It was not that
long ago that the most senior security incumbent at the time of a data breach
was not only fired ignominiously, but torn to shreds by his/her ‘peers’ as
being anything from unqualified, to incompetent, to grossly negligent.
nothing short of pariahs.
The vestiges of
this ridiculous practice are still rife (take BA for example), but things are
changing, and we all have a Recital to thank for it:
No, this is not a political statement, though I couldn’t resist a play on words that also takes a poke at nationalist imbeciles on both sides of the Atlantic.
Instead, this is about the UK’s pending/potential/who-the-hell-knows-when/if exit from the EU and its effects on international transfers of personal data to/from the UK to/from the EU. Amazingly this is still confusing to a significant portion of the population, if they have even looked into it at all. You must understand that unless you have absolutely no intention of doing business whatsoever with your soon-to-be-ex EU counterparts, it’s the UK businesses that will need to be pro-active. Well, pro-active was three years ago, but you simply must make it easy for EU-based businesses to work with you regardless of the Brexit result.
You’ll notice I said ‘when’, not if, because if you have personal data online you will, eventually, be breached in some way.
I know this because the GDPR’s definition of ‘personal data breach‘ (Art. 4(12)) does not just mean ‘hacked by a bad guy’, it means: “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed;”. This therefore includes every unauthorised action that happens to the data, including the inevitability of human error. Nothing malicious, just a simple mistake, but it’s still a breach.
That’s right, none. Not until you’ve done a LOT of homework first. Even then, the most you’ll get from me are the right questions to ask to move forward, and [eventually] help with your vendor due diligence.
Besides, true security consultants should never ‘recommend‘ a specific technology by name, let alone by vendor. Our job is to provide you options based on a detailed breakdown of the security control function gaps that require filling, which in turn were determined from the results of an appropriate risk management life cycle. i.e. [simplified]: