I know I've said this a few times in posts, but I'll say it again.
I question whether most of the people who beat their breasts about the data breaches at BA, Target, and Marriott--and the time it took to discover them--have ever worked in enterprise networking and security.
The ICO, the UK regulator that enforces data protection compliance and levies the fines that go with it, has been busy the past couple of days.
Yesterday, it announced its intention to fine British Airways $229M US for a data breach that exposed data from 380,000 transactions.
Today, it slapped Marriott with a proposed $124M US fine for exposing 339 million customers' data.
Don't get me wrong. I absolutely believe in the strongest possible consumer data protection we can come up with. I think the GDPR is an excellent start, as long as it remains a dynamic rather than a static regulatory framework.
I'm all in favor of the--as far as I know--eighteen states that have either strengthened existing laws or, like California, created a sweeping new GDPR-like compliance standard. California's lead as the sixth-largest economy in the world will hopefully build momentum for other states to pass their own laws and, eventually, for a Federal-level law that protects all Americans and anyone doing business with us.
Now, back to my usual soapbox: if you haven't been in the trenches, you have no idea how difficult it is to protect your organization from lateral movement. If you can't see the anomalous traffic, and if literally no one knows which applications are supposed to talk to which, how can you tell when you've been exploited?
You also have very little time to react before an intrusion spreads. Nation-state actors can move from their initial foothold to their next target (their "breakout time") in as little as twenty minutes.
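To make the visibility point concrete, here is an added example (mine, not Matt's and not from the article) of the bare minimum you need: an application-relationship map of which host talks to which host on which port, learned from a clean window, and a check of new east-west flows against it. The hostnames, ports, timestamps and flow records are constructed for illustration, and the breakout-time calculation is a simple pivot heuristic I chose (first anomalous flow launched from a host that an earlier anomalous flow reached), not a standard metric.

```python
from datetime import datetime

# Constructed flow records (not from the original post): one tuple per observed
# east-west connection, (timestamp, src_host, dst_host, dst_port).
# The baseline window is assumed to be clean, i.e. captured before any intrusion.
BASELINE_WINDOW = [
    ("2019-07-01T09:00:00", "web-01", "app-01", 8443),
    ("2019-07-01T09:00:05", "web-02", "app-01", 8443),
    ("2019-07-01T09:00:10", "app-01", "db-01", 5432),
    ("2019-07-01T09:01:00", "jump-01", "web-01", 22),
    ("2019-07-01T09:02:00", "jump-01", "app-01", 22),
    ("2019-07-01T09:03:00", "app-01", "db-01", 5432),   # repeat of a known relationship
]

# Constructed detection window: normal traffic plus an intrusion that starts on web-01.
DETECTION_WINDOW = [
    ("2019-07-09T10:00:00", "web-01", "app-01", 8443),  # known relationship
    ("2019-07-09T10:00:30", "web-01", "db-01", 5432),   # web tier talking straight to the DB
    ("2019-07-09T10:05:00", "web-01", "app-01", 445),   # SMB from a web server
    ("2019-07-09T10:06:00", "app-01", "db-01", 5432),   # known relationship
    ("2019-07-09T10:19:00", "app-01", "files-01", 445), # app-01, reached at 10:05, pivots onward
]


def parse(flows):
    """Turn the raw tuples into (datetime, src, dst, port) so we can do time arithmetic."""
    return [(datetime.fromisoformat(ts), src, dst, port) for ts, src, dst, port in flows]


def learn_baseline(flows):
    """Build the application-relationship map: the set of (src, dst, port) seen in a clean window.
    This same set is what a default-deny segmentation policy would allowlist."""
    return {(src, dst, port) for _, src, dst, port in parse(flows)}


def find_anomalies(flows, baseline):
    """Return every flow whose (src, dst, port) relationship never appeared in the baseline."""
    return [f for f in parse(flows) if (f[1], f[2], f[3]) not in baseline]


def breakout_minutes(anomalies):
    """Minutes from the first anomalous flow to the first anomalous flow launched *from* a host
    that an earlier anomalous flow reached, i.e. the attacker's first hop. None if no hop is seen."""
    if not anomalies:
        return None
    ordered = sorted(anomalies)          # timestamps are unique here, so this sorts by time
    first_ts = ordered[0][0]
    reached = set()                      # hosts that anomalous traffic has already touched
    for ts, src, dst, _ in ordered:
        if src in reached:               # traffic now originates from a host we saw get hit
            return (ts - first_ts).total_seconds() / 60
        reached.add(dst)
    return None


if __name__ == "__main__":
    baseline = learn_baseline(BASELINE_WINDOW)
    anomalies = find_anomalies(DETECTION_WINDOW, baseline)
    for ts, src, dst, port in anomalies:
        print(f"{ts.isoformat()} unexpected {src} -> {dst}:{port}")
    print("breakout minutes:", breakout_minutes(anomalies))
```

Two caveats a practitioner will want: if the learning window already contains attacker traffic, the bad relationship is baked into the allowlist and never alerts, so the baseline has to be reviewed by the application owners rather than trusted blindly; and a (host, host, port) tuple says nothing about which process opened the socket, so a legitimate port carrying an illegitimate tool still looks normal to this check.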
I'd be willing to bet that most organizations, even the best funded with the best and brightest working for them, would have a difficult time doing any better than the teams at BA, Target, Marriott, or Equifax.
Now I'm adding my second soapbox on top of the first: many bemoan the "shortage" of Infosec professionals.
Don't you believe it.
If we're really being honest, there are tens of thousands of qualified people who are just "underqualified" right now, but have the drive and desire to do more.
Good leaders and managers should jump on the chance to train and mentor this next generation.
There's not a staffing shortage, really. There's a shortage of people willing to put in the time and effort.
And, on that note, my comments are longer than the article itself.
Matt's TL;DR: data privacy regulations are real, and they're only going to get more stringent. Visibility and segmentation are key to a successful strategy. Take a chance and hire someone who has the training but needs the experience.
See you all soon. Let's be safe out there.
"Marriott faces a $124 million fine for failing to protect customer data, the second major penalty proposed this week by UK regulators under Europe's tough new privacy rules."