More Than CheckboxesTackling the Overlooked Aspects of GDPR 

Oleg GorobetsSenior Global Product Marketing Manager, Kaspersky Lab

THE EVOLUTION OF CYBERTHREATS

Damage from

 attacks

2003 2007 2009 2013 2017

VirusesWorms

SpywarePhishingBotnets

APTsZero‐daysWipers

Nuisances

Cyber‐crime

Professional Cyber‐espionage ?

We understand global IT & Business trends and the threats they bring!

3

Consumerization & mobility

Increasingonline commerce

Critical infrastructure at risk

Machine Learning

Personal Data Cloud & virtualization

Privacy & data protection challenge

Fragmentation of the Internet

Cars become smarterConnected Cities

Mobile threatsCriminal Currency

Massive data leaks

Decreasing cost of APTs

Commercialization of APTs

Supply chain attacks

Cyber-mercenaries

“Wipers” & cyber-sabotage

Targeted attacks

Financial phishing attacksRansomware

Malware for ATMs

Attacks on PoS terminals

Merger of cybercrime and APTs

Targetinghotel networks

Internet of Things

HacktivismVulnerable connected cars

Ransomware in Targeted Attacks

Data asThreats

to Smart Cities

Attacks on Smart Cities IoT botnets

Compliance

Risk Analysis

THE ‘NEXT GEN THREATS’ MARKET PHENOMENON

Both IT and commercial advances provide

new opportunities for attackers.

The result is the booming

Threat landscape affecting so many

businesses.

THE AVERAGE FINANCIAL IMPACT OF A DATA BREACH

SMB

Enterprise

Average Total Impact:$87.8k

Average Total Impact:$992k

IT Security Risks Report 2017 Kaspersky Lab

$134K$130K

$111K$107K$104K$99K

$132K$97K

$78K

Compensation

Damage to Credit Rating/Insurance…

Lost Business

Improving Software & Infrastructure

New Staff

$13K$12K$11K

$10K$8K$8K

$10K$8K

$7K

Lost Business

Additional Internal Staff Wages

Compensation

Improving Software & Infrastructure

New Staff

Base: 1,229 SMBs/ 919 EnterprisesSuffering At Least One Data Breach

PERSONAL DATA: NO PERIMETERS, NO BORDERS

PERSONAL DATA IS EVERYWHERE

PERSONAL DATA HAS BECOME A COMMODITY FOR CYBERCRIMINALS TO STEAL AND TRADE

ITS COMPROMISE CAN GRAVELY AFFECT PEOPLES’ LIVES

THE ACUTE NEED FOR DATA PROTECTION DRIVES NEW LEGISLATIONS

THE NEED FOR COMPLIANCE DRIVES SECURITY NEEDS

GDPR is a LAW

GDPR starts in Europe 25 May, 2018GDPR is how to deal with personal data as part of a human rightsAffects all businesses over the globe dealing with the EU citizens 

Get consent from data subject on data processing Locate and classify your sensitive dataCreate accountability process and establish data storage Prevent data breachesReport about data breachesControl data flow

PenaltiesUnder GDPR, in case of an incident, organizations can be fined up to 4% of annual global turnover or €20 Million (whichever is greater)

Breach NotificationUnder the GDPR, breach notification will becomemandatory in all member states where a data breach islikely to “result in a risk for the rights and freedoms ofindividuals”. This must be done within 72 hours of firsthaving become aware of the breach.

What an organization needs to do:

THE NUMBERS TALKTALK FOR THEMSELVES

Breach:

• 157,000 customers’ data stolen; multiple security issues

• The ICO has issued a £400 000 fine under the 1998’s Data Protection Act

• Under GDPR, it could become £59mln   

• Sold customers’ data, fined £130 000 

• Under GDPR, it would become £4mln 

Source: The Register, ‘Last year's ICO fines would be 79 times higher under GDPR’

TOP IT CONCERNS

Most Concerning IT Security Related Business Issues

69%

43%

42%

39%

38%

35%

33%

Data protection

Security issues of cloudinfrastructure adoption andbusiness process outsourcing

Business continuity

Cost of securing increasinglycomplex technology

environmentsEnsuring compliance of staffwith security policies andregulatory requirements

Relationships withpartners/customers

Security issues of mobiledevices and BYOD trends

Top 3 Security Challenges Related To Each Business Issue

Base: 5,274 All Respondents

Data loss/exposure due to targeted attacks 39%

Electronic leakage of data from internal systems 32%

Physical loss of devices or media containing data 28%

Incidents affecting suppliers that we share data with 17%

Incidents affecting third party cloud services we use 17%

Incidents affecting IT infrastructure hosted by a third party 18%

Viruses & malware 19%

Loss of access to internal services 16%

Loss of access to customer-facing services 15%

Identifying / remedying vulnerabilities in IT systems we use 19%

Managing security across different computing platforms 16%

Incidents involving non-computing, connected devices 13%

Inappropriate IT resource use by employees 20%

Time and cost of enforcing security compliance among employees 18%

Fines for not maintaining compliance with security regulations 11%

N/A N/A

Managing security of users' own devices in the workplace 16%

Inappropriate sharing of data via mobile devices 16%

Physical loss of mobile devices exposing the organization to risk 15%

IT Security Risks Report 2017 Kaspersky Lab

GDPR: PERCEPTION & REALITY

10

AM I SUBJECT TO GDPR LEGISLATION?

One more set of regulationsto comply with…

I don’t have personal data, nothing to worry about!

I HAVE STRONG SECURITY!I SHOULD BE SAFE!

It’s so complex, I’ll have a hard time explaining the means & budgets to the Board..

GDPR ASPECTS FOR A COMPANY

Know your roleUnderstand your data

Train your champions

Assign a DPO

Perform GAP analysis

Conduct DPIAs

Review consents 

Develop and test breachResponse frameworks 

TWO KEY ASPECTS TO START WITH

Know your role Understand your data

Roles, Rules and Rights

Data Subject

Controller Processor1 

Processor2 

Consent

Rights:• Reviewing• Portability• Rectification• Oblivion• Objection

Rules

Processor3

National Border

• Biz.Processes• Training• Rules for Processor

DPO

Obligations

Business ITP2P

C2P

• Data storing• Breach detection• Notifications

Authority

SCCP

(logging, audit)

Data Ws: What? Where? When? Who?

File Server

Mobile Endpoint

ConnectedStorage

Endpoint

Smartphone/TabletCloud Infrastructure

PerimeterPortableStorage

User1 User2

Regulated Data Storage

HOW IT SECURITY CAN HELPKASPERKY LAB’S VISION

Knowing Your Data is Key

File Server

Mobile Endpoint

ConnectedStorage

Endpoint

Smartphone/TabletCloud Infrastructure

PerimeterPortableStorage

Mail Server

DATA PROTECTION FRAMEWORK

SensitiveData

Protection

Mitigate risks & Reduce attack surface

Encryption Security Controls

THREAT PROTECTION

DATA DISCOVERY TOOLS 

Ready‐to‐use compliancedictionaries Custom dictionaries

DEFINE & DISCOVERKnow what data you haveand where you have itCONTAIN & GOVERN Know where is resides

RESPOND & REPORT Report Breaches &  Contain Incidents

DLP‐based functions CASB

PREVENT

BREACH DETECTION / PREVENTION

EDR

Access Rights & Security Policies

DATA STORAGE

People & Processes

Inside Infrastructure:Endpoint Protection +

At the perimeter:Mail & Gateway

In the cloud:Cloud Security

GOVERNING THE DATA

Security Controls

File Encryption

Endpoint Detection  & Response

Breach Detection &Prevention

Mailbox Data Discovery

Web Control

Mail/ChannelEncryption

Data Discovery

Mail & Gateway DLP

AccessRights

AccessRights

Encryption

CASB

Cloud DLP Breach 

Detection

Data Discovery

Platform Existing New

Security Controls: Make Breaches Less Likely to Occur

• Can block launch of unsolicited apps (including malware) 

• Can be configured to let only whitelisted apps run

• Can block  undesired sites(and categories)

• Can be configured to allowaccess only to whitelisted sites

• Can block the use of undesired devices (e.g. USB sticks or network adapters)

• Can be configured to allow trusted devices to be connected

Threat protection is True for Avoiding BreachesHumanExpertise

Treat Intelligence / Big Data

MachineLearning

LET'S TALK?