Magecart: The Largest Payment Card Attack in History. Here’s what you can do …

The previously disclosed Ticketmaster attack was not a one-off event but part of the largest payment card theft reported to date, affecting over 800 ecommerce sites around the world. The true scale of the campaign is striking. The Target breach of a few years ago, enabled through a compromised supplier, was frightening, yet it hit a single merchant, on in-store point-of-sale systems, for roughly three weeks. The Magecart website supply chain attack planted digital payment card skimmers in the JavaScript that sites load from their vendors and victimized over 800 merchants for more than three years: far larger in both reach and duration.

The Magecart group successfully attacked some of the most sophisticated ecommerce players and operated largely undetected from 2015 onward by exploiting a weakness built into practically every commercial website: 3rd party JavaScript runs with the same privileges as the site's own code. In the case of Ticketmaster, Magecart actors compromised a 3rd party chatbot service, Inbenta, whose JavaScript was embedded on the Ticketmaster site. By modifying the Inbenta code served to Ticketmaster's pages, Magecart could capture the payment information entered on those pages and exfiltrate it from every Ticketmaster customer who was served the altered script.

The browser is where websites display and capture critical customer and payment data; it is the front door for interaction with customers and their data. A 3rd party script included with a script tag executes inside the page's own origin with unmanaged and unlimited access to the entire page: it can read and modify any form field, log keystrokes, inject content, redirect form submissions, display phishing overlays, deface or alter the page, and, unless the site restricts outbound connections, send whatever it collects to any server it chooses. Simply put, by integrating 3rd party JavaScript, website owners are handing out skeleton keys to the front door while they focus extensively on securing the server-side back door. Security pros must think twice about being so cavalier with those keys and diligently secure both the server side and the client side of web sessions.

Because many 3rd party vendors have weaker security programs than the corporate websites that embed their code, they are attractive and susceptible targets. 3rd party JavaScript has unlimited access to the page DOM, so every 3rd party vendor, and any attacker who compromises one, has the same level of access to every element of the page as the website owner's own development team.


Once a vendor is compromised, its code can be modified or replaced, and every site that loads that code inherits the compromise. Magnifying the potential damage, a single compromised vendor gives the attacker a foothold on every website that runs the tool.

3rd party JavaScript is served from external servers and executes in the visitor's browser, so conventional security activities such as pentesting, periodic code review and dynamic application security testing do not address it: they assess the site's own code at a point in time and never see a change that the vendor, or an attacker inside the vendor's infrastructure, makes to the script afterwards. Because the browser's connections to these external servers are unmanaged and largely unmonitored, the company has no visibility into what the 3rd parties are doing on its pages and no means of stopping an attacker who abuses that access. Nearly every corporate website that loads 3rd party scripts without constraining them is exposed to this attack vector.


Here’s what you can do …

Luckily, there are steps security teams can take to mitigate or even eliminate 3rd party vendor risk. From prevention-level controls that still allow beneficial use of 3rd parties, all the way to usage restrictions that are blunt and counterproductive, there are practical measures security pros can implement today to protect their companies from the next website supply chain attack.

Prevention is the best option

The best thing security pros can do to prevent an attack like Magecart is to implement technology that controls the access and permissions of every 3rd party running on the page, so that a vendor's script can reach only the page elements and network destinations it legitimately needs. This insulates websites, their corporate owners, their visitors and private customer data from the inappropriate behaviour of overzealous 3rd parties and from the malicious activity of attackers who compromise them.

Prevention-level approaches for client-side connections not only secure the organization but are also required for the level of data control that regulations such as GDPR and the California Consumer Privacy Act (CCPA) demand. An organization that cannot control private customer data, or prevent unauthorized access to it by 3rd party website vendors or attackers, will struggle to demonstrate compliance.

Additionally, a major benefit of prevention is that, with security and privacy concerns addressed, the business is free to deploy beneficial 3rd party website tools in pursuit of its shared goal: revenue generation. By using 3rd parties on otherwise sensitive pages (e.g. payment, registration, login) the business can optimize conversion rates at critical points in the customer journey, and by adopting new and innovative tools quickly it can differentiate itself from peers who are forced to move more slowly and in a more restricted fashion. The end result is a secure and compliant site that delivers a superior customer experience and produces better analytics.

Monitoring and detection

While prevention is clearly the best method, monitoring offers a less secure, reactive alternative. Magecart's multi-year activities are evidence that detection, although helpful, is inadequate on its own. The main weakness of detection is timing: a modified script is live, and skimming, from the moment the vendor's file changes until someone notices. Even schemes with a multitude of global sensors can miss highly targeted attacks that serve the malicious code only to a narrow slice of visitors.

Although detection may eventually identify an attack, it will not do so before some data has already left the page. Even if most of the damage is avoided after detection, any leakage of customer data typically triggers breach-notification obligations and public disclosure, and the resulting fines, PR crises and operational fire drills are often crippling. Detection approaches also have no remediation capability of their own, so the only response is to remove the tool entirely and absorb the operational and capital costs of losing or replacing its functionality. Ultimately, even that removal does not address the root cause, leaving the site continuously exposed to future attacks through another compromised 3rd party tool operating on the site.

Fundamentally, these approaches are not scalable. 3rd party JavaScript changes routinely, and sites frequently change and rotate the vendors they use. Alert fatigue, coupled with the reactive nature of detection and the persistence of the underlying weakness, leaves these approaches severely limited.

Vendor due diligence assessments

Many organizations, especially those under strict compliance mandates, perform routine, comprehensive vendor security assessments. Although well intended and highly recommended, such exercises provide only a point-in-time view, and even then only a comfort-level rating of a vendor's security program. Any vendor can be breached at any time; in practice, some of the most seemingly mature and trusted 3rd party website tools have been breached and used to victimize hundreds of websites. Although these assessments provide a degree of comfort and satisfy some compliance requirements, they deliver neither prevention nor continuous detection. They should be part of a comprehensive security program but are in no way adequate as a stand-alone approach to mitigating 3rd party risk.

Restricting the usage of 3rd party tools

The last resort is to exercise a debilitating level of caution by limiting the use of beneficial 3rd party tools, which runs counter to the overall goals of the business. Limiting the number of tools constrains the organization's ability to provide an engaging user experience and extract meaningful analytics. Relying only on "mature" or "trusted" 3rd party vendors and forgoing new and innovative tools makes delivering a compelling, differentiated and dynamic web presence difficult. Restricting 3rd party tools on sensitive areas of the website, such as account registration, transactions and checkout, hurts conversion rates precisely where customer experience and analytics matter most.

The Time to Act is Now

It is likely that the more than 800 compromised sites in this attack are just the tip of the iceberg, given how long the campaign ran undetected. Similar attacks exploiting the same vector have recently been reported against major global airlines, online electronics merchants, online mass merchants and credit rating agencies. 3rd party vendors have shifted responsibility to site owners to put the necessary security measures in place themselves. It is therefore critical that site owners proactively deploy preventive technology that stops website supply chain attacks while letting them continue to benefit from the differentiating utility these tools provide.

Next Steps

Quickly access an assessment of your current risk level. If the industry-wide susceptibility to this attack vector has you concerned about your own site's exposure, request a customized expert walk-through of data exfiltration on your site at www.sourcedefense.com.


From a bird's-eye view of a CSO with Ian Amit

Apex sat down with Ian Amit, Chief Security Officer of Cimpress, to discuss his views on what it means to be an innovative CSO today while remaining a business enabler. With over a decade of experience in diverse security fields, he shares his experience and advice.

Q: What is IT security doing to support innovation in the enterprise?

A: First and foremost, ensuring that security understands the business needs as far as direction (technologically) and strategy. Then security complements said strategy and not only ensures it is taken through secure means, but also further enables it to take additional risks.

Q: What is the single most important thing CISOs should be focusing on today?

A: Understanding and prioritizing the risks for the business. It’s not a question of a technological vulnerability “du jour” to be addressed (especially if it does not affect the organization’s threat model) and more about being able to correctly utilize the resources at hand to most effectively address the actual relevant risks.

Q: How can you best describe the relationship between the CIO and the CISO in the enterprise?

A: Independent. The CIO and CISO have potential conflicting views when it comes to technology, and hence should be independent of each other.

Q: Should IT security be a business enabler?

A: Absolutely. IT Security should never come from a “NO” approach, and by definition should enable the business to pursue whatever course of action it deems the most beneficial.

Q: How do you stay abreast of the trends and what your peers are doing?

A: Beyond the continued technological education, working and engaging with peer CSOs and CISOs has been the most beneficial for me as far as keeping up with the news, and mostly around how other executives are meeting their challenges. Forums where there are curated discussions where the members drive the conversations have been the most effective in doing that.

Q: How have you searched for and found the best vendors for your organization?

A: It is a constant cycle of looking for the right vendors for the organization, and in my view the value of VARs has diminished significantly over the years; they are only used to secure the best price point for a product. For me the focus on products is shifting, and I'm spending more on training my internal resources, while augmenting them with the right products. That means continuously challenging our operating model, and also the products we use.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: There is definitely a lot of overlap from my perspective, and I feel like a CRO is only applicable in organizations where the majority of the risk contains not only non-information elements, but is highly biased to financial or legal elements. In more “traditional” organizations, I believe that a CSO (who has all security in scope, not just information security) is the executive role responsible for risk overall, and can be coupled with a strong internal audit function to provide full risk management coverage for the organization.

Q: How has the role of the CISO changed over your career?

A: At the beginning of my career, CISOs were mostly IT-Security managers. The scope and focus of those roles have been mostly limited to technology risk and managing the security of the infrastructure and the technology stack. Modern CISOs, and especially CSOs, are tasked with a broader scope which includes the social as well as physical elements of security of the organization.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Communication is key. Being able to have discussions with your peers in the executive management is critical, and this includes learning to formulate risk in business terms. Only then does the application of "our" domain knowledge become applicable. One of the most common mistakes I'm seeing with CISOs in general is gravitating back to the engineering-heavy comfort zone where a lot of them came from, while losing focus on the actual mission, which is to secure the organization and enable it to advance.


Why Employees are Your Greatest Cyber Risk

A new study has found that nearly two in five workers admit to clicking on a link or opening an attachment from a sender they did not recognize.

This slip matters because it is how malware ends up installed on employees' devices and how sensitive corporate data gets harvested.

The Finn Partners Research study also shows the effect of the BYOD (bring your own device) trend: more than half of employees (55 percent) use personal devices for work, which increases their exposure to hackers, malware and data breaches. In addition, only 26 percent of employees change their login credentials and/or passwords for personal and work applications at least once a month.

“The fastest and easiest way for bad actors to gain access to sensitive organizational data is for employees to click on nefarious links – we know that around 40 percent of our workforce is engaging in such behavior,” said Jeff Seedman, senior partner at Finn Partners who leads the firm’s U.S. cybersecurity specialty group. “Employees often assume their personal devices are secure, but then neglect to update their software regularly or put any protection policies in place. This is a serious problem, especially if a device loaded with company data gets lost, stolen or hacked.”

Only 25 percent of employees said they receive "cyber hygiene" training on a monthly basis from their IT team. Cyber hygiene refers to updating operating systems on devices, checking for security patches, and changing passwords […]


50% of Retailers Experienced a Data Breach Last Year

Three-quarters of U.S. retailers have experienced a data breach, half in the last year, says the Thales 2018 Data Threat Report.

According to U.S. retail respondents, 75% have experienced a breach at some point, compared with 52% last year, exceeding the global average. U.S. retail is also more inclined to store sensitive data in the cloud as widespread digital transformation gets underway, yet only 26% report implementing encryption, trailing the global average.

Year-over-year breach rate takes a turn for the worse

While last year's report showed an encouraging decrease in breaches, this year the share of U.S. retailers breached in the past 12 months more than doubled, from 19% in the 2017 survey to 50%. This increase made U.S. retail the second-highest vertical polled for breaches in the last year, ahead of healthcare and financial services and only slightly behind the U.S. federal government.

Digital transformation brings increased risks to data

According to the report, 95% of U.S. retail organizations will use sensitive data in an advanced technology environment (cloud, big data, IoT or containers) this year. More than half believe sensitive data is already being used in these environments without proper security in place. Each of these environments brings its own security challenges, and as the attack surface grows those challenges need to be addressed.

The increase in attacks against the retail sector raises the question of why spending on data security isn't more significant. Ironically, in the U.S. the traditional concerns about data security, perceived complexity and business performance impact, are now outweighed by a perceived lack of need, cited by 52% of respondents. Globally the picture differs somewhat, with a lack of organizational buy-in tied to the 41% who do not perceive a need for data security. The message is that management needs a sense of urgency, and security professionals must do a better job of selling the importance of data security.

Security spending is up but not aligning with risk

The good news is that U.S. retail organizations are responding to the ever-increasing threat with 84% citing plans to increase IT security spending and 28% noting the increase would be significant. The bad news is that spending is not going to what respondents believe are the most effective defenses.

The retail sector recognizes the need for encryption to protect sensitive data. Forty-nine percent require encryption to increase cloud usage and 44% need system level encryption and access controls to expand the use of big data. More than half (52%) believe encryption (along with anti-malware tools) is needed to drive IoT adoption. This is in addition to encryption being the number one choice to satisfy compliance and data security laws such as GDPR, Korea’s PIPA and APPI in Japan.

Seemingly contradicting themselves, both U.S. and global retail ranked endpoint and mobile defenses as the area that will get the largest spending increase (72% U.S.; 52% global) even though they rank them the least effective. A bright spot is that more organizations are recognizing the threat to cloud data, and 49% of respondents have ranked cloud at the top of their IT security spending priorities […]


Discussions with Malik Bernard on the pathway to cyber success


Apex sat down with Malik Bernard, Executive Head, Cyber Governance (Cyber Security and GRC) at the City of New York, to discuss the cyber journey. With over 20 years in cybersecurity, enterprise IT strategy and design, and vendor management, coupled with IAM and DLP program implementation, he shares his experience on the pathway to cyber success.

Q: What is IT security doing to support innovation in the enterprise?

A: This is an interesting question; On its face, a simple question; but if you give it some thought, there has to be a distinction between IT Security and how it supports Cyber. Within IT Security, one may look at Data, Hardware/Software and Artificial Intelligence. I know from performing hands on labs, working with industry leaders, and analysts, the trend is towards

  • Hardware Authentication
  • Machine Learning coupled with Behavior Analytics
  • Cloud Security or should I say, better cloud security, beyond Firewalls, Storage etc. In this space, virtualization still rules and the implementation of Virtual IPS/IDS is paramount as part of an overall Cloud security strategy.

Q: Should IT security be a business enabler?

A: Everyone and every department, should support the business through smart hiring, defined, well documented processes and procedures and with appropriate technologies.

Q: How do you stay abreast of the trends and what your peers are doing?

A: I listen to smarter people than myself. I have within my circle of those I trust non-biased individuals who aren't afraid to tell me no and share with me what they really think, and I attend a few workshop forums yearly to challenge and stretch my knowledge.

Q: How have you searched for and found the best vendors for your organization?

A: It helps to be the SME or subject matter expert or know a few on a variety of business and tech needs. This way, you can cut through the ‘pitch’ and get to the ‘how will this help solve the challenge(s) we’re currently facing’ and how will it scale.

Q: What is the biggest challenge for a CISO today?

A: This one depends on many factors; The size of the organization; The amount of power and control trusted and given to the CISO. I would say, keeping up with the ever changing attack surface of the enterprise and ensuring that one’s defensive posture, is the ‘right size’ for their environment.

Q: What is the difference between a CISO and a CRO (Chief Risk Officer)?

A: CISOs are more focused on tech, cyber, etc. CROs are more focused on Risk, Threats etc. They both should work closely together to ensure a full 360 view of Risk and Threats across the landscape.

Q: How has the role of the CISO changed over your career?

A: I've actually changed and defined in my prior role what a next generation CISO should be focused on and how to get quick wins, towards a sustainable strategy of measured success. This role simply validated what I've been doing in prior, non-exec, C-Suite positions.

Q: What advice would you give an early stage CISO joining an enterprise organization?

A: Discern what’s real, what’s perceived and what’s noise. Find a way to cut through the ‘pitch’ and understand how x may occur and have in place, 2, 3 options at the ready to defend the organization. Finally, listen more, speak less and be curious.


Mr. Bernard is the Senior Executive Head of the City of New York, where he heads up the City’s Cyber Governance Tower. He was also in charge of leading the following domain areas: Software Security Assurance akin to SDLC, Cybersecurity and Awareness Training and IT Risk.

Prior to joining the City of New York, Mr. Bernard held the role of Chief Information Security Officer (CISO), for a global technology company, where his and his team’s focus was on Cybersecurity (Identity Access Management, Data Leakage Prevention, Threat Management, GRC and Privacy Management.)


Gartner: Top Six Security and Risk Management Trends

As business leaders become increasingly conscious of the impact cybersecurity can have on business outcomes, they should harness increased support and take advantage of six emerging trends (listed below) to improve their enterprise’s resilience and elevate their own standing, according to Gartner, Inc.

  1. Senior business executives are finally becoming aware that cybersecurity has a significant impact on the ability to achieve business goals and protect corporate reputation. “Business leaders and senior stakeholders at last appreciate security as much more than just tactical, technical stuff done by overly serious, unsmiling types in the company basement,” says Peter Firstbrook, research vice president at Gartner. “Security organizations must capitalize on this trend by working closer with business leadership and clearly linking security issues with business initiatives that could be affected.”
  2. Legal and regulatory mandates on data protection practices are impacting digital business plans and demanding increased emphasis on data liabilities. “It’s no surprise that, as the value of data has increased, the number of breaches has risen too,” says Firstbrook. “In this new reality, full data management programs — not just compliance — are essential, as is fully understanding the potential liabilities involved in handling data.”
  3. Security products are rapidly exploiting cloud delivery to provide more agile solutions. "Avoid making outdated investment decisions," advises Firstbrook. "Seek out providers that propose cloud-first services, that have solid data management and machine learning (ML) competency, and that can protect your data at least as well as you can."
  4. Machine learning is providing value in simple tasks and elevating suspicious events for human analysis. Gartner predicts that by 2025, machine learning will be a normal part of security solutions and will offset ever-increasing skills and staffing shortages. But buyer beware, says Firstbrook: "Look at how ML can address narrow and well-defined problem sets, such as classifying executable files, and be careful not to be suckered by hype. Unless a vendor can explain in clear terms how its ML implementation enables its product to outperform competitors or previous approaches, it's very difficult to unpack marketing from good ML."
  5. Security buying decisions are increasingly based on geopolitical factors along with traditional buying considerations. Increasing levels of cyber warfare, cyber political interference and government demands for backdoor access to software and services have created new geopolitical risks in software and infrastructure buying decisions, Gartner says. "It's vital to account for the geopolitical considerations of partners, suppliers and jurisdictions that are vital to your organization," says Firstbrook. "Include supply chain source questions in RFIs, RFPs and contracts" […]


65 Percent of Organizations Believe IoT Increases OT Security Risks

According to Kaspersky Lab's State of Industrial Cybersecurity 2018 survey, 65% of organizations globally believe that operational technology (OT) and Industrial Control System (ICS) risks increase with the Internet of Things (IoT). Over the next year, 53% say that realizing IoT use cases and managing connected devices is a major priority.

As OT and IT converge, organizations can use IoT devices to boost the efficiency of industrial processes, but these devices and processes also introduce new risks and points of vulnerability. Industrial organizations surveyed feel unsafe, with 77% of respondents saying their organization is likely to become the target of a cybersecurity incident involving their industrial control networks.

Among IoT-related concerns, 54% of respondents say the increased risks that come with connectivity and IoT integration are a major cybersecurity challenge, followed by the new types of IoT security measures that need to be implemented (50%) and the implementation of IoT use cases themselves (45%).

According to Kaspersky Lab, companies relying on ICS are falling victim to conventional threats, including malware and ransomware. Almost two-thirds of companies experienced at least one conventional malware or virus attack on their ICS in the last year, 30% suffered a ransomware attack, and 27% had their ICS breached through the errors and actions of employees.

Targeted attacks affecting the industrial sector accounted for only 16% in 2018 (down from 36% in 2017) […]


Las Vegas Most Insecure Cyber City in US

A new study, Cybersecurity in the City: Ranking America’s Most Insecure Metros, has identified Las Vegas, Memphis and Charlotte as America’s most cyber insecure cities.

America’s Most Insecure Metros

10. Tampa – St. Petersburg
9. Orlando – Daytona Beach
8. West Palm Beach – Ft. Pierce
7. Jacksonville
6. Birmingham
5. Providence
4. Houston
3. Charlotte
2. Memphis
1. Las Vegas

America’s Least Vulnerable Metros

5. St. Louis
4. Seattle – Tacoma
3. Norfolk-Portsmouth-Newport News
2. Greensboro – Winston Salem
1. Richmond

"The Cybersecurity in the City: Ranking America's Most Insecure Metros report emphasizes just how expansive both the vulnerability and threat landscapes have gotten in the U.S.," said Guy Moskowitz, founder & CEO, Coronet. "While big companies may have the budgets, personnel and resources to protect their assets reasonably well, mid-market and small businesses are mostly left to fend for themselves. This is both unfortunate and a recipe for disaster" […]


Why People are ‘Password Walking’

A recent study by Virginia Tech and Dashlane of 61 million leaked passwords uncovered troubling password patterns.

Dashlane researchers examined the data for patterns, illuminating simple mistakes that continue to be made by people who use passwords in daily life, which is to say virtually everyone. They found patterns across the keyboard, from not-so-randomly chosen letters and numbers to popular brands and bands, and even passwords created out of apparent frustration.

Dashlane researchers discovered a high frequency of passwords containing combinations of letters, numbers and symbols that are adjacent to one another on the keyboard. This practice, known as "Password Walking," reflects the apathetic attitude many users have towards password creation, preferring convenience over security.

Users who "Password Walk" are creating passwords that are far from secure. Attackers are keenly aware of the human tendency to favour convenience, and the wordlists and mangling rules used in password cracking include these keyboard patterns, so such passwords fall almost immediately.

Most are familiar with versions of “Password Walking,” such as “qwerty” and “123456”, but Dashlane’s researchers uncovered several other combinations that are frequently used:

  • 1q2w3e4r
  • 1qaz2wsx
  • 1qazxsw2
  • zaq12wsx
  • !qaz2wsx
  • 1qaz@wsx

These passwords are all made up of keys on the left-hand side of a standard keyboard, so a user can type the entire password with the little or ring finger of the left hand. However convenient that may be, saving a few seconds is not worth losing one's critical financial and/or personal data to an account takeover.

The study said, "The prevalence of 'Password Walking' is troubling and should make anyone using such passwords take another look at their password practices. Genuinely random and unique passwords are essential to password security; punching a bunch of adjacent characters will not cut it."
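Keyboard walks like the six above can be detected mechanically, which is how a password policy or a credential audit catches them before they are accepted. The following is an added example, not from the Dashlane or Virginia Tech study: it models the staggered layout of a US QWERTY keyboard, scores a password by how many of its character transitions land on a neighbouring key, and reports the runs it is made of. The threshold (75% of transitions adjacent) and the sample passwords other than the study's six are constructed for the demonstration.

```javascript
'use strict';
// Added example (not from the Dashlane / Virginia Tech study): a QWERTY
// "keyboard walk" detector. Each key gets an (x, y) position that reproduces
// the physical stagger of a US layout, so diagonal moves such as
// 1 -> q -> a -> z count as adjacent, not just left/right neighbours.

const ROWS = [
  { keys: '1234567890-=', offset: 0 },
  { keys: 'qwertyuiop[]\\', offset: 0.5 },
  { keys: "asdfghjkl;'", offset: 0.75 },
  { keys: 'zxcvbnm,./', offset: 1.25 },
];

// Shifted symbols map back to the key that produces them, so "!qaz2wsx" is
// treated like "1qaz2wsx" (the study's list mixes both forms).
const SHIFTED = {
  '!': '1', '@': '2', '#': '3', '$': '4', '%': '5', '^': '6', '&': '7',
  '*': '8', '(': '9', ')': '0', '_': '-', '+': '=', '{': '[', '}': ']',
  '|': '\\', ':': ';', '"': "'", '<': ',', '>': '.', '?': '/',
};

const POSITION = new Map();
ROWS.forEach((row, y) => {
  [...row.keys].forEach((k, i) => POSITION.set(k, { x: i + row.offset, y }));
});

// Position of the physical key behind a character, or null for characters
// that are not on the modelled layout (space, unicode).
function keyPosition(ch) {
  const k = SHIFTED[ch] || ch.toLowerCase();
  return POSITION.get(k) || null;
}

// Two keys are adjacent when they are within one key width horizontally and
// one row vertically. A repeated key (distance 0) also counts, since "ssss"
// is no stronger than "sdfg".
function adjacent(a, b) {
  return a !== null && b !== null &&
    Math.abs(a.x - b.x) <= 1 && Math.abs(a.y - b.y) <= 1;
}

// Splits a password into runs of adjacent keys and scores it by the fraction
// of character transitions that stay on neighbouring keys. A score of 1 is a
// single uninterrupted walk ("1q2w3e4r"); "1qaz2wsx" is two runs joined by
// one jump and scores 6/7. The 0.75 threshold is a constructed policy choice.
function analyzeWalk(password, threshold = 0.75) {
  const chars = [...password];
  const runs = [];
  let adjacentSteps = 0;
  let current = chars.length ? chars[0] : '';
  for (let i = 1; i < chars.length; i++) {
    if (adjacent(keyPosition(chars[i - 1]), keyPosition(chars[i]))) {
      adjacentSteps++;
      current += chars[i];
    } else {
      runs.push(current);
      current = chars[i];
    }
  }
  if (current) runs.push(current);
  const transitions = Math.max(chars.length - 1, 1);
  const score = adjacentSteps / transitions;
  return { runs, score, isWalk: chars.length >= 4 && score >= threshold };
}

// Convenience wrapper for a password-policy check.
function isKeyboardWalk(password) {
  return analyzeWalk(password).isWalk;
}

// Constructed sample set: the six walks quoted in the study plus two
// passwords that are weak for other reasons but are not keyboard walks.
const SAMPLES = ['1q2w3e4r', '1qaz2wsx', '1qazxsw2', 'zaq12wsx', '!qaz2wsx',
  '1qaz@wsx', 'superman', 'correct horse battery'];

for (const pw of SAMPLES) {
  const r = analyzeWalk(pw);
  console.log(`${pw.padEnd(22)} score=${r.score.toFixed(2)} ` +
    `runs=${JSON.stringify(r.runs)} walk=${r.isWalk}`);
}
```

The runs are worth returning alongside the verdict: telling a user that "1qaz2wsx" is two column walks joined by a jump is more persuasive than a bare rejection, and the same structure lets an audit distinguish walks from dictionary words such as "superman", which scores low because almost every transition jumps across the keyboard. The model covers a US QWERTY layout only; other layouts need their own row strings.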

Vices like Coca Cola and Skittles seep into all corners of life, even passwords, the study said. The ten most frequent brand-related passwords:

  1. myspace *experienced a major breach in 2016
  2. mustang
  3. linkedin *experienced a major breach in 2016
  4. ferrari
  5. playboy
  6. mercedes
  7. cocacola
  8. snickers
  9. corvette
  10. skittles

Unsurprisingly, the study said, pop culture references were also prevalent. It would be wise to remember that using names or common phrases as passwords is not a safe practice.

The ten most frequent pop culture passwords:

  1. superman
  2. pokemon
  3. slipknot
  4. starwars
  5. metallica
  6. nirvana
  7. blink182
  8. spiderman
  9. greenday
  10. rockstar

Last, as the world prepares for the Champions League Final this weekend, the study suggested that fans of the game should refrain from showing love for their favorite club in their passwords […]


GDPR: Will Your Company Be Fine or Fined?

"Mayday, mayday" is a standard international distress signal. With the European Union's General Data Protection Regulation (GDPR) going live on May 25, 2018, the phrase seems particularly apt.

What is the GDPR? Weighing in at over 50,000 words, the GDPR revises a decades-old EU privacy directive that harkens back to 1995, a time when there was more postal mail than email. The GDPR restricts how organizations can collect, use and retain personal data, and provides Europeans with certain rights to halt collection, and to obtain copies, correction and, at times, destruction of their data.

How does it impact U.S. businesses? The EU seeks to apply the GDPR to all companies regardless of location if they collect personal data from individuals in the EU, such as through websites targeting EU consumers with goods or services (whether paid or unpaid), or by monitoring the behavior of people in the EU. The GDPR also applies to vendors (and corporate partners and affiliates) who end up storing, transferring, processing or using EU personal data even though another company initially collected it.

What are the Cybersecurity Requirements? Companies must implement “appropriate technical and organizational measures to ensure a level of security appropriate to the risk.”  Doing so requires an organization to evaluate “the state of the art” of security; the costs of implementation; the nature, scope, context and purposes of processing the personal data; and the risks to individual rights and freedoms. Data protection must be implemented “by design and by default.”

Are there breach notification requirements? Yes. If a data breach is likely to result in “a risk” to an individual’s rights and freedoms, the company must notify the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it. When the breach is likely to result in a “high risk” to rights and freedoms, notifications also must be made without undue delay to the affected individuals.

Can we get ready in a few weeks? It is unlikely. The EU gave companies two years. Still, achieving compliance may be more straightforward for organizations that do not collect sensitive categories of personal data (race, ethnicity, health, sex life, sexual orientation, criminal history, trade union membership, political/religious/philosophical beliefs, genetics or biometrics) and whose activities are unlikely to result in high risks to individual rights and freedoms (such as through large-scale data processing, new technologies or systematic monitoring, profiling and automated decision-making) […]