Articles on this Page
- 04/28/17--15:18: Dropdown List Component Excludes Duplicate Entries
- 04/30/17--18:38: Symantec Threat Intel feed
- 04/25/17--13:07: Reducing Insider Threats in a New Administration
- 05/01/17--14:31: New self-help resources for Endpoint Protection
- Common Issues 101 for Endpoint Protection. See http://www.symantec.com/docs/TECH240360.
- Install and Upgrade 101 for Endpoint Protection. See http://www.symantec.com/docs/TECH240361.
- Policy Configuration 101 for Endpoint Protection. See http://www.symantec.com/docs/TECH240362.
- Security Threats 101 for Endpoint Protection. See http://www.symantec.com/docs/TECH240365.
- Guided Knowledge for Endpoint Protection. See https://support.symantec.com/en_US/endpoint-protection/guided-help-install.html
- 05/04/17--18:26: Symantec CA Continues the Public Dialogue
- 05/05/17--17:26: Massive Google Phishing Attack Seen and Remediated by CloudSOC
- 05/08/17--08:23: Download Cleanwipe tool to remove Symantec Endpoint Protection.
- 05/08/17--11:37: Symantec Windows 10 Migration Best Practices
- 05/09/17--16:02: Growing up Safe and Unafraid with Symantec
- Planting the Seeds for a Safer Future: Actions Today Changing our Tomorrow
- Cyber Security is Vital for Nonprofits Too: How Nonprofit CASA is Protecting Children’s Personal Information with Symantec
- Ambassadors of Safety: Kosch-Westerman Foundation and Symantec team up to protect the terminally ill
- Symantec Makes STEM Education Possible for The Einstein Project
- 05/09/17--20:04: On-Demand Partner Enablement Webinars are Now Available!
- 05/10/17--00:52: Microsoft Patch Tuesday – May 2017
- 05/10/17--06:07: Latest Intelligence for April 2017
- 05/10/17--21:38: Microsoft Patch Tuesday – May 2017 (Japanese edition)
- 05/10/17--21:46: Microsoft Patch Tuesday – May 2017 (Chinese edition)
- 05/10/17--21:59: Latest Intelligence for April 2017 (Chinese edition)
- 05/11/17--01:28: Latest Intelligence for April 2017 (Japanese edition)
- 05/05/17--12:49: Secure One Services Partner of the Year
- 05/12/17--10:27: Get ready for GDPR, not fined by it
- 96% of organisations don’t fully understand GDPR
- 90% are worried about their ability to comply
- 26% in 2016 believed their organisation will fully comply by May 2018
- 22% in 2016 have GDPR compliance as top priority
The penalties range from 2% to 4% of global annual turnover, but they are also tiered.
The lower tier, 2% or 10 million euros, whichever is higher, targets a series of offences such as failing to take appropriate security measures.
The upper tier, 4% or 20 million euros, whichever is higher, means that something seriously bad has happened, such as an illegal data transfer or a repeated violation of the law.
Authorities could take action on their own initiative
With GDPR, cross-border complaints are more effective and likely to involve more authorities. The level of fines makes it more likely that a competitor or a disgruntled employee may also approach the authorities.
Reporting or not reporting
This includes the obligation to report data breaches or certain privacy impact assessments. Having to report an incident or failing to have proper security that resulted in an incident may trigger an investigation that could disclose bigger privacy compliance challenges. Failure to meet a notification obligation (e.g. to report a breach) is an infringement that would trigger fines. Choosing not to report a data breach to avoid regulatory scrutiny or sanctions is not a viable strategy and could increase fines.
- The amount and type of affected personal data
- The damage caused and seriousness of risk
- The number of data subjects
- The multitude of jurisdictions
- The disposition of the company that broke the law, its compliance efforts, its presence in a particular country
- How involved the authorities became and whether they have a history of imposing heavy fines
When using a DropDown list component in Workflow forms, the component does not always display all items from the configured array variable. The component has a built-in duplicate filter: if the display field of an item matches that of another item, the duplicate items are removed.
For example, if the drop down list component is configured using an array of text items as follows:
The drop down list component will display the following options:
The duplicate Text2 options would be omitted.
This defect will be addressed in a future build. As a workaround, ensure that the display field selected in the drop down list component has a unique value for every item in the array.
From Edward Snowden and Chelsea Manning to every honest employee within an agency, insider threats – whether intentional or not – pose a tremendous risk to government. Look no further than the recent WikiLeaks release of CIA documentation. Although the organization has not identified the source of those documents, it did say that the documents had been “circulated among former U.S. government hackers and contractors in an unauthorized manner, one of whom has provided WikiLeaks with portions of the archive.” This type of information has a tremendous impact on our national security.
Managing insider threats has been a major mission of security professionals for years. President Obama signed an executive order to curb insider threats; the National Counterintelligence and Security Center has a task force focused exclusively on mitigating insider threats; and Congress continually pushes legislation to limit and punish those involved in insider compromise. But, the threat of a breach as a result of an insider is not always malicious. In fact, simple negligence by an unknowing employee could cause just as much damage.
Also, consider all the Shadow IT infiltrating government systems. From Box to Dropbox to 4shared, employees are accessing unauthorized applications at will, causing headaches, or should I say migraines, for government IT professionals.
The administration should consider all of these factors as it puts together a strategy for defending against insider threats, and this must be a key part of the administration’s cybersecurity plan.
The best weapon in the fight against insider threats is data loss prevention (DLP), a capability that protects data at rest, in motion and in use. Let’s look at some of the key aspects of DLP and why it is such an effective tool against insider threats.
Securing a BYOD environment. Government has worked to introduce bring your own device (BYOD) programs as a way to incentivize potential employees and simply make the government work more efficiently. Security teams can now manage BYOD policies while securing confidential data. Tools can monitor email being downloaded to a native mail app on employee-owned devices and create an inventory of confidential data being stored on them. This tool provides visibility into mobile data loss risk and quickly pinpoints exposures if mobile devices are lost or stolen.
Gain insight into hidden data. Many agencies encrypt data, which is an excellent best practice to use. DLP can look into those encrypted files stored on agency servers and identify what confidential data is stored. This allows managers to know when valuable data is either accidentally leaked or when malicious insiders try to steal valuable intellectual data by encrypting it first in order to avoid detection.
Finding high risk insiders. Not all users are created equal. Some never access valuable data, while others work with it all the time. How do you find something out of the norm? With risk summary reports, DLP systems combine endpoint and network events by user to help identify abnormal behavior patterns for high-risk individuals. While some data loss comes from well-meaning stakeholders – employees, contractors, etc. – these summaries help show the malicious insiders that pose a significant threat to higher-value data.
Insider threats are one of the most difficult aspects of cybersecurity to prevent, but one that is most likely to hurt a new administration. With the right DLP strategies, though, the government can mitigate these threats before they cause a problem. For more information on the benefits of an effective DLP solution, click here.
Symantec Support is introducing a comprehensive set of self-help resources called Support 101.
Support 101 is designed to help you with the most common questions or issues when installing, configuring, or managing Endpoint Protection.
Topics for Endpoint Protection* include:
To access the full set of resources for Endpoint Protection, visit https://support.symantec.com/en_US/endpoint-protection.html.
*other products coming soon.
We value your opinion. If you have any feedback for improving the knowledge base, please let us know by replying directly to this thread.
You can also suggest improvements within individual knowledge base articles by clicking "Did this article resolve your issue?" Your feedback is then reviewed and acted upon by our support agents as part of a regular review process.
WEBINAR: Symantec IT Management Suite 8.1 & Ghost Solution Suite 3.2 Launch
DATE: May 16, 2017
TIME: 8:00 AM (PST) / 11:00 AM (EST)
Symantec IT Management Suite 8.1 and Ghost Solution Suite 3.2 are here! Please join us for a special webcast on Tuesday, May 16 to learn how these new solutions will make your life easier.
We will discuss and demo some of the cool new features such as streamlined processes for updating Windows 10 and Office 365, peer-to-peer content distribution, Mac profile management, and much more!
We will also have a panel of ITMS 8.1 early adopter customers who have already upgraded to IT Management Suite to share their experiences so you can learn all the do's and don'ts of a successful upgrade.
Don't miss this great opportunity to get the latest information on IT Management Suite 8.1 and Ghost Solution Suite 3.2!
Register Today (Click Here)
We believe that we have put forward a proposal that provides the highest level of transparency and reassurance of trust in active SSL/TLS certificates available in the industry. We also believe that our proposal avoids the imposition of significant compatibility and interoperability risks, as well as customer business disruption, which would result from any proposal that limits the trust of existing Symantec SSL/TLS certificates, imposes shorter validity periods on newly issued Symantec certificates, and/or removes EV recognition for our certificates in browsers. This post responds to comments about our proposal made by Ryan Sleevi in his post summarizing Google’s discussions with Symantec and by Gervase Markham in his draft proposal on behalf of Mozilla.
1. We are confident in our issuance processes and in the additive protection measures already in place, which is why we are conducting extensive audits that will be made public as outlined in our proposal. We have proposed audits that go far beyond the scope of traditional WebTrust for CAs and Baseline Requirements audits.
a. In the case of EV certs we will have an external auditor examine 100% of the active EV certificates issued. We are confident in our processes and a full, detailed external audit is the best mechanism we are aware of to showcase this.
b. In the case of our SSL/TLS RA program, we have taken the most conservative action possible: we have shut it down. Additionally we have almost completed our revalidation of every active certificate that our former TLS RA partners have authenticated. As of May 4, 2017, the status of the revalidation or review of the active certificates authenticated by our former TLS RA partners is as follows:
* The certificates in the “Errors” column of the table above, which we have revoked and replaced, were due to spelling mistakes in information in the organization name, imprecise values in locality (e.g. related to the name change of Distrito Federal to Ciudad de Mexico, similar to those called out by other CAs and considered acceptable exceptions to the Baseline Requirements by Google and Mozilla), or instances where we did not receive sufficient documentation to substantiate subject information. In the case of Certisur, after receipt of additional substantiating information and further review, we concluded that 6 of the revoked certificates were compliant with the Baseline Requirements and satisfied Symantec policies.
c. Further, we have proposed to have an external auditor revalidate all of our work described in the table above with RAs and make that report public. For clarity, we are not proposing an audit that is subject to standard audit sampling practices, but rather third party review and validation of 100% of these active, RA-validated certificates.
In addition, we previously added extensive controls to our issuance process in response to the 2015 test certificate mis-issuance incident documented here. This included an automated compliance checking engine that blocks non-compliance with the Baseline Requirements.
Moreover, the additional transparency we are already providing by logging all certificates issued to Certificate Transparency logs – including DV and OV – is a practice that the rest of the industry has yet to adopt. This transparency effort included explicitly providing to Google for whitelisting the certificates that were issued by Symantec prior to us fully deploying CT support.
Finally, we have proposed moving to quarterly WebTrust audits going forward to provide the community with even more frequent updates on the reliability of our processes.
These measures are designed to demonstrate the integrity of our active certificates and to provide timely visibility into the integrity of our future certificate issuances. A third party review of all (100%) active EV and RA-issued certificates is at the extreme end of transparency and we believe such reviews will assure the community about our issuance practices.
2. Mr. Sleevi has set forth a second proposal that involves Symantec outsourcing its SSL/TLS issuance to a third party. We have evaluated this sub-CA proposal and believe it is unwarranted and not proportional to the actual or perceived risk that is mitigated under our proposal. We believe our issuance processes are sound and that the transparency initiatives outlined above – specifically, published reports from our third party audits that we expect to complete by August 31, 2017 – will confirm this for the community. Until the audit results are available for public review, we think it is premature to suggest that Symantec consider any such sub-CA proposal.
3. While we recognize that shorter validity certificates may reduce exposure to certain security risks, we believe any such change must be consistent across the entire CA industry and be phased in over a period of time taking into consideration existing barriers to adoption. Both Mr. Sleevi (in his latest proposal) and Mr. Markham propose a 13-month validity limit for Symantec certificates. Limiting Symantec’s ability to issue longer-lived certificates while not imposing that same limit on other CAs is uniquely punitive to Symantec’s CA business and unjustified. We also do not believe that a 13-month validity limit should be imposed on the CA industry at this time – a conclusion that is reinforced by the recent CA/Browser Forum vote rejecting ballot 185, which proposed to limit the maximum validity of SSL/TLS certificates issued by all CAs to 13 months. As we have stated in our public response, many enterprises are not at the level of automation maturity necessary to practically and cost-effectively adopt shorter validity certificates. For these organizations, standardizing on shorter validity certificates would present substantial increases in their operating costs. A significant percentage of our active certificates have a validity period greater than 13 months. We have heard from many customers that they will move to another CA if a major browser limits the validity of Symantec certificates to 13 months or less to avoid the operational burden of replacing certificates more frequently – particularly when commercial alternatives exist. If this action is taken exclusively against Symantec, it will create significant disruption for hundreds of thousands of customers / users and will harm our CA business.
In light of the difficulty of currently operationalizing the replacement cycle of short-lived certificates for many of our customers, we have proposed 9-month domain revalidation of all of our certificates. An initial certificate validation is one level of authentication. Certificate domain revalidation post-deployment further extends the trustworthiness of the initial certificate, which is a positive extension of the CA trust model. This 9-month domain revalidation proposal is intended to supplement our proposed expanded offering of shorter validity certificates for those customers for whom it would be a significant burden to adopt them. We’ve proposed reporting our revalidation findings externally and, working with the browser community, we believe we can establish appropriate transparency mechanisms (e.g. through an OCSP extension or a signed revalidation list) that provide an attestation to this revalidation and ensure accountability of our implementation of this action. We’ve also proposed continuing our investments in automation to enable organizations with even the most complex infrastructure to practically and cost-effectively adopt shorter validity certificates.
4. Portions of Mr. Sleevi’s sub-CA proposal were redacted and he mentioned that Symantec shared additional details with Google during our joint meetings that Symantec did not make public in its response. In our private discussions with Google, we shared key elements of our current solution roadmap, which, as a normal evolution of our business, includes enhancing our issuance platform to create a competitive advantage in the marketplace. We publicly highlighted our investments in this area in our proposal as part of our discussion of automation and supporting shorter validity certificates – specifically, “[o]ur near term investments will focus on modernizing our certificate issuance systems and workflows to enable faster issuance, and developing tools that enable customers to rapidly and securely implement their certificates and configure their systems.” We intend to keep the community informed about our progress here as part of the quarterly updates we have proposed to deliver to the community.
In summary, we believe our proposal provides the most open and transparent posture of any CA in the industry and reassures trust in active Symantec certificates and our current issuance practices. Our proposal also mitigates the significant compatibility and interoperability risks, as well as customer burden, which would result from any proposal that limits the trust of existing Symantec SSL/TLS certificates, imposes shorter validity periods on newly issued Symantec certificates, and/or removes EV recognition for our certificates in browsers.
We understand our role as a key player in the trust ecosystem of the Internet and take it very seriously, including the obligation to follow the compliance frameworks set forth by the CA/Browser Forum and browser root programs. We believe the error rate of our issuances is low compared to our peers and we welcome objective third party information that puts this into context. While third party, comparative data from Netcraft supports our position that our certificate issuances are equal to or better than other CAs, we always work to do better.
We encourage the community to consider objective, comparative results of our processes with others along with the merits of our proposal. It is important that any actions taken by Google and Mozilla don’t overreach and result in unnecessary business disruption to customers and users of sites that rely on Symantec SSL/TLS certificates. We believe careful and deliberate consideration of the strengths and weaknesses of Symantec’s proposal as compared to those proposed by Google and Mozilla requires more time than has been implied by Mr. Markham and should involve more feedback from the affected stakeholders in the Internet ecosystem than has been received to date. To that end, we recommend that Google and Mozilla take the time to proactively reach out to the enterprises whose voice is greatly underrepresented in these forums to truly understand the customer use cases we have described and the reasoning behind our proposal.
There was a very large, sophisticated phishing attack on May 3 using a malicious application called Google Docs. This attack and others like it can be identified, tracked and remediated in CloudSOC.
How users experienced the attack
Users received a phishing email with an invitation to view a Google document from one of their contacts. Users who clicked on it were redirected to install a malicious third party app called Google Docs. During this installation the user was asked to select a Google account and then asked by the malicious app to grant permissions to “read, send, delete, manage email” and “manage your contacts”. Once the user clicked to authorize these permissions, the app could access the data behind the mail.google.com and googleapis.com/auth/contacts scopes. The user was then redirected to a fake landing page that can be used for additional phishing messages.
CloudSOC identifies the attack and revokes access
Organizations using CloudSOC will see this malicious application in their Google Securlet dashboard along with details on the users who authorized the app to access their accounts and a button to automatically revoke the authorization to that malicious app for all users.
CloudSOC Securlet dashboard identifies fake Google Docs app
CloudSOC identifies users who have authorized access to fake Google Docs app and offers to revoke this access
OAuth attacks are not new but are growing more common
In today’s world of cloud apps, it is a convenience for users to grant third party apps permission to access accounts (such as email, social media, file sharing, etc.) using OAuth rather than requiring a password. Google has mitigated this attack, but others like it are growing in popularity. Bad actors are taking advantage of how common it has become for users to grant access to third party apps, so common that many users don’t worry about granting these permissions if the request looks normal. In this case, the app was named Google Docs and looked legitimate to many users. These types of attacks don’t use malware, but CloudSOC provides visibility and controls to remediate them.
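The triage a CASB dashboard performs on third-party app authorizations can be reproduced over an inventory export. The following is an added example, not CloudSOC code: it scores each granted app on the two scopes named above and on whether its name mimics a first-party Google product while being published from a non-Google domain, then produces a per-app revocation list. The `AppGrant` fields, the sample grants, client IDs and domains are all constructed for illustration.

```python
"""Triage of third-party OAuth app grants (constructed example, not CloudSOC code)."""
from dataclasses import dataclass
from typing import Dict, List

# The two scopes the fake "Google Docs" app requested; both are broad.
HIGH_RISK_SCOPES = {
    "https://mail.google.com/": "full mailbox access (read, send, delete, manage email)",
    "https://www.googleapis.com/auth/contacts": "manage contacts",
}

# First-party product names a third-party app has no business reusing.
FIRST_PARTY_NAMES = {"google docs", "google drive", "gmail", "google sheets"}

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2, "critical": 3}


@dataclass
class AppGrant:
    """One authorized app as it would appear in an app-inventory export (assumed schema)."""
    app_name: str
    publisher_domain: str   # domain of the developer account that published the app
    client_id: str          # OAuth client identifier
    scopes: List[str]
    users: List[str]        # accounts that granted the app access


@dataclass
class Finding:
    client_id: str
    app_name: str
    severity: str
    reasons: List[str]
    affected_users: List[str]


def assess_grant(grant: AppGrant) -> Finding:
    """Score one grant: impersonation plus broad scopes is the worst combination."""
    reasons = []
    risky = [s for s in grant.scopes if s in HIGH_RISK_SCOPES]
    for scope in risky:
        reasons.append(f"requests {HIGH_RISK_SCOPES[scope]} ({scope})")

    # A first-party name from a publisher that is not Google is an impersonation signal.
    publisher = grant.publisher_domain.lower()
    impersonates = (grant.app_name.strip().lower() in FIRST_PARTY_NAMES
                    and publisher != "google.com" and not publisher.endswith(".google.com"))
    if impersonates:
        reasons.append(f"name {grant.app_name!r} mimics a first-party Google product "
                       f"but is published by {grant.publisher_domain}")

    if impersonates and risky:
        severity = "critical"
    elif risky:
        severity = "high"       # broad access from a plausible publisher: review, don't auto-revoke
    elif impersonates:
        severity = "medium"
    else:
        severity = "info"
    return Finding(grant.client_id, grant.app_name, severity, reasons, list(grant.users))


def triage(grants: List[AppGrant], min_severity: str = "high") -> List[Finding]:
    """Return findings at or above min_severity, worst first."""
    findings = [assess_grant(g) for g in grants]
    kept = [f for f in findings if SEVERITY_ORDER[f.severity] >= SEVERITY_ORDER[min_severity]]
    return sorted(kept, key=lambda f: SEVERITY_ORDER[f.severity], reverse=True)


def revocation_plan(findings: List[Finding]) -> Dict[str, List[str]]:
    """Map each critical app's client_id to the users whose authorization should be revoked."""
    return {f.client_id: sorted(f.affected_users) for f in findings if f.severity == "critical"}


# Constructed inventory: one impersonating app, one broad-but-plausible app, one benign app.
SAMPLE_GRANTS = [
    AppGrant("Google Docs", "dev-account.example", "client-fake-docs-0001",
             ["https://mail.google.com/", "https://www.googleapis.com/auth/contacts"],
             ["bob@example.com", "alice@example.com"]),
    AppGrant("Mail Merge Helper", "mailmerge.example", "client-mailmerge-0002",
             ["https://mail.google.com/"], ["carol@example.com"]),
    AppGrant("Acme Calendar Sync", "acme.example", "client-acme-cal-0003",
             ["https://www.googleapis.com/auth/calendar.readonly"], ["dave@example.com"]),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_GRANTS):
        print(f"[{finding.severity}] {finding.app_name} ({finding.client_id})")
        for reason in finding.reasons:
            print("   -", reason)
    print("revoke:", revocation_plan(triage(SAMPLE_GRANTS)))
```

Only the impersonating app lands in the revocation plan; the broad-scope app from a plausible publisher is surfaced for review, which mirrors the dashboard's distinction between showing an app and offering bulk revocation.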
You can use several methods to uninstall the Symantec Endpoint Protection product components, such as through the Windows Control Panel. If these common methods fail, you can use the CleanWipe utility.
Symantec Technical Support does not recommend using CleanWipe the first time you have uninstallation trouble. You should only use CleanWipe as a last resort when the usual uninstallation methods are unsuccessful.
You should always use the latest version of CleanWipe to remove Symantec Endpoint Protection. CleanWipe can remove older installations of Symantec Endpoint Protection. However, you should not use an older version of CleanWipe to remove a newer version of Symantec Endpoint Protection. This action can have unexpected results.
Refer to this guide: Uninstalling Symantec Endpoint Protection with the CleanWipe utility
The CleanWipe tool is available for download in the article linked above.
Welcome to our Windows 10 migration best practice site where you'll find everything you need to know to get started with your Windows 10 migration.
Our Windows 10 migration whitepaper and sample jobs for both Deployment Solution and Ghost Solution Suite are coming soon, so check back!
Product donation is Symantec’s largest mechanism to support the nonprofit community and help nonprofits fulfill their missions. In partnership with TechSoup, each year we provide cybersecurity solutions to more than 25,000 organizations across 55 countries worldwide, allowing them to secure their most important data wherever it lives. Since launching the software donation program in 2002, Symantec has helped more than 93,000 nonprofits solve today’s biggest security challenges and protect against the ever-evolving threat landscape.
In honor of the United States’ National Military Veterans Appreciation Month, we’re shining a spotlight on Military Veterans Against Child Abuse—a nonprofit that relies on Symantec for data security, while it works relentlessly to teach young children how to stay safe and secure in the offline world through its award-winning program “A-B-C Learn Safety With Me”.
Creating a world where children feel safe and unafraid because they have the information and tools to make smart and empowered choices is no easy task. Between stranger awareness, bullying, fire and pool safety, animal safety, car seat safety, inappropriate touching and hygiene issues, the dangers are widespread. And while there are many programs aimed at grade school children, two U.S. Air Force veterans, Sharon and James Blacknall struggled to find age appropriate curriculum for kids 3 to 5 years old.
Instead of ignoring the gap, Sharon shared her concerns with her mother, a former pediatric nurse and school teacher, who encouraged her to address the problem. So she did.
Sharon published a first step and then in 2013 went on to found the Military Veterans Against Child Abuse (MVACA)—a 501(c)3 nonprofit organization whose mission is to educate young children, parents, child care providers, teachers and the community as a whole about child safety and child abuse prevention through educational material, activities, seminar and advocacy. MVACA believes that teaching preschool children about safety doesn’t have to be scary. Instead it can be as natural as learning the ABCs and 123s.
“There are a lot of kids out there that need to hear this message, and I get a thrill, because when you’re doing the program, you actually see the little light bulb when they get it, when you see them a year later and they tell you the things they use from the program to stay safe. I always say if I save one child I’m done. That’s why I was put here on earth,” said Blacknall, Executive Director of MVACA.
The organization created “A-B-C Learn Safety With Me,” a comprehensive, innovative program that teaches three to five year old children the basics of safety, personal hygiene, their alphabet and numbers. When the child is introduced to a new number or alphabet, a corresponding safety rule is also taught. The suggested activities are designed to be taught in 30 minute increments and to complement a child development center's current curriculum, not replace it.
Today, MVACA remains an all-volunteer organization, with Sharon serving as the only full-time volunteer. Because safety is key to the organization’s mission, they make it a priority across all operations, including running Norton Small Business through the organization’s software donation partnership with TechSoup, to safeguard sensitive information such as photos and materials, and protect against threats.
“There have been attacks made toward our website and Facebook page. With Symantec running in the background, we have the peace of mind that no matter how many irons are in the fire at any given time, our data, email and copyrighted material are safe and secure,” said Blacknall.
MVACA is a movement among supporters at #safeandunafraid because they believe all children have the right to grow up safe and unafraid.
“With Symantec acting as our older, protective brother keeping an eye on us in the background, we too feel #safeandunafraid when logging on and accessing our necessary files,” said Blacknall.
Learn more about some of the many nonprofits utilizing Symantec products through Symantec’s partnership with TechSoup:
Dear Valued Partners,
We are very excited about this new era in our company, our partnership, and our program.
From April to May 2017, we outlined a number of trainings to help you get up to speed, ready to leverage all the benefits of the Secure One program, and equipped with solution knowledge to drive new sales opportunities.
If you have missed any of these trainings, on-demand webinars are now available for you. Please feel free to attend the recorded sessions.
Please first log in to Symantec Connect with your PartnerNet account, and you'll be able to view all recorded trainings.
You can also visit the Symantec Connect Partner Calendar and select “APJ” under Geo Selection to register for the upcoming enablement webinar series.
This month the vendor has released patches for 56 vulnerabilities, 17 of which are rated Critical.
The number of web attacks blocked by Symantec rises to more than 1 million per day, and the Longhorn cyber espionage group is linked to malware detailed in the Vault 7 leak.
WEBINAR: Symantec Endpoint Protection 14 Series: Part 5 of 5: A Step-By-Step Approach for Endpoint Detection & Response
TIME: 10:00 AM (PST) / 1:00 PM (EST)
SPEAKER: Scott Hardie, System Engineer, Symantec
5-Part Webinar Series: Endpoint Protection…what really matters?
Part 5 of 5: A Step-By-Step Approach For Endpoint Detection & Response
Endpoint Detection and Response (EDR) was developed as a way to address Advanced Persistent Threats (APTs). It is the sneakiness of APTs that makes them so dangerous and so difficult to eradicate.
Although it is generally accepted that EDR technology requires a unique agent, we’d like to ask “should it”?
Join us to learn how Symantec Endpoint Protection 14 tackles EDR without an extra agent. Discover:
- How EDR is used to improve security
- Why integrations are important
- Why Symantec Endpoint Protection and ATP beat the competition
- Future plans for EDR
Finally, see a demo that showcases how quick and easy it is to identify and respond to threats with Symantec.
Register Today (Click Here)
This month, 56 security bulletins have been released, 17 of which are rated Critical.
Web attacks blocked by Symantec have increased, exceeding 1 million per day. Meanwhile, the link between the cyber espionage group Longhorn and the malware described in the confidential Vault 7 documents has come to light.
It’s been quite a year for Secure One Services partners—we became part of Symantec, renamed the program, added cloud SKUs to our single price list, and invited more exceptional partners to join the program. Secure One Services is a growing and thriving community of global support partners. Each year we recognize Secure One Services partners in each region who have done an exceptional job of supporting our end-customers and driving renewals. The two awards are Partner of the Year: the best in class of the region across the year and the Excellence Award: bestowed bi-annually to the top performing partners in each region.
I’m thrilled to announce this year’s winners of the Secure One Services Partners of the Year:
I am also happy to announce the winners of this year’s Excellence Awards:
In EMEA, we honor: BT Services SA, Qsight IT, and SecureLink UK
In Asia Pacific, we honor: Netpolean Philippines Inc and nForce Security Systems AP Co Ltd
In the Americas, we honor: Forsythe Technology.
I spoke to Torjus Gylstorff, our VP of Worldwide Partner Sales and asked him what these awards represent in his mind. He said “The Secure One Services Partners of the Year and the Excellence partners represent the best of the best. They are critical to our business and to keeping our customers secure.”
I cannot agree more. Congratulations to all the award winners, and most importantly, THANK YOU for servicing our mutual customers with such passion and commitment.
With GDPR on the horizon, it is now important to discuss the complex issue of fines. While this blog neither gives legal advice nor predicts future actions of Europe’s privacy regulators, it does provide the basic facts.
It’s the fines associated with GDPR non-compliance that make this topic one for boardroom debate. GDPR isn’t a “paper tiger”. It has sharp teeth. Recent Symantec research on the state of privacy in Europe shows how seriously GDPR is being taken:
Many of the customers I talk to about GDPR misunderstand the penalties, the risk and the consequences of failing GDPR compliance. I’ve met people who think that fines will go to the EU budget. Others are unsure whether local or global turnover is used to calculate fines. Some hope that Brexit may provide them with a safe haven. A frequent statement is that “we are not going to be ready and no one else will be either”. Another remark is “do you really believe the authorities will start issuing fines up to 4% of companies’ global turnover?” Or “our investment in Europe is relatively small despite the fact that we serve a lot of Europeans. Why would the authorities target us?”
How stringent will regulators be?
In a recent meeting with regulators and European officials, some regulators seemed willing to “take industry by the hand” and lead them to compliance. Others want to be enforcers. At the moment, nobody knows for sure how enforcement will take shape. We do know that the fines are described in the law like this:
What I will say is that your current compliance situation affects the level of enforcement your organisation risks facing. The argument goes like this: the old 95/46/EC law follows largely the same principles as GDPR, but the latter is much more detailed and results-oriented. However, because 95/46/EC has existed for 22 years, those already fully compliant with 95/46/EC can reach GDPR as an evolutionary step. Not being ready on time in 2018, but working your way up from 95/46/EC, doesn’t protect you, but it is likely to get you into less trouble.
Those not in full compliance now with 95/46/EC have a tough road ahead. Why? If you haven’t met 22-year-old standards by now, you are less likely to be able to fulfil the requirements of GDPR anytime soon. This situation results in companies “rushing through” a GDPR compliance program. This is expensive but probably the only way to mitigate the risk.
GDPR expands the “risk surface”
95/46/EC created a system of “approximated” national laws. One of the consequences of “approximation” was that breaking the law in one country hopefully “contained” the infraction to that country. With GDPR the law is harmonised, and full cooperation between data protection authorities is a key component of it. Consequently, a violation of the law in one EU jurisdiction may actually result in violations in multiple EU jurisdictions. Suddenly the “risk surface” is all of the territories within the EU in which you do business, making it riskier to be caught breaking privacy rules.
GDPR has global reach
If you are doing business in Europe, even remotely, you must comply with GDPR. If serving EU customers directly or indirectly, GDPR will apply to you via contract. Factors to consider are the maturity of the privacy compliance program and the risk to data caused by an infraction. The size of your investment or presence in a country could be relevant depending on the circumstances.
What triggers an investigation?
What could actually trigger an investigation is complex. Here are three factors to consider:
How soon are we going to see fines, and how large will they be?
The views among data protection authorities differ. Remember that fines based on global annual turnover are an idea that comes from EU competition law. However, the 10 million threshold of GDPR penalties has already been exceeded by recent decisions of the Italian Data Protection Authority. France and Germany have already taken steps to increase the sanction powers of their national data protection authorities in preparation for GDPR.
How are fines calculated?
By looking at the particular circumstances of every case. The recent Garante decision is a good example. Some of the factors that will be taken into consideration include:
In reality, at this stage it’s impossible to predict exactly how GDPR will be enforced. Any prediction may go out of the window if a major privacy scandal erupts, something like the Snowden disclosures back in 2013. GDPR has real teeth, and it’s becoming pretty clear that it will be a game changer in risk, enforcement, compliance and business practices. The less risky strategy is to focus on compliance rather than becoming a test case in Europe. A question often asked is whether one should apply GDPR to non-European data. A lot depends on the business model of each organisation, but more and more practitioners seem to give the same answer: it is easier to have a single policy, a single standard across the organisation, and the highest one at the moment is GDPR.
One should also remember that although the GDPR fines have attracted public attention, Data Protection Authorities have many more arrows in their quiver that may prove even more problematic than the fines. Decisions by DPAs such as a ban on processing certain categories of data or a suspension of data flows can kill complete business models. In addition, unlike the fines, which have the caps previously mentioned, the liability and right of compensation towards data subjects cannot be capped.
The good news for practitioners is that the prospect of large fines and damage to brand reputation will get you a conversation with the board! While that’s important at an operational level, I think GDPR offers so much more. It’s an opportunity to be far better than we are today at managing and securing information. Because information fires up competitive advantage, better information management means better business. Get the foundations of information management right with GDPR and your organisation will have its house in order, ready for a new level of success.