It’s only six weeks until the GDPR is scheduled to become operative, and Absolute has found that so many organizations are still so unprepared that even at this late date, it behooves them to introduce new readiness assessments – which their partners will be able to leverage.
With the EU’s General Data Protection Regulation [GDPR] scheduled to kick in next month, Vancouver-based endpoint visibility and control provider Absolute is announcing a new assessment service designed to help organizations adhere to the regulation by better protecting and managing endpoints where sensitive data might be stored or shared. There’s also a play in it for their channel partners.
Compared with the introduction of past regulatory regimes like SOX and PCI, the GDPR’s penalties for non-compliance are positively draconian. That, however, has led many organizations to suspect that enforcement out of the gate may be tepid at best. Chris Covell, Absolute’s CIO, said that this is a highly dangerous strategy.
“We are seeing a lot of organizations taking a ‘wait and see’ approach which we think is risky,” he said. “We are seeing an astounding lack of awareness of GDPR – including in industries that are highly regulated, like healthcare and financial services. I have been through SOX and PCI, and while in the past there has tended to be a lot of leeway at the beginning, this regulation is very aggressive. We are just over six weeks out from Day One. We do believe that there will be some changes, but that overall, the train has left the station. We are now seeing more companies deciding, at this late stage, that they can’t put this off any longer. With these new readiness services, we can meet the demand.”
Covell said that GDPR compliance is all about showing that you are protecting data, and to do that, you need to be aware of the data. Dark endpoints, which contain potentially sensitive data that organizations know nothing about, are a killer. He stressed that organizations need to be able to identify, monitor and remediate all endpoints, even those outside of the network.
“Data is paramount around GDPR,” Covell stated. “With our embedded Persistence technology, we have that ability to identify where that data might be stored or accessed or shared. What is important is being able to provide evidence that your data has not been transgressed. With our assessment and tools, organizations will be able to do that in real time. We are focused on the areas where we can provide irrefutable proof that endpoints and data are protected.”
The assessments are specifically geared to helping organizations better understand their current situation and comply with three key areas within the proposed GDPR framework: Article 32 (security of processing); Articles 33 & 34 (notification of breach to authorities and data subject); and Article 35 (data protection impact assessment). The evaluation follows industry best practices, including ISO 27002, NIST 800-53 rev.4, NIST CSF, and CIS Critical Security Controls.
“The insider threat is still the greatest danger – inadvertent behavior that is subject to social engineering,” Covell said. “You have to protect people from themselves, and part of that is using the right set of tools to quarantine in real time. We have had customers generate scripts quickly to identify points of weakness.”
Covell said another danger point in larger organizations is that they tend to have people who don’t connect regularly to the corporate network, so they don’t get updates.
“We can do all that if they are off the network, as long as they are on the Internet,” he stated.
The Assessment Services engage Absolute’s professional services group.
“We tailor our offerings for specific customers,” he said. “We typically focus on data exfiltration, whether they are on exposed endpoints. We also look at the controls the companies have on the assets. We look at the software stack to make sure it is healthy, typically around endpoint control. We look at the incident response playbook to make sure it is adequate. That’s something that needs to be rehearsed once a year – ideally twice. GDPR doesn’t necessarily judge you on whether or not you get breached. It is on how you are able to respond to the breach. Being able to respond in a cool, planned fashion is important – and it also is likely to reduce a lot of negativity in the market if you are breached.”
So where’s the partner angle in this?
“Our partners can leverage their own professional services operation, or use ours in a combined go-to-market strategy,” Covell said. “GDPR is a hot topic. The differentiator for us is being able to leverage our Persistence in the hardware, and nobody else can do that.”