Sponsored by Wizuda, Zeroday brought together 500 Information Security professionals for an outstanding day of presentations and panel sessions in Dublin, Ireland (08.03.16). Here are 4 big things to think about from a Data Transfer perspective…
1. “The bad guys are outside the castle – right?”
Cybersecurity models tend to focus on maintaining a strong perimeter defence. We build our castle wall high, and keep the criminals on the other side where they belong. Meanwhile, living safe and content inside the castle, we have a community of people we trust. And yet things can go very wrong as a result of their activities too, as shown by recent high-profile data breaches. How do we stop the castle-dwellers just throwing data back over the wall again? This is why, under GDPR, internal and external data transfers are of equivalent importance from a governance perspective. The good guys are just as likely to produce a breach, be it through sabotage or simple innocent human error during everyday operations. Any data transfer, internal or external, represents a risk that must be controlled.
And the bad guys? As Tom Kellermann (CEO, Strategic Cyber Ventures) told the Zeroday audience, chances are the criminals are already on the inside too, quietly biding their time and exploring your network – perhaps for months, or even longer. As he explained, “It’s more important to stop things leaving your network, than to stop things entering it”.
2. “You’re on your own. So collaborate!”
Kurt Pipal from the FBI outlined some of the cybersecurity processes and actions that are executed at the level of the nation-state. Notwithstanding the fact that most nation states can’t really match the intelligence resources available to the USA, the accompanying message was crystal clear – “you are on your own”. As panelists lamented the absence of ‘prosecutability’ for cyber criminals, Wizuda Chairman Dennis Jennings posed the question – where is the international consensus that might produce a brand-new law enforcement initiative that goes beyond individual nation states? It would seem nothing much is in the offing. Enda Kyne, from FBD Insurance, noted that in Ireland, the Central Bank had taken the next step in encouraging collaboration: there was now a formal instruction for financial services organisations to collaborate in sharing intelligence about security threats.
3. Data Protection and the Law
Bryan McCarthy, from Irish law firm Ronan Daly Jermyn, turned the legal spotlight onto Data Protection. It’s not even May 25th 2018 yet, and international transfers of personal data are already under scrutiny in the Irish courts. “It will cost you to do things about GDPR laws, but it will cost you more not to do things,” he explained. Sitting behind the regulation is a raft of key concepts such as “Privacy by Design”, and an extensive list of security obligations that will cause organisations to revisit their technical tools through the prism of GDPR compliance. In a conference where the main flavour was certainly not GDPR itself, David Clarke (CISO) provided a timely reminder that “the GDPR deadline is not going to change.”
4. Security means managing simple threats as well as complex threats
The unfortunate Peoplepoint breach provided a perfect illustration of one of the most troubling 2017 security threats: namely, the humble email. Whilst teams, be they in Silicon Valley or Galway, focus hard on perfecting their advanced dark-web strategy, it’s important not to overlook more basic security weaknesses such as accidentally sending thousands of personal data records to a slightly misspelt email recipient. Such weaknesses can be easily addressed in a number of ways. A secure file-sharing tool (in lieu of traditional email) interrupts the transfer process with various checks and balances to stop that from happening. Data transfer governance potentially spans everything from individual emails up to large-scale scheduled file transfers.