IT Teams – Beware of Accidental Fame Thanks to GDPR

12 October 2016

Fame is something most IT practitioners never experience, nor desire. However, this IT instinct to stay ‘below the radar’ is about to be challenged in a way many did not foresee, due to formidable EU data regulations. For those who do not exercise care, the outcome may make some IT infrastructure experts accidentally famous – in a bad way.

While the new General Data Protection Regulation (GDPR) legislation may seem a world away from IT infrastructure and IP provisioning, it is in fact much closer than many think. Starting 25th May 2018, the GDPR will mandate that a named individual assume the official role of Data Protection Officer (DPO) for their organization, responsible for reporting all known breaches within 72 hours.

This duty will be essential for all companies whose core activities involve the “regular and systematic monitoring of data subjects on a large scale” or where the entity conducts large-scale processing of “special categories of personal data”. This means that DPOs, who are as likely to have a background in law as in computer science, will be taking a renewed interest in the workings of the organization’s DNS servers.

Given that what is at stake is public ‘naming and shaming’ and the loss of corporate reputation, some businesses could be facing severe sanctions if blame can be laid at one person’s door, and it could be the IT department’s. While fellow IT colleagues may help one another out, a DPO’s first responsibility is to the local Information Commissioner’s Office (ICO). His/her duty is to report fully and accurately on any breaches, and on potential or real data exfiltration. From the DPO’s position, saving the company’s reputation alongside their own is more important than protecting a co-worker at fault (and the odds may be stacked in their favor).

Let’s take an example. You or your colleagues have probably taken your work laptop home in order to prepare for a meeting or catch up on your workload, using your personal Wi-Fi network. In some cases, laptops can become infected with malware without anyone noticing. Back at the office, the malware can begin to exfiltrate data via the DNS protocol, giving smart attackers access to confidential information. By not being careful (or simply being unaware), you or your colleagues could put your company’s line of defense at risk and potentially damage the business. This is a real worry from a security point of view, especially ahead of the new EU regulation, as data breaches could mean heavy fines.
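The DNS exfiltration scenario above is detectable from the resolver’s own query logs, because tunnelled data shows up as many distinct, long, high-entropy subdomain labels under one domain, often in TXT queries. The following is an added example written for this post (it is not code from the original article or from any vendor product) showing the kind of heuristic a defender can run over query logs. The log format, the `.example` placeholder domains, the client addresses and all thresholds are constructed assumptions for illustration; a production detector would also consult the public suffix list rather than taking the last two labels as the registered domain.

```python
"""Flag DNS tunnelling / exfiltration patterns in resolver query logs.

Heuristics (illustrative assumptions, not from the original post):
  * many distinct subdomains under one registered domain from one client,
  * long, high-entropy leftmost labels (encoded payload looks like random hex/base32),
  * a high share of TXT queries, which carry more data per exchange.
A (client, domain) pair is flagged when at least two heuristics trigger.
"""
import math
from collections import Counter, defaultdict

# Constructed sample log lines, format "<timestamp> <client_ip> <qtype> <qname>".
# Domains are placeholders under the reserved .example TLD, not real infrastructure.
SAMPLE_LOG = """\
2016-10-12T09:14:01Z 10.0.0.23 A www.example.com
2016-10-12T09:14:02Z 10.0.0.23 A mail.example.com
2016-10-12T09:14:03Z 10.0.0.23 AAAA www.example.com
2016-10-12T09:14:04Z 10.0.0.23 A cdn.example.com
2016-10-12T09:14:05Z 10.0.0.23 A api.example.com
2016-10-12T09:15:01Z 10.0.0.41 TXT 0123456789abcdef.c2-placeholder.example
2016-10-12T09:15:01Z 10.0.0.41 TXT fedcba9876543210.c2-placeholder.example
2016-10-12T09:15:02Z 10.0.0.41 TXT 13579bdf02468ace.c2-placeholder.example
2016-10-12T09:15:02Z 10.0.0.41 TXT eca86420fdb97531.c2-placeholder.example
2016-10-12T09:15:03Z 10.0.0.41 TXT 02468acefdb97531.c2-placeholder.example
2016-10-12T09:15:03Z 10.0.0.41 TXT 9f8e7d6c5b4a3210.c2-placeholder.example
"""

# Assumed thresholds; tune against a baseline of your own resolver's traffic.
MIN_UNIQUE_SUBDOMAINS = 5
MIN_MEAN_ENTROPY = 3.0      # bits per character of the leftmost label
MIN_MEAN_LABEL_LEN = 12
MIN_TXT_SHARE = 0.5


def shannon_entropy(s):
    """Bits of entropy per character; 0.0 for empty or single-character alphabets."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line):
    """Split one constructed log line into (client_ip, qtype, qname)."""
    _ts, client, qtype, qname = line.split()
    return client, qtype.upper(), qname.lower().rstrip(".")


def analyze(log_text):
    """Aggregate per (client, registered domain) and apply the heuristics."""
    stats = defaultdict(lambda: {"queries": 0, "txt": 0, "subdomains": set(),
                                 "label_lens": [], "entropies": []})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        client, qtype, qname = parse_line(line)
        labels = qname.split(".")
        # Simplification: registered domain = last two labels (no public suffix list).
        domain = ".".join(labels[-2:])
        st = stats[(client, domain)]
        st["queries"] += 1
        if qtype == "TXT":
            st["txt"] += 1
        if len(labels) > 2:
            sub = ".".join(labels[:-2])
            st["subdomains"].add(sub)
            st["label_lens"].append(len(labels[0]))
            st["entropies"].append(shannon_entropy(labels[0]))

    findings = {}
    for key, st in stats.items():
        n_sub = len(st["subdomains"])
        mean_len = sum(st["label_lens"]) / len(st["label_lens"]) if st["label_lens"] else 0.0
        mean_ent = sum(st["entropies"]) / len(st["entropies"]) if st["entropies"] else 0.0
        txt_share = st["txt"] / st["queries"]
        reasons = []
        if n_sub >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("many unique subdomains")
        if mean_ent >= MIN_MEAN_ENTROPY:
            reasons.append("high-entropy labels")
        if mean_len >= MIN_MEAN_LABEL_LEN:
            reasons.append("long labels")
        if txt_share >= MIN_TXT_SHARE and st["queries"] >= MIN_UNIQUE_SUBDOMAINS:
            reasons.append("TXT-heavy")
        findings[key] = {"unique_subdomains": n_sub, "mean_label_len": mean_len,
                         "mean_entropy": mean_ent, "txt_share": txt_share,
                         "reasons": reasons, "flagged": len(reasons) >= 2}
    return findings


if __name__ == "__main__":
    for (client, domain), f in analyze(SAMPLE_LOG).items():
        status = "FLAGGED" if f["flagged"] else "ok"
        print(f"{status:8} {client:12} {domain:28} {', '.join(f['reasons'])}")
```

Requiring two heuristics to agree keeps a CDN with a handful of hashed hostnames, or a single legitimate SPF lookup, from paging the on-call engineer; what actually gets escalated to the DPO should be decided by an analyst who has looked at the flagged client, not by the threshold alone.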

In order to comply, all businesses will have to ensure that their departments work together on gathering, handling, processing and storing data, as well as using new tools, technologies and providing security training to their staff. This could have a significant cost financially, and is what business and IT leaders are most worried about from a day-to-day operations point of view.

The good news is there is a solution to this security issue. Given that the majority of DNS servers use legacy applications that only monitor potentially harmful traffic from the outside, the case for 360° DNS security that also monitors from the inside is a strong one. Having a purpose-built layer of defense-in-depth to protect public and private DNS from both internal and external threats, regardless of attack type, is key to keeping the business safe from sloppy behaviors. At the same time, the fact that one’s own colleagues are now incentivized to share embarrassing and potentially costly DNS errors with the world is likely to focus the minds of those who ignore how GDPR is radically changing the game. After all, not every techie wants to be famous…