
As EU privacy law looms debate swirls on cybersecurity, compliance concerns

Just ahead of the implementation of a sweeping European privacy law tomorrow (May 25), debate is swirling on whether the measure will have negative consequences for cybersecurity and whether companies will be ready to comply with the new law.

technology
By AFP

Thursday 24 May 2018, 11:01AM


Fewer than 1 in 3 companies say they'll be ready for the GDPR compliance deadline next week, according to new research from ISACA. Graphic: Business Wire

The controversy is about the so-called internet address book or WHOIS directory, which up to now has been a public database identifying the owners of websites and domains.

The database will become largely private under the forthcoming General Data Protection Regulation set to take effect May 25, since it contains protected personal information.

US government officials and some cybersecurity professionals fear that without the ability to easily find hackers and other malicious actors through WHOIS, the new rules could lead to a surge in cybercrime, spam and fraud.

Critics say the GDPR could take away an important tool used by law enforcement, security researchers, journalists and others.

The lockdown of the WHOIS directory comes after years of negotiations between EU authorities and ICANN, the nonprofit entity that administers the database and manages the online domain system.

ICANN – the Internet Corporation for Assigned Names and Numbers – approved a temporary plan last week that allows access for “legitimate” purposes, but leaves the interpretation to internet registrars, the companies that sell domains and websites.

Assistant Commerce Secretary David Redl, who heads the US government division for internet administration, last week called on the EU to delay enforcement of the GDPR for the WHOIS directory.

"The loss of access to WHOIS information will negatively affect law enforcement of cybercrimes, cybersecurity and intellectual property rights protection activities globally," Redl said.

Rob Joyce, who served as White House cybersecurity coordinator until last month, tweeted in April that "GDPR is going to undercut a key tool for identifying malicious domains on the internet," adding that "cyber criminals are celebrating GDPR."


Negative consequences?

Caleb Barlow, vice president at IBM Security, also warned that the privacy law "may well have negative consequences that, ironically, run contrary to its original intent."

Barlow said in a blog post earlier this month that "cybersecurity professionals use (WHOIS) information to quickly stop cyberthreats" and that the GDPR restrictions could delay or prevent security firms from acting on these threats.

James Scott, a senior fellow at the Washington-based Institute for Critical Infrastructure Technology, acknowledged that the GDPR rules "could hinder security researchers and law enforcement."

"The information would likely still be discoverable with a warrant or possibly at the request of law enforcement, but the added anonymization layers would severely delay" the identification of malicious actors.

Some analysts say the concerns about cybercrime are overblown, and that sophisticated cybercriminals can easily hide their tracks from WHOIS.

Milton Mueller, a Georgia Tech professor and founder of the Internet Governance Project of independent researchers, said the notion of an upsurge in cybercrime stemming from the rule was "totally bogus."

"There's no evidence that most of the world's cybercrime is stopped or mitigated by WHOIS," Mueller said.

"In fact some of the cybercrime is facilitated by WHOIS because the bad guys can go after that information too."

Mueller said the directory had been "exploited" for years by commercial entities, some of which resell the data, and authoritarian regimes for broad surveillance.

"It's fundamentally a matter of due process," he said.

"We all agree that when law enforcement has a reasonable cause, they can obtain certain documents, but WHOIS allows unfettered access without any due process check."


Global ripple effect

The new data protection rules that enter into force tomorrow (May 25) are already having an impact around the world as firms, including in the United States and China, move to comply.

While all firms globally are required to comply with the provisions of the General Data Protection Regulation (GDPR) when it comes to the data of Europeans, the rules may have a wider impact if firms decide to extend the protections to all users.


Major US platforms such as Facebook, Twitter, Instagram and Airbnb have begun to notify their users in Europe of modifications of their user terms in order to comply with the new EU rules.

Under the GDPR, a user's consent to a firm's use of their personal data must be freely "given, specific, informed and unambiguous".

Facebook has recently begun asking its European users to approve the use of their data in order to provide them with more pertinent advertisements, as well as permission for facial recognition.

But it is still not clear which US firms will apply GDPR to all their users and which will do so only for Europe.

"We intend to make all the same controls and settings available everywhere, not only in Europe," Facebook's chief executive Mark Zuckerberg told reporters last month as the crisis exploded over the use of user data for political purposes by the firm Cambridge Analytica.

"Is it going to be exactly the same format? Probably not," he added.


Compliance concerns

According to a new global survey conducted by ISACA last month, only 29% of companies will be ready when the new EU privacy law comes into effect. ISACA’s GDPR Readiness Survey provides a near-real-time look at readiness levels, top compliance barriers and expected readiness timeframes.

GDPR, a regulation out of the European Union, impacts entities doing business in or with the EU starting 25 May 2018. Not only are most unprepared for the deadline, but only around half of the companies surveyed (52%) expect to be compliant by end-of-year 2018, and 31% do not know when they will be fully compliant.

According to ISACA’s research, the top five challenges related to GDPR compliance are:

• Data discovery and mapping (59%)

• Prioritizing GDPR compliance among other business priorities (47%)

• Organizational education and change programs (45%)

• Ensuring cross-departmental collaboration and buy-in (42%)

• Preparation for data subject access or deletion requests (37%)

Among the survey’s most concerning findings is the level of employee education on GDPR and their role in compliance. Only 39 percent of respondents say their organizations’ employees have been educated to a satisfactory level about their responsibilities to maintain GDPR compliance.

“Employee awareness and education are critical components of ongoing GDPR compliance,” said Chris K. Dimitriadis, Ph.D., CISM, CRISC, CISA, past board chair of ISACA and chair of ISACA’s GDPR Working Group. “Awareness of – and commitment to – well-defined security, data management, and privacy policies and procedures clearly need to be an integral part of every organization’s culture, from the top down.”

The good news is that the majority of executive leaders recognize the importance of GDPR and its implications. According to the ISACA data, nearly 7 in 10 respondents (69 percent) believe their organization’s executives have made becoming GDPR-compliant a priority.

Organizations also expect to achieve significant benefits from GDPR compliance. The top three anticipated positive outcomes are:

• Greater data security (60%)

• Improved business reputation (49%)

• Marrying data security best practices with corporate culture (43%)

“One of the most practical and cost-effective ways organizations can support GDPR and other compliance requirements is to help employees understand the business value of the information they deal with on a regular basis,” said Tim Upton, CEO at TITUS, which sponsored ISACA’s survey and research report.

“That way, employees become more aware of their responsibilities when it comes to handling and protecting data within the flow of work, providing added value to the ways organizations earn and maintain the trust of customers and employees.”
