By David Braue
June 13, 2017
"Insecure collection of PII is not just a GDPR compliance violation," the firm warned in a statement in which it also highlighted the regulations' need for companies to obtain explicit opt-in from EU citizens. "The loss of personal data, profit, and reputation resulting from the use of insecure forms is a legitimate concern for consumers, as well as shareholders."
Licensing and contractual agreements will need to be reviewed, Fletcher warns, with privacy controls explicitly addressed in a GDPR-compliant way. This includes simplifying end user licensing agreements (EULAs): "an 80-page EULA is neither specific nor could you argue that someone is informed" about their rights under GDPR controls, he said.
Despite having nearly a year left to go before non-compliance threatens them with fines as large as 4% of global annual turnover, Fletcher expects many businesses will drag their feet on GDPR compliance until the last days before the new regulations kick in.
"I've worked in regulation for a number of years and I'm relatively pessimistic about people's ability to get in well in advance of deadlines," he said. "But Europe is a big market and Australian companies can't afford to lose access to that market."
Boards know that, but they may not intrinsically appreciate the importance of engaging information-security specialists at the highest level. The magnitude of the attitude shift that GDPR requires is reflected in the results of the recent NUIX Black Report, which surveyed dozens of ethical hackers about their practices and included questions about their perception of boards' security attitudes, and what those hackers would tell their boards if they had the chance.
Just 44 percent believed their boards see security as being crucial to the future success of the business, while 30 percent said it was seen as a compliance requirement and 15 percent believed boards do "just enough to show we think it's important but no more".
Advice from hackers for security decision-makers included reinforcing the importance of staff training - "you need to turn your weakest link into your greatest asset" - as well as marrying people and technology; assuming humans will fail; and understanding that security is "a journey, not a destination".
Respondents recommended that boards "trust your security professionals"; understand that there is a ROI for security and that "it is not a waste of time or money"; empower their CISO because "nothing is worse than a CISO with no ability to effect change"; and that it's more important to detect an attack than to deflect one.
This last point will be crucial for compliance with the GDPR, which is as much about openness around privacy breaches as it is about preventing them in the first place. Companies that are circumspect about admitting their compromises may quickly find themselves feted as examples by an EU that has become increasingly tired of fighting over privacy with US-based Internet giants.