Insight
The GDPR in 2019: Enforcement and Penalties around the Globe
If 2018 was the year of GDPR implementation, then 2019 is the year of GDPR enforcement. Data Protection Authorities (DPAs) in Germany have started their audits, and France’s DPA, the CNIL, levied its first major fine earlier this year.
The GDPR raised the stakes for data protection around the globe. Since it took effect, a number of countries have released new legislation on penalties, ranging from hefty fines to imprisonment. It is easy for organizations to view fines as a harsh punishment, but fines and penalties show the value a government places on protecting its residents' data. The GDPR allows administrative fines of up to €20 million or 4% of worldwide annual turnover, whichever is higher, and other regulations carry fines in the millions per violation; in many of these countries, simply being non-compliant is a violation, even if there has been no data breach. As countries around the world recognize their responsibility to protect data subjects, the punishment for mishandling or compromising personal data increases.
In this post, we’ll look at how countries around the globe address penalties for data protection violations, review notable penalties, and walk through some steps your organization can take to avoid them.
Upgrading Your Internal Controls for a Hybrid Environment
Governance, Risk and Compliance (GRC) has become a key component of IT and business environments in every industry, and these environments are expanding rapidly. With the widespread adoption of cloud-based solutions, many organizations now operate a hybrid environment that mixes cloud and on-premises technologies. These hybrid environments require an updated and more complex strategy to enable a culture of continuous compliance.
To achieve an efficient and effective implementation, your GRC program should support an impact-based approach that contextualizes risk within the business and monitors risks across security models. In this post, we’ll take a look at the challenges of migrating to a cloud-based solution, the key components of an enterprise GRC system, and the best practices for maintaining compliance in a hybrid environment.
How to Use Privacy KRIs to Predict Future Risks
GDPR enforcement has kicked off, and the CCPA countdown has begun. With the threat of significant penalties for non-compliance looming, many organizations are placing a greater focus on data privacy. But is “checking the box” on compliance the only (or best) way to evaluate the effectiveness of your program?
Companies working to develop privacy programs that adapt to regulatory, industry, and technology change need a way to quantify and prioritize privacy risk. Privacy key risk indicators (KRIs) are designed to do exactly this. KRIs quantify the anticipated risks associated with an area of your privacy program, so you can prioritize risk mitigation appropriately, set clear objectives for your program, and establish a privacy risk appetite. In this post, we will look at how to apply KRIs, the different types of KRIs and how to use them, and how to design a KRI framework for your privacy program.
A New Tool for Finding Malicious JavaScript and Securely Using External Libraries
September 2019 Update: This JavaScript Security extension is now published in the BApp Store. You can install it directly within Burp, via the BApp Store tab of the Burp Extender tool.
Why compromise just one website when you can compromise a whole bunch of them all at once?
I'm sure that's what attackers were thinking in 2018 as they compromised content delivery networks (CDNs) and used them to host malicious JavaScript. And it's an effective strategy: the companies whose pages reference the compromised library unwittingly feed the attacker sensitive customer data (e.g., credit card numbers), typically have no server-side evidence of the attack, and have no reason to notice that anything has changed. Meanwhile, their customers receive the malicious JavaScript from the CDN that the "victim" companies require them to load for a smooth customer experience, and the sensitive information flows directly from the user's browser to the attacker.
Why is this so easy? Today, more sites rely on JavaScript to enhance the user experience, and they do it in a way that makes referenced libraries harder to evaluate: they use JavaScript libraries to load other JavaScript libraries into the Document Object Model (DOM) at runtime. The secondary scripts never appear in the page's HTML, so the full set of code that executes is not visible from the markup, and a subresource integrity attribute on the first script tag covers only that one resource, not anything it goes on to load.
It can be challenging to track these issues down during a penetration test, especially when you have limited time and want to deliver the highest quality results possible. To assist our partners, clients, and the security community in identifying these issues, we developed a Burp Suite extension. Burp Suite is a Java-based tool used by many security teams for web-application testing. This extension helps Burp Suite users evaluate the JavaScript a web application loads for subresource integrity and content security policy protections, while comparing observed resources against threat intelligence feeds. You can download the extension for free via the BApp Store.