Proposed EU Data Protection Fines Push the Lack of Breach Detection Capabilities into the Light
January 26, 2012
Recently proposed updates to the European Union’s data protection rules may force companies in the U.S. and abroad to take a hard look at solutions that tell them when they have been breached. According to a WSJ article, the proposed updates will affect U.S. companies that “are active in the EU and offer their services to EU citizens”.
Of specific note is the requirement to notify authorities and customers of data breaches within 24 hours. Breach notification laws are not new and there are notification statutes in the U.S. at the state level. But the breadth of the EU provisions, the 24-hour requirement, and the fines for noncompliance have seriously amplified the debate.
In particular, the 24-hour requirement has companies really nervous. This is justified when you consider that the Verizon Business “2011 Data Breach Investigations Report” showed that less than 5% of data breaches were discovered in the first 24 hours. An article on the EU updates in CSO Online leads with the subheading “Many companies don’t have the sophisticated systems for identifying breaches in the first place”.
I have no sympathy here. There are solutions that can detect an intrusion into corporate systems within minutes of the infiltration, so the lack of capability is not from a lack of technology. Companies have long settled for shielding the perimeter with traditional approaches to defense from the usual suspects of IT security. Forgive my lack of compassion, but the EU requirements are the bill coming due for stubbornly sticking with old approaches to new problems and blindly relying on the large IT security vendors rather than considering innovative solutions.
In the interest of disclosure, Triumfant does provide a solution that will detect a breach within minutes of the infiltration. Triumfant is not a DLP tool, but what Triumfant will do is quickly detect an attack that gets past the company’s shields and provide a very detailed analysis of the attack within minutes. Triumfant uses change detection and contextual analytics to detect the attacks that evade other security software, making Triumfant able to detect new malware attacks, detect targeted attacks, and detect the advanced persistent threat. Security professionals tell me that the analysis Triumfant returns would take a seasoned security professional hours or days to produce. We call this Rapid Detection and Response: the ability to detect the problem, provide actionable analysis, and remediate the attack within minutes of the infection. Once the point of entry is identified, the company can then determine if data has been compromised, and if so, the extent of that compromise.
Companies continue to ignore the realities in front of them (such as the 5% statistic) and continue to pour their resources into shields. Plugging another appliance into the network or installing another solution that requires prior knowledge to detect attacks won’t fix the problem. Nor will blindly trusting the large IT security companies.
The time to look beyond traditional approaches and the usual suspects has not only come, it has passed. Companies have resisted change for reasons only they know, but I suspect they are not willing to look past traditional approaches and embrace technologies that re-write their perceptions of how IT security tools work.
The EU requirements are not causing the problem; they are pushing the problem into the light. And in doing so, they are also dragging into the light the companies that have too long ignored the changing realities of security. Companies that were unwilling or unable to step into the light themselves.