Why GDPR Day is February 15th, not May 25th 2018

If you read the news, you may think the negative portrayal of General Data Protection Regulation in the media means the new regulation will be one of the worst edicts ever introduced. However, from your customer’s perspective, the new data law may look very different. GDPR is set to help organizations truly respect their customers’ information by protecting it from possible cyber breaches, often accomplished by hackers via the Domain Name System (DNS).

Industry research reveals it typically takes 99 days before a data breach is detected (FireEye M-Trends 2017). This means organizations have from today, 15th February – exactly 100 days before May 25th 2018 – to ensure they are GDPR compliant. Adhering to GDPR can bring brand and commercial benefits, and our new research reveals 72% of businesses worldwide are confident they have the right processes in place ahead of the regulation coming into force.

Money, money, money going into GDPR compliance

Perception is reality. It seems businesses have understood this urgency to look after their customers data ahead of the deadline and begun their preparations, spending up to $5 million per company so far, and 63% of them have already appointed a Data Protection Officer (DPO) according to our latest research.

The regulation has been framed around the location of the data subject, rather than the data controller or data processor, meaning this EU regulation has global impact. It is encouraging to see the US is the most confident about complying to the new rules and has spent more on average ($1,417,000) than the UK ($1,165,000) and Spain ($1,223,000), and nearly as much as France ($1,584,000) and Germany ($1,752,000).

The reporting element of GDPR requires notification to the supervisory authority within 72 hours of breach occurring if data has been stolen. At the moment, few companies are reporting breaches in public with only large-scale attacks reaching the general public’s ears. Our 2017 survey data shows one-in-five (22%) of businesses worldwide has suffered a data exfiltration attack, and 18% have admitted to losing sensitive customer information. By notifying customers of any breach, regardless of scale or gravity, customers will have increased trust and loyalty to the company.

The number of data breaches last year proves legacy and current technology implemented are not working as well as they should, or as well as people think. A popular and relatively easy way for hackers to steal data is through data exfiltration by attacking the DNS Server.

Why is DNS important to GDPR?

A primary area to protect is DNS, as over 90% of current malware uses DNS (Cisco Security Report 2016). This is an easy vector for hackers to attack. As examples, the WannaCry and Petya ransomware attacks targeted different patches on network services that were not correctly secured. If hacked, the network service could be used as a vector of an attack because all legacy security solutions, such as firewalls, will be blind to exfiltration activity.

Around the world, 83% of organizations failed to apply all the necessary security patches, which made them vulnerable to future attacks. By first understanding how data can be accessed via DNS, businesses can better prevent more attacks from happening this year and remain compliant to data regulations like GDPR. More than one-in-three (38%) companies are putting top priority on DNS monitoring and analysis to help them comply with GDPR and protect them from emerging cyber threats.

Why is data exfiltration a big GDPR issue?

Due to the billions upon billions of transactions occurring over a network at any time, exfiltrated data can be easily hidden amongst the normal operations of a DNS service. All customer-facing and internal applications use DNS, which means that most DNS servers are constantly busy. Requests used for DNS data exfiltration often go unnoticed, as they are blended in with the vast volume of traffic to appear like normal traffic.

The introduction of GDPR in May will be a major driving force for any business which holds data related to EU citizens to take greater care in safeguarding their customers’ data. In order to not only avoid heavy fines, but also strengthen brand reputation and customer trust, organizations should look to immediately fortify their cyber security strategies.

There is still room for improvement with 100 days to go to the GDPR deadline, but it is very encouraging to see the majority of businesses are confident they will comply in time. There is more to come from us on this subject.