has excellent security measures in place, your law firm, accounting firm, regulators, business partners, or consulting firms might not. And that's a problem.
Whether you grant a third party access to your database or just share a Dropbox folder with them, data and documents are out of your hands and off your company's servers. In the past, third parties' data breaches were third parties' problems. No longer. With the GDPR, you can be held responsible for breached or stolen customer personal data even when the failure was not directly yours. So even if you've done all you can to make sure you're in compliance, you must ensure that your data is still protected once it leaves the enterprise. This is a major change and is likely to require a significant adjustment and security overhaul. Don't panic (yet), but read on for some tangible steps you can take to make sure you do this right.
[Figure: documents leaving the enterprise for devices, cloud services, and email, with their onward destinations unknown (marked "?").]
A+ steps to take now to prepare for the GDPR
• Assess. Take stock of your company's current security situation. Where is customer data stored and how? What types of documents are used to store it? Who has access to it? How does it get moved between people or departments? What security measures are already in place, both in the enterprise and outside of it (i.e. in the cloud)? What processes are in place to detect and respond to a data breach? How much of your current security situation complies with the GDPR requirements?
• Act. Implement security measures that comply with the GDPR and protect personal data, whether that means encryption, beaconization, or strict data usage guidelines. Put these rules in writing and make sure everyone at your company knows them. Assume a data breach will happen and create a response plan. Who will be responsible for reporting it, and how will that happen in the required 72-hour window?
• Assemble. Make a list of every single third party your company works with in any capacity and in every department.
• Agree. Ask your third-party contractors to sign agreements acknowledging that they will not subcontract work without explicit approval, that they will maintain a risk-based security program that meets the GDPR's requirements (with your guidance if necessary), and that they will report any data breaches or changes to you immediately. Contractors must also return or destroy all confidential data at the end of their contract or on termination.
• Appoint. Select someone in your company to be the Data Protection Officer (DPO). The GDPR requires a DPO for public authorities and for organizations whose core activities involve large-scale monitoring of individuals or large-scale processing of sensitive data, and a DPO is good practice for everyone else. This person is the point of contact on data protection and keeps watch over breach prevention and response.
• Allure. Allure Security's Novo software is specifically designed to prevent third-party data breaches and doesn't require keeping track of any keys, passwords, or contractors' activities. Consider adding Novo to your security line-up to support GDPR compliance and peace of mind.
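The Assess step starts with finding out where personal data actually lives. The following script is an added example, not Allure Security's code: it scans a set of documents for a few personal-data patterns (email addresses, IPv4 addresses, dates of birth) and produces a per-location inventory with category counts. The regular expressions and the sample files are constructed for illustration and are deliberately simple; a production discovery scan would cover many more identifier formats and would run over file shares, mailboxes, and cloud storage.

```python
import os
import re
from collections import Counter

# Simple patterns for a few categories of personal data named in the text.
# Constructed for illustration: a real discovery scan would add phone numbers,
# national identifiers, postal addresses and name lists, and would tune these
# against false positives (version strings can look like IPv4 addresses).
PATTERNS = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+(?:\.[\w-]+)+\b"),
    "ipv4": re.compile(r"\b(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)\b"),
    "date_of_birth": re.compile(r"\b(?:DOB|date of birth)\s*[:=]?\s*\d{1,4}[-/]\d{1,2}[-/]\d{1,4}\b", re.I),
}

# Constructed sample corpus: location -> contents, standing in for files on a share.
SAMPLE_DOCUMENTS = {
    "crm/newsletter_signups.csv": (
        "name,email,signup_ip\n"
        "Marie Dupont,marie.dupont@example.fr,192.0.2.7\n"
        "Jonas Weber,jonas@example.de,192.0.2.44\n"
    ),
    "hr/onboarding_notes.txt": "New hire DOB: 1988-04-12, emergency contact alex@example.com\n",
    "eng/release_notes.md": "# v2.3\nFixed crash on startup. No personal data here.\n",
}


def classify_text(text):
    """Count matches per category in one document; empty Counter if none."""
    counts = Counter()
    for category, pattern in PATTERNS.items():
        n = len(pattern.findall(text))
        if n:
            counts[category] = n
    return counts


def inventory(documents):
    """Map each location that holds personal data to its category counts.

    documents is a mapping of location -> text, so the same function serves an
    in-memory corpus (as here) or the output of scan_directory below.
    """
    result = {}
    for location, text in documents.items():
        counts = classify_text(text)
        if counts:
            result[location] = counts
    return result


def scan_directory(root):
    """Read every regular file under root as text (undecodable bytes ignored)
    and return the location -> text mapping that inventory() expects."""
    documents = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="ignore") as fh:
                documents[os.path.relpath(path, root)] = fh.read()
    return documents


def summarize(inv):
    """Totals per category plus the list of locations: the starting point for the
    'where is customer data stored, and how?' question in the Assess step."""
    totals = Counter()
    for counts in inv.values():
        totals.update(counts)
    return {"locations": sorted(inv), "totals": dict(totals)}


if __name__ == "__main__":
    found = inventory(SAMPLE_DOCUMENTS)
    for location in sorted(found):
        print(f"{location}: {dict(found[location])}")
    print(summarize(found))
```

Run against a real share with `inventory(scan_directory("/path/to/share"))`. The output answers the first Assess question (which locations hold which kinds of personal data); the follow-up questions about access and movement still need a review of permissions and sharing logs, which pattern matching cannot answer.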
How Novo can help
One of the biggest headaches with GDPR compliance is ensuring that documents and data aren't accessed by unauthorized parties, whether they're stolen, accidentally forwarded, or leaked with malicious intent. Allure Security's Novo is designed to give you visibility and control over your documents and data.
By embedding a beacon in every document your company uses, Novo keeps track of where sensitive documents and data are at all times. Set up a geofence around your company's building or your contractor's office, or authorize an employee's personal IP address; as soon as a document is opened outside an authorized area, Novo sends an alert and lets you know exactly which documents were opened and affected. What's more, Novo renders the document unreadable outside the authorized area. In other words, not only are you instantly notified of suspicious activity, but the data itself is impenetrable if it finds itself where it doesn't belong. The rapid alert system makes it easy to notify authorities and customers about a breach within minutes, well before 72 hours is up.
"Novo's beaconization technology can dramatically reduce risks for large enterprises and align them with the GDPR requirements to provide a reasonable risk-based security solution," says Sal Stolfo, CTO of Allure Security. "Novo is exactly that: it's reasonable, it's a means of detecting breaches, and it's a means of informing a company when a breach occurs. It ensures compliance and it works."
Breaches are going to happen; there's no getting around that fact in this day and age as attackers get increasingly savvy. And the GDPR doesn't penalize you simply for experiencing a breach. What it does require is that you have measures in place that minimize risk, monitor your data's security in the hands of third parties, and let you detect and report problems when they occur. Novo makes this possible.
How it works
Allure Security's flagship Novo product is the first Data Loss Detection and Response (DDR) technology that automatically tracks document flows in and outside the enterprise network using machine-learned Document Behavior Analytics (DBA) and data-level deception to pinpoint the source of exfiltration in real time and take action to prevent data loss.
As documents flow through your existing network gateways, Novo tags real data with beacons, maps all locations where beaconized documents are accessed, and learns normal document flow and behavior. Novo alerts the moment it sees documents being opened where they shouldn't be, whether outside the geofence in another country, on an employee's home computer, or in any other suspicious location. If Novo detects unusual document behavior, it replaces real documents with decoys, or fake documents, to protect the data and catch attackers or insiders.
[Figure: Novo architecture. Documents pass through the enterprise network gateway, where the Beaconizer tags them and the Decoy Generator produces substitutes; the DBA ML engine, detection and policy engines, and threat intel consume DocFlows and Sonar beacon events to produce real-time alerts and big-data insights and reports.]
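As an added example, not Novo's code and not a description of how Novo is implemented, here is the core of the geofence check that the "How Novo can help" and "How it works" passages describe: each beacon callback carries the source address from which a document was opened, and each event is compared against the address ranges authorized for that document. The event records, the RFC 5737 address ranges used as zones, and the document-to-zone mapping are all constructed for illustration.

```python
import ipaddress
import json

# Constructed policy: named zones and the address ranges belonging to them.
# The CIDR blocks are RFC 5737 documentation ranges standing in for a head
# office, a contractor's office and one employee's approved home address.
ZONES = {
    "hq-office": ["203.0.113.0/24"],
    "contractor-acme": ["198.51.100.0/24"],
    "employee-home": ["192.0.2.7/32"],
}

# Constructed mapping of document id -> zones allowed to open it.  A document
# that is not listed has no authorized zones, so every open is out of policy.
DOCUMENT_ZONES = {
    "DOC-1001": {"hq-office", "contractor-acme"},
    "DOC-1002": {"hq-office", "employee-home"},
}

# Constructed beacon callbacks, one JSON object per line, as a collector
# might log them: when the document was opened, which one, and from where.
SAMPLE_EVENTS = """\
{"ts": "2018-05-25T09:02:11Z", "doc_id": "DOC-1001", "src_ip": "203.0.113.45", "viewer": "Word/16.0"}
{"ts": "2018-05-25T09:40:03Z", "doc_id": "DOC-1001", "src_ip": "198.51.100.9", "viewer": "Acrobat/17"}
{"ts": "2018-05-25T11:17:48Z", "doc_id": "DOC-1001", "src_ip": "192.0.2.7", "viewer": "Word/16.0"}
{"ts": "2018-05-25T23:51:30Z", "doc_id": "DOC-1002", "src_ip": "100.64.7.21", "viewer": "Preview/10"}
{"ts": "2018-05-26T00:05:12Z", "doc_id": "DOC-1002", "src_ip": "not-an-ip", "viewer": "curl/7.58"}
"""


def compile_zones(zones):
    """Parse the CIDR strings once so each event is a cheap membership test."""
    return {name: [ipaddress.ip_network(c) for c in cidrs] for name, cidrs in zones.items()}


def zone_for(ip, networks):
    """Return the name of the first zone containing ip, or None if no zone does."""
    for name, nets in networks.items():
        if any(ip in net for net in nets):
            return name
    return None


def evaluate(events, zones=ZONES, document_zones=DOCUMENT_ZONES):
    """Check every beacon callback against the policy.

    Returns (alerts, in_policy_count).  Each alert carries the document, the
    source address and a reason, which is what an analyst needs to decide
    whether a notification is due and which records were affected.
    """
    networks = compile_zones(zones)
    alerts, in_policy = [], 0
    for line in events.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        doc_id, src = event["doc_id"], event["src_ip"]
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            # A callback with a garbage address is suspicious in itself (spoofed
            # collector, broken proxy header); surface it instead of dropping it.
            alerts.append({"doc_id": doc_id, "src_ip": src, "ts": event.get("ts"),
                           "reason": "unparseable source address"})
            continue
        zone = zone_for(ip, networks)
        if zone is None:
            reason = "opened outside every authorized range"
        elif zone not in document_zones.get(doc_id, set()):
            reason = f"opened from zone '{zone}', which is not authorized for this document"
        else:
            in_policy += 1
            continue
        alerts.append({"doc_id": doc_id, "src_ip": src, "ts": event.get("ts"), "reason": reason})
    return alerts, in_policy


def affected_documents(alerts):
    """Distinct documents with at least one out-of-policy open: the list you
    would attach to a breach notification."""
    return sorted({a["doc_id"] for a in alerts})


if __name__ == "__main__":
    found, ok = evaluate(SAMPLE_EVENTS)
    print(f"{ok} opens in policy, {len(found)} alerts")
    for a in found:
        print(f"  {a['ts']} {a['doc_id']} from {a['src_ip']}: {a['reason']}")
    print("affected documents:", affected_documents(found))
```

Two edge cases are handled explicitly: a callback whose source address cannot be parsed is raised as an alert rather than silently skipped, and a document opened from a zone that is authorized for other documents but not for this one is flagged. Source-address geofencing is only as good as the address the callback arrives from: a viewer behind a VPN or corporate proxy appears to be somewhere it is not, and a viewer that never fetches the beacon (offline, or with remote content blocked) produces no event at all. Treat this as a detection signal to correlate with other telemetry, not as proof that a document has not been read.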
The Novo Difference
In the race to become compliant before May, your company might be looking at a number of different solutions. Most solutions out there are based on encryption, which ensures that if a document is intercepted in the cloud, for instance, the interceptor won't have the decryption key needed to read the content. However, relying on encryption to manage thousands of employees with access to millions of documents and billions of pieces of data means a lot of keys and a huge technical challenge, especially when third parties come into play. Losing even one key can make data unrecoverable, and managing and enforcing an encryption solution among contractors and others operating outside the network is difficult, to say the least.
Novo moves past the concepts of endpoints and keys, and it frankly doesn't matter how your data is shared or stored. Novo makes it easy to know exactly where all your data is all the time, and if it's not where it's supposed to be, you'll know right away. Novo is easy to manage, secure, and accountable, and best of all, it supports your GDPR compliance from the moment you set it up.
“Enterprises aren’t aware of where their documents go once they leave their network.
We believe visibility is the number-one way to prevent the loss of data,” says Mark Jaffe,
CEO of Allure Security. “Third parties have long been an obstacle to data security, and the
GDPR is taking significant strides to improve data breach protection. Novo stands up to
the task, and by making security second-nature, it lets enterprises focus on the work they
care about most.”
Take Novo for a test drive and see where your document travels by visiting alluresecurity.com and requesting to schedule a demo.