SEC Clarification: Companies Must Disclose Breaches

In late February, the U.S. Security and Exchange Commission (SEC) issued new cybersecurity guidance in the form of an “interpretive release.” According to the SEC website, the Commission frequently provides guidance on federal securities laws and SEC regulations for business and investment communities. The release covered three main topics: Disclosure of cybersecurity risks and incidents Companies have been largely remiss in alerting the public to breaches that may directly impact them. Equifax took five months to reveal that the data of 145 million people had been compromised. Yahoo took years to disclose that every one of its user accounts had…

With Less Than 100 Days to Go, How to Get C-Level Buy-in for GDPR Compliance

For GDPR compliance initiatives to work effectively, there has to be buy-in from the boardroom. That doesn’t just mean releasing the necessary funds to bolster efforts ahead of 25 May, but understanding the need for long-term cultural and process changes to the organisation in the years to follow. However, with less than 100 days to go until the compliance deadline, only a quarter (26 per cent) of European firms are fully compliant, according to Forrester. So how can you drive greater awareness at senior levels of your organisation? The good news is that new Centrify research suggests that the C-level…

4 Months to Go: A New Year GDPR Checklist

As we enter the New Year, IT and security leaders have most likely been glued to revelations of major new CPU-level vulnerabilities Meltdown and Spectre, described by researchers as among the “worst ever” discovered. However, there’s arguably an even more pressing concern, not just for IT but the entire organisation: GDPR compliance. There are now just over four months to get your house in order before the sweeping new EU regulation formally comes into force on 25 May. Regulators will be given the power to levy fines of up to 4% of global annual turnover or £17m, whichever is higher….

Six Months and Counting: How Standards and Frameworks Can Help GDPR Compliance

The theft of highly sensitive personal information on 57 million Uber drivers and customers in the Uber data breach — and its subsequent cover-up — is in many ways what the GDPR was invented for. Here is a multi-billion dollar US tech company that reportedly protected access to key data in the cloud by using just static log-ins. Not only did its data protection controls therefore fall short of the best practice “state-of-the-art” approach outlined in the GDPR, but the firm also failed to report the incident — something which would incur a fine of €10m (£8.9m) or 2% of…

NIS Directive Compliance: It’s Just as Important as the GDPR

IT security managers have had plenty on their plate this year co-ordinating compliance efforts in advance of the forthcoming EU General Data Protection Regulation (GDPR). But while the sweeping new privacy law has dominated the headlines for the past year or more, there’s another important piece of regulation on its way from Brussels, that will apply specifically to “operators of essential services” (OES). It’s known as the EU directive on the security of Networks and Information Systems (NIS). With the same huge fines of up to £17m or 4% of global annual turnover levied for non-compliance, it’s vital that you…

Post-Brexit Data Flows: Why There’ll be No Place for UK Firms to Hide from GDPR

As with most aspects of the EU, unhindered cross-border data flows are something most U.K. firms just take for granted these days. Thanks to the cloud, huge volumes of corporate data is stored in third party providers’ data centres, frequently not even in the UK. Aside perhaps from those in highly regulated sectors, corporate users don’t think twice about accessing that data, and sending it to and from partners and customers on the continent. However, the U.K.’s departure from the world’s biggest trading bloc raises new questions about the legality of such transfers. In a new report, the House of…

Brexit Means Brexit … Means GDPR Compliance

The long-awaited negotiations governing the UK’s divorce from the EU officially began on 19 June, marking arguably the most important period in the country’s history since the Second World War. What follows remains to be seen, but given Brexit is now a reality, many UK organisations may be wondering/hoping whether this means they’ll be spared the sweeping new data protection regulation directed from Brussels. As the recent Queen’s Speech has again reminded us, there will be no such reprieve for UK organisations. Brexit means Brexit, and that means firms must accelerate their EU General Data Protection Regulation (GDPR) compliance plans…

FedRAMP Compliance: Beyond the Letter of the Law

When I mention “compliance” to most people, I often get that cringe — the one that says “ugh, what a pain.” I’m empathetic to folks who are just trying to get the job done, and whose only interaction with compliance is being told somewhere along the line that they have got to jump through more hoops. But having lived information security for several years, and having previously had some experience with risk frameworks and compliance efforts, I’ve developed a different viewpoint. My colleagues in security immediately understand and connect with the statement that with compliance, “there is the letter of the…

Data Mapping: A Tricky First Step to GDPR Compliance

Last Thursday, the one year countdown to GDPR compliance officially began. For those of you still wondering what all the fuss is about, new research commissioned by Centrify has revealed that public companies suffer on average a 5% share price drop immediately following disclosure of the breach. The EU General Data Protection Regulation (GDPR) will ensure there’s no room to hide: as of 25 May 2018, if you’ve been breached you must notify the Supervisory Authority within 72 hours of becoming aware, unless particular circumstances apply. To help organisations figure out a plan of action, Centrify is running a monthly…

Five Key Takeaways from AWS re:Invent 2016

I had the honor of attending the Amazon Web Services (AWS) re:Invent 2016 and wanted to highlight some of my key takeaways from the conference. Since Centrify was a sponsor, I was able to talk with many folks with an interest in learning more about Centrify’s announcement, “Centrify Delivers Innovative Capabilities and Best Practices to Streamline and Secure Adoption of Hybrid Cloud.” 1. AWS is Innovative as a Large Company A good proxy for innovation is the number of features and products a company releases. AWS currently has tens of thousands of employees, and AWS announced 24 new products at the AWS Re-Invent show….