Channel: Symantec Connect - Blog entries

Dropdown List Component Excludes Duplicate Entries


When using a DropDown list component in Workflow forms, the component does not always display all items included in the configured array variable. The component has a duplicate-filtering element built into its function, such that, if the field being displayed matches that of other elements, all duplicate elements are removed.

For example, if the drop down list component is configured using an array of text items as follows:

Text1
Text2
Text3
Text2
Text2

The drop down list component will display the following options:

Text1
Text2
Text3

The duplicate Text2 options would be omitted.

This defect will be addressed in a future build. As a workaround, ensure the entries for the display field selected in the drop down list component have unique entries for all items in the array.


Symantec Threat Intel feed

Reducing Insider Threats in a New Administration


From Edward Snowden and Chelsea Manning to every honest employee within an agency, insider threats – whether intentional or not – pose a tremendous risk to government. Look no further than the recent WikiLeaks release of CIA documentation.  Although the organization has not identified the source of those documents, it did say that the documents had been “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” This type of information has a tremendous impact on our national security.

Managing insider threats has been a major mission of security professionals for years. President Obama signed an executive order to curb insider threats; the National Counterintelligence and Security Center has a task force focused exclusively on mitigating insider threats; and Congress continually pushes legislation to limit and punish those involved in insider compromise. But, the threat of a breach as a result of an insider is not always malicious. In fact, simple negligence by an unknowing employee could cause just as much damage.

Also, consider all the Shadow IT infiltrating government systems. From Box to Dropbox to 4shared, employees are accessing unauthorized applications at will, causing headaches, or should I say migraines, for government IT professionals.

The administration should consider all of these factors as it puts together a strategy for defending against insider threats, and this must be a key part of the administration’s cybersecurity plan.

The best weapon in the fight against insider threats is data loss prevention (DLP), a capability that protects data at rest, in motion and in use. Let’s look at some of the key aspects of DLP and why it is such an effective tool against insider threats.

Securing a BYOD environment. Government has worked to introduce bring your own device (BYOD) programs as a way to incentivize potential employees and simply make the government work more efficiently. Security teams can now manage BYOD policies while securing confidential data. Tools can monitor email being downloaded to a native mail app on employee-owned devices and create an inventory of confidential data being stored on them. This tool provides visibility into mobile data loss risk and quickly pinpoints exposures if mobile devices are lost or stolen.

Gain insight into hidden data. Many agencies encrypt data, which is an excellent best practice to use. DLP can look into those encrypted files stored on agency servers and identify what confidential data is stored. This allows managers to know when valuable data is either accidentally leaked or when malicious insiders try to steal valuable intellectual data by encrypting it first in order to avoid detection.

Finding high risk insiders. Not all users are created equal. Some never access valuable data, while others work with it all the time. How do you find something out of the norm? With risk summary reports, DLP systems combine endpoint and network events by user to help identify abnormal behavior patterns for high-risk individuals. While some data loss comes from well-meaning stakeholders – employees, contractors, etc. – these summaries help show the malicious insiders that pose a significant threat to higher-value data.

Insider threats are one of the most difficult aspects of cybersecurity to prevent, but one that is most likely to hurt a new administration. With the right DLP strategies, though, the government can mitigate these threats before they cause a problem. For more information on the benefits of an effective DLP solution, click here.


New self-help resources for Endpoint Protection


Symantec Support is introducing a comprehensive set of self-help resources called Support 101.

Support 101 is designed to help you with the most common questions or issues when installing, configuring, or managing Endpoint Protection.

Topics for Endpoint Protection* include:

To access the full set of resources for Endpoint Protection, visit https://support.symantec.com/en_US/endpoint-protection.html.

*other products coming soon.

Feedback

We value your opinion. If you have any feedback for improving the knowledge base, please let us know by replying directly to this thread.

You can also suggest improvements within individual knowledge base articles by clicking "Did this article resolve your issue?" Your feedback is then reviewed and acted upon by our support agents as part of a regular review process.

WEBINAR: Symantec IT Management Suite 8.1 & Ghost Solution Suite 3.2 Launch

Webinar: May 18, 2017 (8:00 AM PST / 11:00 AM EST)

WEBINAR:  Symantec IT Management Suite 8.1 & Ghost Solution Suite 3.2 Launch

DATE: May 16, 2017 

TIME: 8:00 AM (PST) / 11:00 AM (EST)

Symantec IT Management Suite 8.1 and Ghost Solution Suite 3.2 are here! Please join us for a special webcast on Tuesday, May 16 to learn how these new solutions will make your life easier. 



We will discuss and demo some of the cool new features such as streamlined processes for updating Windows 10 and Office 365, peer-to-peer content distribution, Mac profile management, and much more! 



We will also have a panel of ITMS 8.1 early adopter customers who have already upgraded to IT Management Suite to share their experiences so you can learn all the do's and don'ts of a successful upgrade. 



Don't miss this great opportunity to get the latest information on IT Management Suite 8.1 and Ghost Solution Suite 3.2! 



Register Today (Click Here)

Symantec CA Continues the Public Dialogue


We believe that we have put forward a proposal [1] that provides the highest level of transparency and reassurance of trust in active SSL/TLS certificates available in the industry.  We also believe that our proposal avoids the imposition of significant compatibility and interoperability risks, as well as customer business disruption, which would result from any proposal that limits the trust of existing Symantec SSL/TLS certificates, imposes shorter validity periods on newly issued Symantec certificates, and/or removes EV recognition for our certificates in browsers. This post responds to comments about our proposal made by Ryan Sleevi in his post summarizing Google’s discussions with Symantec [2] and by Gervase Markham in his draft proposal on behalf of Mozilla [3].

     1.  We are confident in our issuance processes and in the additive protection measures already in place, which is why we are conducting extensive audits that will be made public as outlined in our proposal. We have proposed audits that go far beyond the scope of traditional WebTrust for CAs and Baseline Requirements audits.

          a.  In the case of EV certs we will have an external auditor examine 100% of the active EV certificates issued. We are confident in our processes and a full, detailed external audit is the best mechanism we are aware of to showcase this.

          b.  In the case of our SSL/TLS RA program, we have taken the most conservative action possible: we have shut it down. Additionally we have almost completed our revalidation of every active certificate that our former TLS RA partners have authenticated. As of May 4, 2017, the status of the revalidation or review of the active certificates authenticated by our former TLS RA partners is as follows:

[Image: CA response chart (status of revalidation of RA-authenticated certificates as of May 4, 2017)]

* The certificates in the “Errors” column of the table above, which we have revoked and replaced, were due to spelling mistakes in information in the organization name, imprecise values in locality (e.g. related to the name change of Distrito Federal to Ciudad de Mexico, similar to those called out by other CAs and considered acceptable exceptions to the Baseline Requirements by Google [4] and Mozilla [5]), or instances where we did not receive sufficient documentation to substantiate subject information. In the case of Certisur, after receipt of additional substantiating information and further review, we concluded that 6 of the revoked certificates were compliant with the Baseline Requirements and satisfied Symantec policies.

          c.  Further, we have proposed to have an external auditor revalidate all of our work described in the table above with RAs and make that report public. For clarity, we are not proposing an audit that is subject to standard audit sampling practices, but rather third party review and validation of 100% of these active, RA-validated certificates.

     In addition, we previously added extensive controls to our issuance process in response to the 2015 test certificate mis-issuance incident documented here [6]. This included an automated compliance checking engine that blocks non-compliance with the Baseline Requirements.

     Moreover, the additional transparency we are already providing by logging all certificates issued to Certificate Transparency logs – including DV and OV – is a practice that the rest of the industry has yet to adopt. This transparency effort included explicitly providing to Google for whitelisting the certificates that were issued by Symantec prior to us fully deploying CT support.

     Finally, we have proposed moving to quarterly WebTrust audits going forward to provide the community with even more frequent updates on the reliability of our processes.  

     These measures are designed to demonstrate the integrity of our active certificates and to provide timely visibility into the integrity of our future certificate issuances. A third party review of all (100%) active EV and RA-issued certificates is at the extreme end of transparency and we believe such reviews will assure the community about our issuance practices.

     2.  Mr. Sleevi has set forth a second proposal that involves Symantec outsourcing its SSL/TLS issuance to a third party. We have evaluated this sub-CA proposal and believe it is unwarranted and not proportional to the actual or perceived risk that is mitigated under our proposal. We believe our issuance processes are sound and that the transparency initiatives outlined above – specifically, published reports from our third party audits that we expect to complete by August 31, 2017 – will confirm this for the community. Until the audit results are available for public review, we think it is premature to suggest that Symantec consider any such sub-CA proposal.

     3.  While we recognize that shorter validity certificates may reduce exposure to certain security risks, we believe any such change must be consistent across the entire CA industry and be phased in over a period of time taking into consideration existing barriers to adoption. Both Mr. Sleevi (in his latest proposal) and Mr. Markham propose a 13-month validity limit for Symantec certificates. Limiting Symantec’s ability to issue longer-lived certificates while not imposing that same limit on other CAs is uniquely punitive to Symantec’s CA business and unjustified. We also do not believe that a 13-month validity limit should be imposed on the CA industry at this time – a conclusion that is reinforced by the recent CA/Browser Forum vote rejecting ballot 185, which proposed to limit the maximum validity of SSL/TLS certificates issued by all CAs to 13 months. As we have stated in our public response, many enterprises are not at the level of automation maturity necessary to practically and cost-effectively adopt shorter validity certificates. For these organizations, standardizing on shorter validity certificates would present substantial increases in their operating costs. A significant percentage of our active certificates have a validity period greater than 13 months. We have heard from many customers that they will move to another CA if a major browser limits the validity of Symantec certificates to 13 months or less to avoid the operational burden of replacing certificates more frequently – particularly when commercial alternatives exist. If this action is taken exclusively against Symantec, it will create significant disruption for hundreds of thousands of customers / users and will harm our CA business.

          In light of the difficulty of currently operationalizing the replacement cycle of short-lived certificates for many of our customers, we have proposed 9-month domain revalidation of all of our certificates. An initial certificate validation is one level of authentication. Certificate domain revalidation post-deployment further extends the trustworthiness of the initial certificate, which is a positive extension of the CA trust model.  This 9-month domain revalidation proposal is intended to supplement our proposed expanded offering of shorter validity certificates for those customers for whom it would be a significant burden to adopt them. We’ve proposed reporting our revalidation findings externally and, working with the browser community, we believe we can establish appropriate transparency mechanisms (e.g. through an OCSP extension or a signed revalidation list) that provide an attestation to this revalidation and ensure accountability of our implementation of this action.  We’ve also proposed continuing our investments in automation to enable organizations with even the most complex infrastructure to practically and cost-effectively adopt shorter validity certificates.  

     4.  Portions of Mr. Sleevi’s sub-CA proposal were redacted and he mentioned that Symantec shared additional details with Google during our joint meetings that Symantec did not make public in its response. In our private discussions with Google, we shared key elements of our current solution roadmap, which, as a normal evolution of our business, includes enhancing our issuance platform to create a competitive advantage in the marketplace. We publicly highlighted our investments in this area in our proposal as part of our discussion of automation and supporting shorter validity certificates – specifically, “[o]ur near term investments will focus on modernizing our certificate issuance systems and workflows to enable faster issuance, and developing tools that enable customers to rapidly and securely implement their certificates and configure their systems.” We intend to keep the community informed about our progress here as part of the quarterly updates we have proposed to deliver to the community.

In summary, we believe our proposal provides the most open and transparent posture of any CA in the industry and reassures trust in active Symantec certificates and our current issuance practices. Our proposal also mitigates the significant compatibility and interoperability risks, as well as customer burden, which would result from any proposal that limits the trust of existing Symantec SSL/TLS certificates, imposes shorter validity periods on newly issued Symantec certificates, and/or removes EV recognition for our certificates in browsers.

We understand our role as a key player in the trust ecosystem of the Internet and take it very seriously, including the obligation to follow the compliance frameworks set forth by the CA/Browser Forum and browser root programs.  We believe the error rate of our issuances is low compared to our peers and we welcome objective third party information that puts this into context. While third party, comparative data from Netcraft supports our position that our certificate issuances are equal to or better than other CAs, we always work to do better.

We encourage the community to consider objective, comparative results of our processes with others along with the merits of our proposal. It is important that any actions taken by Google and Mozilla don’t overreach and result in unnecessary business disruption to customers and users of sites that rely on Symantec SSL/TLS certificates. We believe careful and deliberate consideration of the strengths and weaknesses of Symantec’s proposal as compared to those proposed by Google and Mozilla requires more time than has been implied by Mr. Markham and should involve more feedback from the affected stakeholders in the Internet ecosystem than has been received to date.  To that end, we recommend that Google and Mozilla take the time to proactively reach out to the enterprises whose voice is greatly underrepresented in these forums to truly understand the customer use cases we have described and the reasoning behind our proposal.

[1]: https://www.symantec.com/connect/blogs/symantec-ca-proposal

[2]: https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/lOHrTr97Qx0/2IkcSGq9AQAJ

[3]: https://groups.google.com/forum/#!msg/mozilla.dev.security.policy/IZYmm8zsSKU/vwPIi2L1AgAJ

[4]: https://groups.google.com/d/msg/mozilla.dev.security.policy/DgeLqKMzIds/x-Rj2AgSAwAJ

[5]: https://groups.google.com/d/msg/mozilla.dev.security.policy/DgeLqKMzIds/emMZb_E4AwAJ

[6]: https://www.symantec.com/page.jsp?id=test-certs-update#

Massive Google Phishing Attack Seen and Remediated by CloudSOC


There was a very large, sophisticated phishing attack on May 3 using a malicious application called Google Docs. This attack and others like it can be identified, tracked and remediated in CloudSOC. 

How users experienced the attack

Users received a phishing email with an invitation to view a Google document from one of their contacts. Users who clicked on it were redirected to install a malicious third party app called Google Docs. During this installation the user was asked to select a Google account and then to grant the malicious app permissions to “read, send, delete, manage email” and “manage your contacts”. Once the user clicked to authorize these permissions, the app could access the data on mail.google.com and googleapis.com/auth/contacts. The user was then redirected to a fake landing page that could be used for additional phishing messages.

CloudSOC identifies the attack and revokes access

Organizations using CloudSOC will see this malicious application in their Google Securlet dashboard along with details on the users who authorized the app to access their accounts and a button to automatically revoke the authorization to that malicious app for all users.  

[Image: CloudSOC Securlet dashboard identifies fake Google Docs app]

[Image: CloudSOC identifies users who have authorized access to fake Google Docs app and offers to revoke this access]

OAuth attacks are not new but growing more common

In today’s world of cloud apps, it is a convenience for users to grant permissions to third party apps to access accounts (such as email, social media, file sharing, etc.) using OAuth rather than requiring a password. Google has mitigated this attack but others like this are growing in popularity. Bad actors are taking advantage of how common it has become for users to grant access to third party apps, so common that many users don’t worry about granting these permissions if the request looks normal. In this case, the app was named Google Docs and looked legitimate to many users. These types of attacks don’t use malware but CloudSOC will provide visibility and controls to remediate this type of attack. 
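The authorization pattern described above, worked as an added detection example (this is not CloudSOC code and uses no Symantec or Google API): it scores an organization's third-party OAuth app grants by two signals the post names, an unverified app carrying a first-party product name and the two high-privilege scopes the fake app requested, and produces the per-app list of users whose grants an administrator would revoke. The record layout, the `publisher_verified` flag, the risk weights and the sample grants are all constructed assumptions; the scope strings are the full forms of the two scopes quoted in the post.

```python
from dataclasses import dataclass

# Scopes the post says the fake "Google Docs" app was granted, with constructed
# risk weights; mail access weighs more than contact access.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": 3,                  # read, send, delete, manage email
    "https://www.googleapis.com/auth/contacts": 2,  # manage your contacts
}

# First-party product names a lure app is likely to imitate (constructed list).
FIRST_PARTY_NAMES = {"google docs", "google drive", "google sheets", "gmail"}

IMPERSONATION_WEIGHT = 5   # constructed: name mimicry alone is enough to flag
DEFAULT_THRESHOLD = 5


@dataclass(frozen=True)
class AppGrant:
    """One third-party app and the users who authorized it (assumed record layout)."""
    app_name: str
    client_id: str
    publisher_verified: bool   # assumption: the IdP marks first-party/verified publishers
    scopes: tuple
    users: tuple


@dataclass(frozen=True)
class Finding:
    app_name: str
    client_id: str
    score: int
    reasons: tuple
    users: tuple


def assess(grant: AppGrant) -> Finding:
    """Score one grant: name impersonation plus the weight of each risky scope."""
    score = 0
    reasons = []
    if grant.app_name.strip().lower() in FIRST_PARTY_NAMES and not grant.publisher_verified:
        score += IMPERSONATION_WEIGHT
        reasons.append("unverified app named like a first-party Google product")
    for scope in grant.scopes:
        weight = HIGH_RISK_SCOPES.get(scope, 0)
        if weight:
            score += weight
            reasons.append(f"high-risk scope {scope}")
    return Finding(grant.app_name, grant.client_id, score, tuple(reasons), grant.users)


def triage(grants, threshold=DEFAULT_THRESHOLD):
    """Return the findings at or above the threshold, highest score first."""
    findings = (assess(g) for g in grants)
    return sorted((f for f in findings if f.score >= threshold), key=lambda f: -f.score)


def revocation_plan(findings):
    """Map client_id -> users whose authorization of that app should be revoked."""
    return {f.client_id: frozenset(f.users) for f in findings}


# Constructed sample of an organization's third-party app grants; client ids are placeholders.
SAMPLE_GRANTS = (
    AppGrant("Google Docs", "placeholder-client-1", False,
             ("https://mail.google.com/", "https://www.googleapis.com/auth/contacts"),
             ("alice@example.org", "bob@example.org", "carol@example.org")),
    AppGrant("Google Docs", "placeholder-client-2", True,          # the genuine product
             ("https://www.googleapis.com/auth/drive.file",), ("dave@example.org",)),
    AppGrant("Mail Merge Helper", "placeholder-client-3", False,   # honest name, broad scopes
             ("https://mail.google.com/", "https://www.googleapis.com/auth/contacts"),
             ("erin@example.org",)),
    AppGrant("Calendar Sync", "placeholder-client-4", False,
             ("https://www.googleapis.com/auth/contacts",), ("frank@example.org",)),
)


if __name__ == "__main__":
    for finding in triage(SAMPLE_GRANTS):
        print(f"{finding.app_name} ({finding.client_id}) score={finding.score}")
        for reason in finding.reasons:
            print("  -", reason)
        print("  affected users:", ", ".join(finding.users))
```

With the sample data the impersonating app scores 10 and the broad-scope "Mail Merge Helper" scores 5, while the verified Google Docs grant and the contacts-only app fall below the threshold.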

Download Cleanwipe tool to remove Symantec Endpoint Protection.


Hello Everyone,

You can use several methods to uninstall the Symantec Endpoint Protection product components, such as through the Windows Control Panel. If these common methods fail, you can use the CleanWipe utility.

Warning:

Symantec Technical Support does not recommend using CleanWipe the first time you have uninstallation trouble. You should only use CleanWipe as a last resort when the usual uninstallation methods are unsuccessful.

You should always use the latest version of CleanWipe to remove Symantec Endpoint Protection. CleanWipe can remove older installations of Symantec Endpoint Protection. However, you should not use an older version of CleanWipe to remove a newer version of Symantec Endpoint Protection. This action can have unexpected results.

Refer to this guide: Uninstalling Symantec Endpoint Protection with the CleanWipe utility

http://www.symantec.com/docs/HOWTO124983

The CleanWipe tool is available for download from the article linked above.


Symantec Windows 10 Migration Best Practices


Welcome to our Windows 10 migration best practice site where you'll find everything you need to know to get started with your Windows 10 migration.

Coming soon will be our Windows 10 migration whitepaper and sample jobs for both Deployment Solution and Ghost Solution Suite, check back soon!

Growing up Safe and Unafraid with Symantec

How the Vision of One Military Veteran is Empowering Children

Product donation is Symantec’s largest mechanism to support the nonprofit community and help nonprofits fulfill their missions. In partnership with TechSoup, each year we provide cybersecurity solutions to more than 25,000 organizations across 55 countries worldwide, allowing them to secure their most important data wherever it lives. Since launching the software donation program in 2002, Symantec has helped more than 93,000 nonprofits solve today’s biggest security challenges and protect against the ever-evolving threat landscape.

In honor of the United States’ National Military Veterans Appreciation Month, we’re shining a spotlight on Military Veterans Against Child Abuse—a nonprofit that relies on Symantec for data security, while it works relentlessly to teach young children how to stay safe and secure in the offline world through its award-winning program “A-B-C Learn Safety With Me”.


Creating a world where children feel safe and unafraid because they have the information and tools to make smart and empowered choices is no easy task. Between stranger awareness, bullying, fire and pool safety, animal safety, car seat safety, inappropriate touching and hygiene issues, the dangers are widespread. And while there are many programs aimed at grade school children, two U.S. Air Force veterans, Sharon and James Blacknall, struggled to find age appropriate curriculum for kids 3 to 5 years old.

Instead of ignoring the gap, Sharon shared her concerns with her mother, a former pediatric nurse and school teacher, who encouraged her to address the problem. So she did.

Sharon published a first step and then in 2013 went on to found the Military Veterans Against Child Abuse (MVACA)—a 501(c)3 nonprofit organization whose mission is to educate young children, parents, child care providers, teachers and the community as a whole about child safety and child abuse prevention through educational material, activities, seminar and advocacy. MVACA believes that teaching preschool children about safety doesn’t have to be scary. Instead it can be as natural as learning the ABCs and 123s.

“There are a lot of kids out there that need to hear this message, and I get a thrill, because when you’re doing the program, you actually see the little light bulb when they get it, when you see them a year later and they tell you the things they use from the program to stay safe. I always say if I save one child I’m done. That’s why I was put here on earth,” said Blacknall, Executive Director of MVACA.


The organization created “A-B-C Learn Safety With Me,” a comprehensive, innovative program that teaches three to five year old children the basics of safety, personal hygiene, their alphabet and numbers. When the child is introduced to a new number or alphabet, a corresponding safety rule is also taught. The suggested activities are designed to be taught in 30 minute increments and to complement a child development center's current curriculum, not replace it.

Today, MVACA remains an all-volunteer organization, with Sharon serving as the only full-time volunteer. Because safety is key to the organization’s mission, they make it a priority across all operations, including running Norton Small Business through the organization’s software donation partnership with TechSoup, to safeguard sensitive information such as photos and materials, and protect against threats.

“There have been attacks made toward our website and Facebook page. With Symantec running in the background, we have the peace of mind that no matter how many irons are in the fire at any given time, our data, email and copyrighted material are safe and secure,” said Blacknall. 

MVACA is a movement among supporters at #safeandunafraid because they believe all children have the right to grow up safe and unafraid.  

“With Symantec acting as our older, protective brother keeping an eye on us in the background, we too feel #safeandunafraid when logging on and accessing our necessary files,” said Blacknall.

Learn more about some of the many nonprofits utilizing Symantec products through Symantec’s partnership with TechSoup:

On-Demand Partner Enablement Webinars are Now Available!

A series of On-Demand Webinars is available for APJ partners

Dear Valued Partners,

We are very excited about this new era in our company, our partnership, and our program.

From April to May 2017, we ran a number of trainings to help you get up to speed, ready to leverage all the benefits of the Secure One program, and equipped with solution knowledge to drive new sales opportunities.

If you have missed any of these trainings, on-demand webinars are now available for you.  Please feel free to attend the recorded sessions.

Please first log in to Symantec Connect with your PartnerNet account, and you'll be able to view all recorded trainings.

APJ Webinar On-Demand: Partner Enablement Resources

APJ Webinar On-Demand: Buying Program Transition

APJ Webinar On-Demand: Symantec Secure One - Program, Systems and Tools

APJ Webinar On-Demand: Introducing Symantec Products

You can also visit the Symantec Connect Partner Calendar and select “APJ” under Geo Selection to register for the upcoming enablement webinar series.

Microsoft Patch Tuesday – May 2017

This month the vendor has released 56 vulnerabilities, 17 of which are rated Critical.


Latest Intelligence for April 2017

Number of web attacks blocked by Symantec rises to more than 1 million per day and Longhorn cyber espionage group linked to malware detailed in Vault 7 leak.


WEBINAR: Symantec Endpoint Protection 14 Series: Part 5 of 5: A Step-By-Step Approach for Endpoint Detection & Response

Webinar: May 18, 2017 (10:00 AM PST / 1:00 PM EST)

WEBINAR: Symantec Endpoint Protection 14 Series: Part 5 of 5: A Step-By-Step Approach for Endpoint Detection & Response

TIME: 10:00 AM (PST) / 1:00 PM (EST)

SPEAKER: Scott Hardie, System Engineer, Symantec

5-Part Webinar Series: Endpoint Protection…what really matters?



Part 5 of 5: A Step-By-Step Approach For Endpoint Detection & Response



Endpoint Detection and Response (EDR) was developed as a way to address Advanced Persistent Threats (APTs). It is the sneakiness of APTs that make them so dangerous and so difficult to eradicate.  



Although it is generally accepted that EDR technology requires a unique agent, we’d like to ask “should it”?  



Join us to learn how Symantec Endpoint Protection 14 tackles EDR without an extra agent. Discover:



• How EDR is used to improve security

• Why integrations are important

• Why Symantec Endpoint Protection and ATP beat the competition

• Future plans for EDR



Finally, see a demo that showcases how quick and easy it is to identify and respond to threats with Symantec.



Register Today (Click Here)


Microsoft Patch Tuesday - May 2017 (Japanese edition)

This month, 56 security bulletins have been released, 17 of which are rated Critical.


Microsoft Patch Tuesday - May 2017 (Chinese edition)

Microsoft released fixes for 56 vulnerabilities on the May Patch Tuesday, 17 of which are rated Critical.


Latest Intelligence for April 2017 (Chinese edition)

The number of web attacks blocked by Symantec rose to 1 million per day, and the cyber espionage group Longhorn is closely linked to the malware described in the Vault 7 leak.


Latest Intelligence for April 2017 (Japanese edition)

Web attacks blocked by Symantec increased, exceeding 1 million per day. Meanwhile, the relationship between the cyber espionage group Longhorn and the malware described in the Vault 7 leak came to light.


Secure One Services Partner of the Year


It’s been quite a year for Secure One Services partners—we became part of Symantec, renamed the program, added cloud SKUs to our single price list, and invited more exceptional partners to join the program. Secure One Services is a growing and thriving community of global support partners. Each year we recognize Secure One Services partners in each region who have done an exceptional job of supporting our end-customers and driving renewals. The two awards are Partner of the Year: the best in class of the region across the year and the Excellence Award: bestowed bi-annually to the top performing partners in each region.

I’m thrilled to announce this year’s winners of the Secure One Services Partners of the Year:

[Image: Secure One Services Partner of the Year award and winning company logos]

I am also happy to announce the winners of this year’s Excellence Awards:

[Image: Secure One Services Excellence Award]

In EMEA, we honor: BT Services SA, Qsight IT, and SecureLink UK

In Asia Pacific, we honor: Netpolean Philippines Inc and nForce Security Systems AP Co Ltd

In the Americas, we honor: Forsythe Technology.

I spoke to Torjus Gylstorff, our VP of Worldwide Partner Sales and asked him what these awards represent in his mind. He said “The Secure One Services Partners of the Year and the Excellence partners represent the best of the best. They are critical to our business and to keeping our customers secure.”

I cannot agree more. Congratulations to all the award winners, and most importantly, THANK YOU for servicing our mutual customers with such passion and commitment.

Get ready for GDPR, not fined by it


With GDPR on the horizon, it is now important to discuss the complex issue of fines. While this blog neither gives legal advice nor predicts future actions of Europe’s privacy regulators, it does provide the basic facts.

It’s the fines associated with GDPR non-compliance that make this topic one for boardroom debate. GDPR isn’t a “paper tiger”. It has sharp teeth. Recent Symantec research on the state of privacy in Europe shows how seriously GDPR is being taken:

  • 96% of organisations don’t fully understand GDPR

  • 90% are worried about their ability to comply

  • 26% in 2016 believed their organisation will fully comply by May 2018

  • 22% in 2016 have GDPR compliance as top priority

Many of the customers I talk to about GDPR misunderstand the penalties, the risk and the consequences of failing GDPR compliance. I’ve met people who think that fines will go to the EU budget. Others are unsure whether local or global turnover is used to calculate fines. Some hope that Brexit may provide them with a safe haven. A frequent statement is that “we are not going to be ready and no one else will be either”. Another remark is “do you really believe the authorities will start issuing fines up to 4% of companies’ global turnover?” Or “our investment in Europe is relatively small despite the fact that we serve a lot of Europeans. Why would the authorities target us?”

How stringent will regulators be?
In a recent meeting with the regulators and European officials, some regulators seemed willing to “take industry by the hand” and lead them to compliance. Others want to be enforcers. At the moment, nobody knows for sure how enforcement will take shape. We do know that the fines are described in the law like this:

  • The penalties range from 2% to 4% of global annual turnover, but there is also a scale within that range.

  • The 2% or 10 million Euro tier, whichever is higher, applies to a series of offences such as failing to take appropriate security measures.

  • The 4% or 20 million Euro tier, whichever is higher, means that something seriously bad has happened, such as an illegal data transfer or a repeated violation of the law.

What I will say is that your current compliance situation impacts the level of enforcement your organisation risks facing. The argument goes like this: the old 95/46/EC law follows largely the same principles as GDPR, but the latter is much more detailed and results-oriented. However, because 95/46/EC has existed for 22 years, those already fully compliant with 95/46/EC can reach GDPR as an evolutionary step. Not being ready on time in 2018, but working your way up from 95/46/EC, doesn’t protect you, but it is likely to get you into less trouble.

Those not in full compliance now with 95/46/EC have a tough road ahead. Why? If you haven’t met 22-year-old standards by now, you are less likely to be able to fulfil the requirements of GDPR anytime soon. This situation results in companies “rushing through” a GDPR compliance program. This is expensive, but probably the only way to mitigate the risk.

GDPR expands the “risk surface”
95/46/EC created a system of “approximated” national laws. One of the consequences of “approximation” was that breaking the law in one country would hopefully “contain” the infraction to that country. With GDPR the law is harmonised, and full cooperation between data protection authorities is a key component of it. Consequently, a violation of the law in one EU jurisdiction may actually result in violations in multiple EU jurisdictions. Suddenly the “risk surface” is all of the territories within the EU in which you do business, making it riskier to be caught breaking privacy rules.

GDPR has global reach
If you are doing business in Europe, even remotely, you must comply with GDPR. If you serve EU customers directly or indirectly, GDPR will apply to you via contract. Factors to consider are the maturity of your privacy compliance program and the risk to data caused by an infraction. The size of your investment or presence in a country could be relevant depending on the circumstances.

What triggers an investigation?
What could actually trigger an investigation is complex. Here are three factors to consider:

  1. Authorities could take action on their own initiative
    For example, if they receive information about a company’s new privacy policy and its impact on users. Here an inquiry into the firm’s use of data may result in further investigation.

  2. Customers complain
    With GDPR, cross-border complaints are more effective and likely to involve more authorities. The level of fines makes it more likely that a competitor or a disgruntled employee may also approach the authorities.

  3. Reporting or not reporting
    This includes the obligation to report data breaches or certain privacy impact assessments. Having to report an incident, or failing to have proper security that resulted in an incident, may trigger an investigation that could disclose bigger privacy compliance challenges. Failure to meet a notification obligation (e.g. to report a breach) is an infringement that would trigger fines. Choosing not to report a data breach to avoid regulatory scrutiny or sanctions is not a viable strategy and could increase fines.

How soon are we going to see fines, and how large will they be?
The views among data protection authorities differ. Remember that fines based on global annual turnover are an idea that comes from EU competition law. However, the 10 million threshold of GDPR penalties has already been exceeded by recent decisions of the Italian Data Protection Authority. France and Germany have already taken steps to increase the sanction powers of their national data protection authorities in preparation for GDPR.

How are fines calculated?
By looking at the particular circumstances of every case. The recent Garante decision is a good example. Some of the factors that will be taken into consideration include:

  • The amount and type of affected personal data

  • The damage caused and seriousness of risk

  • The number of data subjects

  • The number of jurisdictions involved

  • The disposition of the company that broke the law, its compliance efforts, its presence in a particular country

  • How involved the authorities became and whether they have a history of imposing heavy fines

In reality, at this stage it’s impossible to predict how exactly GDPR will be enforced. Any prediction may go out of the window if a major privacy scandal erupts, something like the Snowden disclosures back in 2013. GDPR has real teeth, and it’s becoming pretty clear that it will be a game changer in risk, enforcement, compliance and business practices. The less risky strategy is to focus on compliance rather than becoming a test case in Europe. A question often asked is whether one should apply GDPR across non-European data. A lot depends on the business model of every organisation, but more and more practitioners seem to give the same answer: it is easier to have a single policy and a single standard across the organisation, and the highest one at the moment is GDPR.

One should also remember that although the GDPR fines have attracted public attention, Data Protection Authorities have many more arrows in their quiver that may prove even more problematic than the fines. Decisions by DPAs such as a ban on processing certain categories of data, or a suspension of data flows, can kill entire business models. In addition, unlike the fines, which have the caps previously mentioned, the liability and right of compensation towards data subjects cannot be capped.

The good news for practitioners is that the prospect of large fines and damage to brand reputation will get you a conversation with the board! While that’s important at an operational level, I think GDPR offers so much more. It’s an opportunity to be far better than we are today at managing and securing information. Because information fires up competitive advantage, better information management means better business. Get the foundations of information management right with GDPR and your organisation will have its house in order, ready for a new level of success.
