While the General Data Protection Regulation (GDPR) isn’t explicit about all of the actions you must take to protect customer data, there are a few basic technologies you should put in place. In parts one and two of this series, we covered application security, mail protection, and application whitelisting. This blog addresses additional quick wins including patch management, administrative privilege rules, and full-disk encryption.
Staying current with patching is one of the most effective ways to prevent data breaches. The WannaCry and NotPetya ransomware outbreaks of 2017 showed the consequences of missing a critical patch: the fix for the SMB vulnerability both exploited (MS17-010) was available before either attack. Organizations infected through the EternalBlue exploit and the DoublePulsar backdoor were one patch away from preventing the infection, and they had 58 days to apply it. More recently, attackers began exploiting a published vulnerability in Apache® Struts within days of its public disclosure.
We have seen what happens when organizations fail to apply security patches quickly, especially patches for vulnerabilities under active exploitation. Two reports illustrate the scale of the problem:
NopSec®, a vulnerability risk management firm, compiled 20 years' worth of data for its report "2015 State of Vulnerability Risk Management," and the picture it paints of enterprise vulnerability management is dismal:
The average time to fix a security vulnerability is 103 days, but it varies widely by industry: cloud providers respond fastest (50 days), healthcare organizations take 97 days, and financial services and education organizations take a worrying 176 days to remediate.[1]
A 2016 SANS research paper sponsored by Qualys, Inc., a provider of cloud-based security and compliance solutions for businesses of every size, concludes that effective security requires fixing "critical vulnerabilities in one day, because risk reaches moderate levels at the one-week mark and becomes high when a vulnerability remains in a critical system for a month or longer. Among respondents, 10% reported being able to remediate critical vulnerabilities in 24 hours or less."[2]
A one-day patch cycle is ambitious and taxes the resources of even the most security-conscious MSP. But when exploitation of the Apache Struts vulnerability began within days of disclosure, that is the window MSPs have to work with for internet-facing systems and for flaws known to be under active exploitation, and in a complex environment hitting it takes a deliberate effort. For the rest of the estate, automated weekly patching keeps most opportunistic exploits at bay, provided you can also push an out-of-band update the day an actively exploited vulnerability is announced.
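The following PowerShell is an added example, not code from the original post or from SolarWinds MSP. It turns the SANS-style policy above into a check an MSP technician can run on a managed Windows endpoint: pending updates are pulled from the Windows Update agent and flagged when their age exceeds a per-severity SLA (one day for Critical, the weekly cycle for everything else). The SLA thresholds, the function names, and the sample update records (with placeholder KB numbers) are assumptions made for the example.

```powershell
# Added example (not from the original post): triage pending Windows updates
# against a patch SLA. Thresholds in days are assumptions; adjust to your policy.
$PatchSla = @{ Critical = 1; Important = 7; Moderate = 7; Low = 30; Unspecified = 7 }

function Get-PendingUpdate {
    # Live query of the Windows Update agent on the local host (needs WU connectivity).
    $session  = New-Object -ComObject Microsoft.Update.Session
    $searcher = $session.CreateUpdateSearcher()
    $result   = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0")
    foreach ($u in $result.Updates) {
        $sev = if ($u.MsrcSeverity) { $u.MsrcSeverity } else { 'Unspecified' }
        [pscustomobject]@{
            Title    = $u.Title
            KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Severity = $sev
            Released = $u.LastDeploymentChangeTime
        }
    }
}

function Get-OverdueUpdate {
    # Compares each pending update's age to the SLA for its severity.
    param(
        [Parameter(Mandatory)] [object[]] $Updates,
        [datetime] $Now = (Get-Date)
    )
    foreach ($u in $Updates) {
        $sev = if ($PatchSla.ContainsKey($u.Severity)) { $u.Severity } else { 'Unspecified' }
        $age = ($Now - $u.Released).Days
        [pscustomobject]@{
            Title    = $u.Title
            KB       = $u.KB
            Severity = $sev
            AgeDays  = $age
            SlaDays  = $PatchSla[$sev]
            Overdue  = $age -gt $PatchSla[$sev]
        }
    }
}

# Constructed sample records (placeholder KB numbers) so the triage logic can be
# exercised without a Windows Update connection. The first is 3 days old and
# Critical, so it is overdue; the second is 2 days old and Important, so it is not.
$sample = @(
    [pscustomobject]@{ Title = 'Security Update for Windows (KB0000001)'; KB = 'KB0000001'; Severity = 'Critical';  Released = (Get-Date).AddDays(-3) }
    [pscustomobject]@{ Title = 'Cumulative Update (KB0000002)';            KB = 'KB0000002'; Severity = 'Important'; Released = (Get-Date).AddDays(-2) }
)
Get-OverdueUpdate -Updates $sample | Format-Table -AutoSize

# On a live host, replace the sample with the real pending list:
# Get-OverdueUpdate -Updates (Get-PendingUpdate) | Where-Object Overdue
```

Running this from your RMM on a schedule gives you the "one patch away" list per host; anything Critical and overdue is the out-of-band work for today, and the weekly cycle handles the rest.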
The "managed" in managed services provider means you are responsible for your customers' systems. Yet MSPs sometimes hand that responsibility away by granting admin privileges to their customers' employees, putting the business at risk.
A 2016 research report from Avecto®, a vendor of endpoint privilege management software, shows the security value of restricting administrative privileges at both the local and domain level. An MSP that does not revoke admin rights from ordinary users leaves an avoidable exposure in place.
Avecto counted, "530 vulnerabilities affecting Microsoft® products in 2016, and of these, 189 were of critical severity. Still, 94 percent of them could be mitigated by removing users' admin rights. Also, 66 percent of all Microsoft vulnerabilities reported in 2016 could be mitigated by removing admin rights."[3]
What does locking down admin privileges buy you? It blunts tech support scams: a user without admin rights cannot install the remote-control tools and fake "repair" programs that scammers talk victims into running (combined with the application whitelisting covered in part two, it also blocks the per-user installs that need no elevation at all). It also stops users from installing software that is free for personal use but requires a license for business use, which can lead to fines during a software audit.
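The following PowerShell is an added example, not code from the original post or from Avecto. It shows the concrete form of "revoking admin rights" on a managed Windows endpoint: enumerate the local Administrators group, compare each member against an approved list, and remove everyone else. The approved names (a hypothetical CORP domain and an MSP technician group) and the function names are assumptions; the cmdlets are the standard Microsoft.PowerShell.LocalAccounts module shipped with Windows 10 and Server 2016 and later.

```powershell
# Added example (not from the original post): audit the local Administrators
# group and strip every member not on an approved list. Run elevated.
# The names below are assumptions; substitute your own domain and groups.
$Approved = @(
    'Administrator',               # built-in local admin (rename/disable per policy, but keep it out of the removal path)
    'CORP\Domain Admins',          # hypothetical domain
    'CORP\MSP-Endpoint-Admins'     # hypothetical MSP technician group
)

function Get-UnapprovedLocalAdmin {
    param([string[]] $ApprovedNames = $Approved)
    Get-LocalGroupMember -Group 'Administrators' | Where-Object {
        # Local accounts come back as COMPUTERNAME\user; compare the bare name for
        # those and the fully qualified DOMAIN\name for directory principals, so a
        # domain user who happens to be called "Administrator" is not waved through.
        $name = if ($_.PrincipalSource -eq 'Local') { $_.Name.Split('\')[-1] } else { $_.Name }
        $ApprovedNames -notcontains $name
    }
}

function Remove-UnapprovedLocalAdmin {
    [CmdletBinding(SupportsShouldProcess)]
    param([string[]] $ApprovedNames = $Approved)
    foreach ($m in Get-UnapprovedLocalAdmin -ApprovedNames $ApprovedNames) {
        if ($PSCmdlet.ShouldProcess($m.Name, 'Remove from local Administrators')) {
            Remove-LocalGroupMember -Group 'Administrators' -Member $m.Name
            Write-Output "Removed $($m.Name) ($($m.ObjectClass), $($m.PrincipalSource), SID $($m.SID))"
        }
    }
}

# Report first, then remediate; -WhatIf shows what would be removed without touching anything.
Get-UnapprovedLocalAdmin | Format-Table Name, ObjectClass, PrincipalSource -AutoSize
Remove-UnapprovedLocalAdmin -WhatIf
# Remove-UnapprovedLocalAdmin            # the real thing, once the report looks right
```

Keep the approved list short and group-based; a user who genuinely needs elevation for one task is better served by a time-limited membership or a privilege management tool than by a permanent seat in this group.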
Kensington®, a maker of desktop and mobile device accessories, puts the real cost of a lost or stolen mobile device (laptop, tablet, or smartphone) at more than $49,000 per device.[4] Little of that is the hardware or software. Replacement and lost productivity account for some of it, but the bulk comes from the exposed data, which can bring large fines, and those fines can grow higher under GDPR.
In April 2017, CardioNet® paid a $2.5 million HIPAA penalty over a stolen laptop holding roughly 1,400 patient records. The device did not have full-disk encryption, so the theft was a reportable breach.[5] That is far more than the price of the hardware, software, and lost productivity combined.
It is hard to understand why the IT staff looking after CardioNet did not simply turn on full-disk encryption, since it ships with the operating system (BitLocker on the Pro, Enterprise, and Education editions of Windows, FileVault on macOS). If you are serious about mitigating data loss on your customers' mobile devices, deploy full-disk encryption to them now, and escrow the recovery keys somewhere the MSP controls, so that a forgotten PIN or a failed motherboard does not turn the safeguard into a data loss of its own. It could have saved CardioNet a $2.5 million penalty.
GDPR applies from May 2018, and businesses will need to do more to protect personal data. By patching faster, controlling administrative privileges, and turning on full-disk encryption, MSPs can reduce the risk of a data breach and of hefty fines.
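The following PowerShell is an added example, not code from the original post or from Microsoft. It enables BitLocker on the Windows system volume the way an MSP should: a recovery password is created and escrowed to Active Directory before encryption starts, so the device can always be recovered, and the volume is then bound to the TPM. It assumes Windows 10 or later Pro/Enterprise with the BitLocker and TrustedPlatformModule modules, an elevated session, a domain-joined machine whose Group Policy permits recovery-key backup to AD, and a function name chosen for this example; for Azure AD-joined devices swap the escrow step for BackupToAAD-BitLockerKeyProtector.

```powershell
# Added example (not from the original post): enable BitLocker on the OS volume
# with TPM protection, escrowing the recovery password first. Run elevated.
function Enable-OsVolumeEncryption {
    param([string] $MountPoint = $env:SystemDrive)   # normally C:

    # A TPM is what lets the disk unlock without user interaction; without one,
    # fall back to a password or startup-key protector rather than skipping encryption.
    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw "TPM not present or not ready on this device; use a password or startup-key protector instead."
    }

    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.VolumeStatus -ne 'FullyDecrypted') {
        return $vol      # already encrypted or in progress; nothing to do
    }

    # 1. Create the recovery password before anything locks the volume.
    Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # 2. Escrow it to Active Directory (assumes the AD schema and GPO for BitLocker
    #    recovery are in place). -ErrorAction Stop fails closed: no escrow, no encryption.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop

    # 3. Bind the volume to the TPM and start encrypting. -UsedSpaceOnly is fast on
    #    freshly imaged machines; drop it on drives that previously held data so free
    #    space with old file remnants is encrypted too. -SkipHardwareTest avoids the reboot test.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest

    Get-BitLockerVolume -MountPoint $MountPoint
}

Enable-OsVolumeEncryption |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus
```

Report ProtectionStatus from your RMM: a volume that is encrypted but shows ProtectionStatus "Off" (protectors suspended, typically after a firmware update) is, for a stolen laptop, no better than an unencrypted one.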
1. “Organizations Take Too Long to Fix Security Vulnerabilities,” BetaNews. https://betanews.com/2015/06/02/organizations-take-too-long-to-fix-security-vulnerabilities/ (accessed October 2017).
2. “Overwhelmed by Security Vulnerabilities? Here’s How to Prioritize,” Qualys, Inc. https://blog.qualys.com/news/2017/01/17/overwhelmed-by-security-vulnerabilities-heres-how-to-prioritize (accessed October 2017).
3. “Removing Admin Rights Mitigates Most Critical Microsoft Vulnerabilities,” Help Net Security. https://www.helpnetsecurity.com/2017/02/23/removing-admin-rights/ (accessed October 2017).
4. “Mobile Device Security: Startling Statistics on Data Loss and Data Breaches,” ChannelPro Network. http://www.channelpronetwork.com/article/mobile-device-security-startling-statistics-data-loss-and-data-breaches (accessed October 2017).
5. “Stolen Laptop Leads to $2.5 Million HIPAA Breach Penalty,” MSPmentor. http://mspmentor.net/mobile-device-management/stolen-laptop-leads-25-million-hipaa-breach-penalty (accessed October 2017).
This document is provided for informational purposes only and should not be relied upon as legal advice or to determine how the EU General Data Protection Regulation (GDPR) may apply to you and your organization. We encourage you to work with a legally qualified professional to discuss GDPR, how it applies to your organization, and how best to ensure compliance. SolarWinds MSP makes no warranty, express or implied, or assumes any legal liability or responsibility for the information contained herein, including the accuracy, completeness, or usefulness of any information.
© 2018 SolarWinds MSP UK Ltd. All rights reserved.