EU data directive - a turning point for security

Organisations doing business in the EU will have to inform national information commissioners of data breaches affecting citizens within 24 hours - or risk heavy fines for not doing so

The European Commission is planning a raft of new directives on data security that commentators say will come to be seen as an important turning point. The new 24-hour data breach disclosure rules are a golden opportunity for organisations willing to embrace automation. And the directive includes a number of tough new provisions on data handling, but the element that will give security professionals the most immediate anxiety is the insistence that organisations doing business in the 27-nation European Union zone inform national information commissioners of data breaches affecting consumers or citizens within 24 hours - or risk heavy fines for not doing so.

This is a radical jump. Having been under little or no obligation to formally disclose a data breach in most EU countries, companies will suddenly be required not only to inform the authorities but do so in some detail on an accelerated timescale. Moreover, the change will affect not only companies in the EU but those doing business in it, making the directive the first de facto global data breach law. Informing the authorities that a breach has been discovered sounds straightforward. Actually, it is anything but. Assuming administrators have evidence that something has gone awry - do they have the tools to say precisely what without delay? What sort of reporting systems do they have to explain the extent of a breach? Do possible security failures have any regulatory and legal consequences and if so, what?

A major consequence of this development is that old-fashioned periodic, manual security audits and the manual configuration processes that underlie them should be viewed heading for obsolescence. Currently, security is often measured for regulatory and compliance purposes through an external audit that takes place quarterly or annually - depending on the business sector. Some organisations also perform more regular internal checks, but the design of these is open to interpretation and their frequency varies from organisation to organisation.

The reality of the data breach directive is that administrators could be asked to audit their security stance at any moment in time as a breach is uncovered, with only a few hours' notice. Referring back to an audit possibly months or weeks in the past will be useless; it will require an overview of security policies, compliance and data protection that reflects what is happening at the moment the request is made.

This makes complete sense. Can any company possibility understand its security state using an audit that is possibly months out of date? Here, the directive imposes an important level of discipline organisations should welcome. What such continuous auditing does do is render manual assessment impractical. The solution - automated auditing in real time - goes from being a useful convenience to an essential component of any security infrastructure. Today, real-time security and auditing requires that organisations integrate information from multiple types of hardware system, and across a range of vendors that generate reports through proprietary management consoles.

On top of this, any reporting infrastructure must also make sense of the flow of security data from different elements of the system - comparing this to a set of security policies. At any moment, security managers must be able to react quickly when a particular setting infringes the policy and have the means to describe what action was taken and why.

Although new reporting systems will be needed to build such an infrastructure, a key issue is whether this change from causal to mandatory and continuous auditing will be viewed positively by the people tasked with putting it into practice; the security professionals themselves. This is the biggest unknown of the data breach directive - how will professionals interpret and react to it? A recent survey of 100 network managers by Tufin sheds some light on the matter, finding that 42 per cent believe that the directive will lead to an increased risk-awareness. A third believe that their attitude towards continuous compliance has changed as a result of the new regime, with just over half convinced that automated audits would make it easier to comply with the directive.

Close up, attitudes probably vary from individual to individual and organisation to organisation; some seeing the directive as more of an aspiration, others as the medicine needed by an industry that even after a swathe of data breaches remains complacent. Far from being an imposition, the arrival of the directive could serve as a huge opportunity to impose a rational design on security that rewards the best practices and the companies willing to bring them into effect. As daunting as it appears, the directive's biggest plus is its scope, which imposes the same rules across the 27-nation EU zone and beyond.

This creates short-term hurdles, but the pay-off is potentially huge. For the first time, multi-national bodies will no longer have to interpret a confusing array of data breach and protection rules in different territories - allowing for the sort of policy centralisation that can enhance security. For the first time, everyone will be playing by the same rules based on a swift response. The world of manual, ad-hoc auditing was always one based on assumptions about risk. Now, suddenly, much less certainty is attached to them. In a world of uncertain security, there is no longer time to waste. It is critical that organisations approach the toughness of the directive head on using the right tools and processes, with automated auditing at the fore.

Shaul Efraim is vice-president of products, marketing and business development at Tufin Technologies