The Cyber Security Implications of the EU GDPR: What You Need to Know!
After several years of preparation and debate, the General Data Protection Regulation (GDPR) will become enforceable on May 25, 2018. Many companies may not have the correct countermeasures in place to mitigate against the risks associated with the new legislation. Some won’t have all of their digital assets accounted for due to a lack of a proper consolidation strategy.
Join CSC® experts, product director for domains and security, Ken Linscott, and director of domain product management, Ben Anderson, for a free webinar about how to make sure you’re ready for the GDPR May deadline.
In The Cyber Security Implications of the EU GDPR: What You Need to Know!, Ken and Ben will address:
- GDPR and ICANN: What's happening to our WHOIS?
- GDPR, risk management, and digital asset security, including specific risks, mitigation recommendations, and technologies that can help with compliance
Anu: Hello everyone, and welcome to today's webinar, "The Cybersecurity implications of the EU GDPR: what you need to know." My name is Anu Shah and I will be your moderator. Before we get started I'd like to make a few announcements.
All of your phone lines will be on mute for the duration of our session. However, you can enter your questions in comments in the Q&A widget at any time during the presentation. If you're having difficulty hearing the presenters through your computer speakers, please dial into the teleconference line. The phone numbers and conference room number are listed on the left side of your screen.
At the bottom of your screen are multiple widgets you can use. All the widgets are resizable and movable, so feel free to move them around to get the most out of your desktop space. You can expand your side area or maximize it to full screen by clicking on the arrows in the top right corner. You will find a PDF copy of today's presentation and a link to the DBS blog, Digital Brand Insider, in the resource widget. We encourage you to download any resources or links that you may find useful.
Joining us today are Ken Linscott and Ben Anderson. Ken is the product director for Domain and Security Services at CSC. His 18 years of experience in digital asset management and online brand protection were integral in the development of CSC's Digital Optimization plan.
Ben is the director of Domain Product Management, including new generic top-level domain (gTLD) services, in the Digital Brand Services division of CSC. He is responsible for overseeing the development of the company's product portfolio and proposition. And with that, let's welcome Ken Linscott and Ben Anderson.
Ben: Thank you, Anu, and welcome, everyone joining us today. My name is Ben Anderson, and what we'll do is we'll get started, but just a small caveat before we start. This is not legal advice and should not be taken as such, so please contact your own counsel if you have any questions relating to GDPR and its impact on your business.
So as the title suggests, today we're going to be looking at GDPR, what it is, why you should care from a digital asset management perspective, and also five recommendations that you may wish to consider internally within your own business.
So I'm not going to spend too much time in this area in terms of what GDPR is. We'll focus more on the potential impacts on the global WHOIS system later on and what it means from a domain name management and enforcement perspective because many of you on this call will probably be well-versed in GDPR, as it has the potential to touch many aspects of your respective businesses. But for those not familiar with what it is, the General Data Protection Regulation, or GDPR, is an EU regulation that's been designed to harmonize laws surrounding data privacy across Europe and it reshapes the way organizations across the globe approach data privacy when dealing with EU systems. It comes into effect on May the 25th of this year and applies not only to EU entities dealing with personal data anywhere in the world, but also entities outside of the EU dealing with personal data of EU residents.
Non-compliance comes with substantial risk in the form of fines, and those are €20 million or 4% of the global annual revenue of the non-compliant organization, and it will be the higher of those two figures which will be considered as the fine. So the fines are certainly not small.
When it comes to digital asset management, transparency, accountability, data minimization and retention, and security and protection of data are the key guiding principles. And GDPR is essentially data protection by design. An organization should be implementing and documenting their approach to data protection in an effective manner. In all cases, companies will need to have an effective data breach management program in place, and that should be not just for handling the immediate threat posed by such a breach but also reporting to the relevant authorities during or after that breach.
Ken will be talking a little later about what brands can do to better secure their digital assets and how CSC can assist, but here are some initial points about why you should care and how your online presence and customer interaction could be impacted. It's a growing threat. Data breaches were up almost 23% towards the end of last year, and it's not just the EU looking at data protection regulation. Many other countries and areas are looking at this model as a potential blueprint for their own local regulations. We know some countries are already looking at this and have started their own plans, and those are due to be announced pretty soon.
So, you know, we've seen some headline breaches in recent months, ones that have made the news and not in a very good way. And really, these have the potential to impact a brand's reputation more than previously thought. Customers and everyone on this call as individuals take their privacy and the use of their data seriously, so this is not a small thing anymore and you'll need to consider what happens to your business if such a breach takes place.
Our recommendations really to help you prepare are to conduct a GAP analysis and audit what personal data you're dealing with, where it's stored, processed, and who has access to it. Make sure you review and update your data protection policies and processes. These should include your domains, your SSL certificates, and a lot of the other things that also go with those, especially how you manage and maintain them.
All of your transaction and data collection points should be secure, and Ken will talk more closely about how you can do that with CSC, but this is an area that is often overlooked and maybe one of the last points to consider when you do a thorough GDPR review inside of your business. Your sites may be secure, but what about the domains themselves?
And ensure you've conducted an end-to-end review of your supply chain. Ensure your suppliers are compliant. That includes us, CSC, or your domain hosting or SSL provider if not CSC, and please make sure that you are continuously monitoring those supplies and self-assessing your business to ensure that your privacy management is well taken care of.
In summary, let's really see GDPR as actually quite a good thing from an individual perspective, but also it's a simpler way of handling privacy across an entire continent. Many of us that have been working on GDPR for the last two years know that whilst this has been a lengthy process, it's also a great opportunity to get our houses in order, and, ultimately, it's a great way to inspire trust in a brand.
So with that brief summary of GDPR, let's move on to the more spicy topic that's currently the subject of much debate, and that is the WHOIS system and the impact that GDPR will have on it. So for those of you that know, the global WHOIS system is probably . . . well, it is as old as domains themselves and is a way of finding out who owns a domain. The WHOIS displays a significant amount of personal information and data including your name, address, phone number, and email, and that's not just for the registrant of the domain but also the other three contacts: the admin, the technical, and the billing.
And we all know that these have been overly abused for many years now, and the WHOIS is a way of harvesting information for the use of unsolicited communication and much worse. And in a recent test case for the ICANN compliance team, the Dutch Data Protection Authority claimed the publication of personal data by the .Amsterdam Registry through the WHOIS was in direct contravention of the local law of the Netherlands, but also GDPR. And the Registry needed to make a choice between adhering to local law or ICANN compliance, and they chose the former. And after much debate, ICANN accepted that, so these registries now don't display that information in their WHOIS, which is against the contractual points that they have in their contract with ICANN.
And the thing is, it's fair to say that in spite of various attempts to get ICANN organized to bring GDPR into focus, they've arrived at this party extremely late. And so after a lot of pressure ICANN has finally announced three models designed to address the WHOIS issue. This was done in conjunction with ICANN's law firm Hamilton's, and you'll see on your screen the timeline that's been set out and that ICANN has been working toward, and that, as with all things ICANN, is now delayed.
And really it's . . . there's not going to be much time for the registries and registrars to implement the model that ICANN suggests. At that timeline, if they kept to the points, it was three and a half months, and that time is slowly moving away now, so there's going to be little time for registries and registrars to implement one of the models that ICANN suggests, but also not much time for those who are reliant on the WHOIS for various different things to change the way they follow their business processes using WHOIS data and also the way they manage domains as well.
And this isn't just about ICANN and gTLDs; ccTLD operators are also working on addressing the WHOIS issue and the impact that GDPR has on it. We're lucky in the fact that obviously ICANN oversees all the gTLDs, but the ccTLD operators are all working on their own separate models because they're not under one banner. So this timeline is moving forward and there's still not much clarity in terms of the models and the impact that any of these models will have on the WHOIS.
So at a high level there's some descriptions on your screen now of ICANN's three models. The first model . . . I'll explain these different data points in a few slides, but Model 1 would allow for the display of the Thick registration information, that's really just the domain, the expiry date, the registrar, and the name servers. And then being able to gain access to the additional data, the social data, or personal identification information of individuals, they would need to go through a separate system and then will be granted access to that data. That would be a self-certification model, but is one that many are saying within the ICANN community and outside of that is in contravention with GDPR.
The second model would allow for the display of some of the Thin registration data, but ultimately only two data points. That would be the email address of the technical contact and the email address of the administrative contact. And I think for those of you who use the WHOIS regularly or rely on services that use WHOIS data, you'll know that those two data points aren't really particularly useful when it comes to enforcement or trying to ascertain who owns a domain.
There are two variations within Model 2, 2A and 2B. 2A applies only to registrants within the European Economic Area, the EEA, and 2B will be applied to the WHOIS output globally, so no matter where the registrant came from, that data will be redacted or removed.
And then the third model would apply, again, to registrations on a global basis, but in order to get information on who owns the domain, so the standard WHOIS information, the requester would need to provide a subpoena or court order in order to get that information, so finding out who owns a domain will become a lot harder. So as I mentioned, we'll look at the data points in a little bit more detail. And what we've done here is we've separated out the known data points into the distinct three ICANN models.
This is the standard information that is shown for any domain name, and specifically, for .com and .net, it is the only information that Verisign, the registry operator, publishes. The remainder of the data is published by the registrars themselves, but for all of these models this will be the data that will be available for those querying the WHOIS, and that will be the domain itself, the expiry date, the creation date, the name servers, and also, what will probably become a lot more important, the abuse contact of the registrar themselves. So this data pretty much remains the same. It doesn't show any personal information. It's for each and every domain.
But looking at the actual social data that we currently see and use today, under each of these models you'll see what will be removed and that's represented in red. So under Model 1 for a natural person, an individual, we'll still see a lot of their information, but some will not be displayed, specifically their phone number and email address, but their street address will still be visible. To legal persons or organizations that have registered a domain, all of that information will remain available.
Model 2 in both the A and B separation redacts all of this information with the exception of the admin email address and the technical email address. And then in Model 3 all of it is removed and, again, the requester who wanted to see that information will need to apply to a court or get a subpoena or something similar within your own jurisdiction in order to get access to that information.
Now, we've spent a lot of time with ICANN, the organization, over the last few weeks, both at their office in LA, over the phone, and at various meetings. And what we can say right now is that there's a leaning towards Model 2B, so that's where all the information, with the exception of the admin email address and technical email address, all of that will be removed and only those two data points shown, as well as the information we've shown on the previous slide.
So that may well change. There are additional models. ICANN asked for community input on those models and I think this is probably best shown in this slide which we've taken from ICANN and this maps out all of the different models and their impact on the global availability of WHOIS. To the right hand side is the current model where you can see all the information, and then those move over towards the left.
The further left they go, the more conservative they become, but I think at the moment there is little motivation for ICANN to choose these community-suggested models. The Eco model is one that a lot of the industry has got behind but we'll wait to see what happens in terms of that model itself. So right now the understanding is, and I'll get back to it just so everyone can see, that model in between Model 2 appears to be one that is likely to happen.
So the question is really what would that mean for our customers and what does that mean for you in terms of the way they use the WHOIS data for the various different reasons? Well, the visibility of who owns and controls a domain will become less. It will be more difficult to identify who owns a domain and more difficult to take action against registrants on your own.
So many organizations, rather than relying on the dispute services, can issue cease and desist letters or even contact registrants to let them know that they may be potentially infringing on rights. So without knowing who to contact and without knowing who owns a domain that becomes a lot more difficult and means that where there are domains that potentially infringe, you'll be reliant on the standard dispute processes which come with cost and a certain amount of complexity.
Also, when it comes to auditing domains, still a lot of companies have domains through lots of different providers. Local offices will often register domains themselves, and so now is a really, really important time to consider whether or not you should be auditing where your domains are being registered, who is registering them, and who owns them, because visibility and services that allow you to find out who owns domain names will likely disappear.
And, again, this comes down to the ownership of your own domains themselves. We've long suggested the use of generic contacts and generic email addresses is the best way to manage your portfolio, so companies should really look to consider rationalizing and minimizing the ownership of their own domains because it's likely that a lot of this information will no longer be available.
So I'm hoping that's helped briefly explain the current situation, and I'm available any time for any of our customers that wish to discuss this further. But now what I'll do is I'll hand over to Ken who will explain what action you can take and how to secure your digital assets.
Ken: Thank you very much, Ben. That was very interesting. So as Ben said, I'm going to speak about the security measures that every company should address in the wake of the upcoming data regulation change. And really the starting point for that, Ben touched on it briefly, and that is Article 32 which states, "The controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk." It's fantastic but it doesn't tell us exactly what we need to do. So I think the starting point for us is with digital assets in mind is really to understand what your digital assets are.
And so we have here a slide that is really looking to explain that in order for you to maintain your company or your brand's presence online, you're using a whole multitude of different digital assets. Some really obvious ones, domains, DNS, SSL certificates, but perhaps more recently social media usernames and mobile apps. And over time, as the number of these assets has grown, the brand has naturally become a bigger target and a more fractured one because each of these assets are known to be a weak point which are vulnerable to exploitation by cyber criminals and by hackers. And so failure to administer these correctly or to implement the appropriate technical and organizational measures can result in a breach.
So I think this will be . . . it won't be news to anyone on the call. I think we're all aware that cyber threats are typically originating from two categories. There are others, but the vast majority and where we're going to focus today is on hacktivists and cyber criminals.
So hacktivists, they're looking to gain unauthorized access to systems. They're politically or socially motivated, but even though they're not focused on making money, obviously their actions can have a significant financial and reputational impact on the companies that they target. And we're thinking about groups like the Syrian Electronic Army, Anonymous, Lizard Squad, all of these groups that you see in the press on a fairly regular basis.
On the other hand, and probably more concerning, because they account for typically over 75% of cyber attacks, are the cyber criminals. And, you know, they're individuals or organizations that are highly sophisticated. They're looking to exploit systems through various attack vectors that we have listed on the left-hand side there. They are great at combining those attack vectors to great effect, and they're looking to steal money, financial theft, they're looking at corporate espionage, and in relation to GDPR, they're looking to steal data.
So the question is what are the specific risks around digital assets? As brand owners, what can we do to better secure those digital assets? So as Ben alluded to, I'm going through six recommendations which will help mitigate the threats and I think put you in the best possible place to avoid a data breach via these digital assets.
So the first recommendation, and Ben touched on it a moment ago, is to audit and consolidate, to understand what you have, and to bring that all under one management. So I've been in the industry a long time, 18 years, and it still surprises me how many brand owners still don't have a full accounting of their domains, their DNS providers, or their SSL certificates. You know, if you don't know what you have, how can you manage it? How can you secure it? How can you identify issues? And how can you resolve weaknesses?
So our recommendation is not revolutionary. Our recommendation is very simple. It's reduce the risk by consolidating your assets with a corporate provider who's focused on service, security, and strategy.
And a couple of examples of why this is really important. You want to avoid forgetting to renew a domain name that is really important to your business. And in this example from the end of last year, Samsung forgot to renew a domain name which was associated with its S Suggest app. If you're not familiar with Samsung smartphones, they all have the S Suggest app built into them. And in this case the domain was picked up by a security researcher, who, in a period of 24 hours, tracked the fact that 620,000,000 connections were made to that domain name by 2.1 million devices.
In the same regard, you can look at SSLs and the risks around forgetting to replace an important SSL certificate. And, you know, in many cases the damage would be reputational, but this is an example . . . I think it goes back to 2015. It's one of Opera. It's a US browser. They didn't replace their certificate, and by failing to do that they created a vulnerability that was used by cyber criminals to install malware.
And so in both cases the solution is very easy. It's consolidate with a corporate provider for better renewal and replacement management. And I think in relation to what Ben was saying earlier, you know, particularly around domain names, the fact that the information that we will be able to access on the WHOIS is going to change means that there is . . . if you haven't audited your domain profile and you don't know where your domains are managed, you're running out of time to be able to do that with the information that we have today because it's going to change.
Our second recommendation is to select your vendors carefully. Ultimately, you're only as secure as your provider, and, again, Ben, alluded to this also. So regardless of whether we're thinking about digital assets or anything else to do with the systems within your companies and the data that you store, you should be looking at every single vendor that you have and making sure that they are living up to the standard that you are expecting and setting in terms of security. And within digital asset management I think there are three main things to consider.
The first of those is how secure is that provider from a renewal of domains or replacement of SSL certificates? We've just seen a couple of examples of where, you know, it didn't work. Here's another example, again, from the end of last year. Dell, using a retail registrar for the management of a domain name which was important to their business.
That domain was not renewed. The suspicion here is that a credit card expired and the auto-renew process within this retail registrar required a valid credit card. And the domain expired. It got picked up by cyber criminals. They used it to install malware on visitors to that site. So, you know, retail registrars, they don't offer credit on account, and therefore there is a track record of those types of suppliers letting down brand owners when it comes to things like renewing domains.
The second piece on this is, well, look at your provider and look at whether they've succumbed to DNS hijacking. So for those that aren't aware of DNS hijacking, this is where unauthorized access is gained to a domain management account. That's by obtaining passwords through phishing or social engineering. And of course, once the cyber criminal has been . . . you know, has got access to that system, they have the ability to do all sorts of things, and the thing they'll really go for first is to change the DNS, and they'll change it to their DNS, and by doing that, they'll take control of the website and where it points to, perhaps any email associated with it. They could even impact, you know, if you're using that domain for Voice over IP or VPN access, services like that, they can impact all of that.
And again we see a theme here of low cost or retail providers are more likely to succumb to these sorts of attacks. And a couple of reasons for that. One, is they have a huge number of customers who are regularly targeted in phishing attacks. And secondly, their business model means that they are susceptible to social engineering because, you know, they're running a call center service support structure. Those staff are working shifts, and, you know, ultimately they don't know their customers in the way that you would expect a corporate account management structure to know their customers.
This slide is something we've put together recently. The first thing to notice: there are a lot of examples of DNS hijacking, and the examples that people typically remember are back in 2013, the "New York Times" being hijacked by the Syrian Electronic Army, but more recently Gandi, a French provider, in July of last year, they had 751 of their clients' domain names hijacked and used to install malware.
But by plotting all of these known examples of DNS hijacking I think there are two really clear trends that emerge. Firstly, the attack vector is becoming more common. 2017 was a record year by far and some major domain providers and DNS providers were compromised. But secondly, you can see that this is no longer the tool of hacktivists, which it certainly was back in 2012, 2013. It is now favored by cyber criminals and they're using it to steal data and to steal money.
Just, you know, a note on this is, you know, already in 2018 we've seen two examples of DNS hijacking. One, a cyber currency company hit, $400,000 worth of this cryptocurrency stolen, and second, a web hosting company called Newtec where thousands of their customers were affected. And I think the point here is that, you know, this is at the moment for 2018, one a month, which again will be an increase on what we saw in 2017.
The third piece around looking at your provider is looking at whether they've succumbed to a DDoS attack and, perhaps more importantly, what mechanisms do they have in place to mitigate against one? Can they provide a 100% up-time guarantee for the services they provide? Do they have a track record for providing this? And certainly in the DNS space, I think that 2016 was a wake-up call for everyone because, you know, an enterprise class provider, Dyn, was hit by a huge DDoS attack, and where we would've expected them to be able to deal with it, they struggled. So certainly you now need to look at the track record of all providers regardless of what sort of level of enterprise or level of service they focused on.
In summary then, looking at your vendors: one, some types of providers make better targets than others, so avoid those providers. Two, choose a provider who invests heavily in their systems and their staff to mitigate the threats of phishing and social engineering. And three, choose a provider with a proven track record.
So our third recommendation is simply to secure the access to your digital assets. So once you've understood what you've got and you've consolidated them, whether that's with one provider or with one for domains, DNS, and SSL, you really need to think carefully about how you secure access to them. We've already covered how easy it is to be phished or socially engineered. That's true for your providers, but it's also true for you and your staff. And so what you need to do, you need to consider is well, what technologies exist to help us to protect that access? Because we can do awareness training, phishing awareness training and things like that with our staff all the time, but we're human and humans make mistakes, so what technology can we use to help secure the access?
So first, you know, you need to use things like IP validation. You know, white-listing the list of IP addresses from which a username and password will be valid. You need to be finding a provider that can provide two-factor authentication just in the same way that you log into your bank, you have your user name and password and then a piece of information that you don't know but you have in your hand because it gets sent to you.
Thirdly, you know, look at those that are going further than a two-factor authentication, those that will enable you to use federated identity to access through a single sign on environment. You know, obviously you need to find the provider that can . . . is invested in providing these technologies.
The second thing that you need to do is ensure that the users that are accessing the systems and these portals for you have the right level of access rights. This isn't something that you do once a year or once every six months. This has to be an ongoing process for you, and particularly around digital assets and domain names specifically there are four key actions that people can have access to that are risky and can possibly really negatively affect your business. One is transferring away, the second is lapsing, the third is DNS modifications, and the fourth is zone file changes.
You should be thinking very carefully about who within your organization has the ability to do those four actions, and in our view, minimizing it to those that truly need access and possibly putting in sort of approval mechanisms around people being able to make those changes.
The third piece here is you need to take advantage of some of the security offerings that have been offered by the registries. So if we go back to 2012 when DNS hijacking really became . . . sort of hit the headlines, the registries came out with a solution, and they recognized that the problem here was people getting unauthorized access. But the fact that once they were in the system there was all this automation built to make things happen really quickly, that automation suddenly became the tool of the cyber criminal, and so they found a way called registry locks to basically break that automation and say, "You know what? For this really important name that is being put on a lock we won't accept a request through the system without going through some additional steps." And those steps might be having a validated phone call with a specific person where you swap pass phrases and ensure that it's a valid request. For your business-critical domains, registry locks are the last line of defense, and where they're available we would strongly recommend that you look at putting those in place.
So we say that, but sadly our analysis and our survey in our last cyber security report suggested that only 51% of large brand owners were utilizing registry lock. And from our perspective, with the growing threat of DNS hijacking, the implications of it, the implications that someone can spoof your website and use it to collect even more username-password credentials and perhaps be looking to target your staff and then get into other systems within your business, we think it's an oversight and one that has some correlation to GDPR and what you should be doing there.
And with that in mind, I don't know if people listening saw this example, but this goes back to October, 2016. It's an example of a Brazilian bank. Depending on how you see it, it's the best example or the worst case example of what could potentially happen.
So this bank had 36 active websites. They were all hijacked. The cyber criminals put up exact replicas of that bank's sites and for a period of six hours they routed all of the bank's visitors to the perfectly reconstructed fakes, and of course the marks obediently handed over their account information.
They added some really smart pieces here for cyber criminals. They went to Let's Encrypt, they got themselves free SSL certificates in the bank's name so even when, you know, users went on and checked the SSL certificate they saw that it was registered to the bank so everything looked okay. They would've had the green lock. And they also disguised malware as an update to the bank's browser security plug-in. This was actually a Trojan and it disabled any antivirus software that existed, and so the problem became more than just the user credentials to that bank, it opened up all sorts of other information on those users' computers who were affected.
So, you know, estimates, hundreds of thousands if not millions of users' personal details stolen. So our recommendation here is really straightforward. It's, where possible, you put 2FA and other, sort of, access requirements on the front end of the systems that you're using to access your digital assets, and particularly with domain names in mind for your business-critical domains where possible you put a registry lock in place.
Our fourth recommendation is around securing your assets from the known third party threats, and here I'm thinking about DDoS and I'm thinking about phishing. For DDoS, I'm going to use the example of TalkTalk. Now, the first thing I'm going to say is clearly a DDoS attack is not going to result in data being stolen, but distributed Denial-of-Service attacks are used to mask other attacks and this is what happened with TalkTalk.
So back in 2015 they were hit with a DDoS attack. Everyone within the business was really focused on mitigating that, getting their services back online, meeting the needs of their customers, and while that was happening they were hit with an SQL Injection attack which stole over 150,000 of their customers' personal details. And it's a good example because the story is well known. You know, within a short period of time lots of customers left their business, their profits halved and then they were hit by the Information Commissioner's office in October 2016 with a fine of £400,000.
At the time, the Information Commissioner's office said, "Look, we're fining you because this could've been prevented if there had been some basic steps to protect customers' information."
Under GDPR, the potential fine based on 4% of global annual revenue could've been something like £17 million. We share that I guess not to be scaremongering. It's not clear to me that we would see a maximum fine for the TalkTalk incident. In fact, you know, the £400,000 fine wasn't the maximum they could've received in 2016 under existing laws, so I doubt they would've received a fine of that magnitude.
What I think is more important is to think about what are the basic steps that they missed and what can we learn from those. So the first is clearly SQL Injection. It's a known attack vector. There are things that you should be doing to mitigate that so it doesn't happen, but from a digital asset management perspective, I think my thinking is that there should never be a scenario where being hit with a DDoS attack takes your focus off everything else that is happening within your business.
We should all now be in a position where we are expecting DDoS attacks and that we have the right technologies in place to mitigate them. And so, you know, unfortunately, again, statistics tell us actually only about 50% of businesses worldwide have countermeasures against DDoS, and so our recommendation to this, you know, firstly, you know, DNS needs to be robust. You need that 100% up-time guarantee. You need a provider that has a track record in providing that, but on the other hand, there's a lot of other servers around your business that are key to you being operational and you need a standalone DDoS mitigation service to protect those.
So our recommendation is if you haven't done this thinking about GDPR, now is a good time to review this. It might not change what you're doing today but I think if you go back to some of the earlier comments from Ben, it's really important that you document that review process so if there is a future breach, and a DDoS attack is part of that, that you're able to defend the approach that you've taken.
When it comes to phishing, the example I'm going to use is Anthem. Anthem is the second largest health insurance provider in the US. Again, back in 2015 they were hit. A very small number of their staff were targeted in a phishing attack. It resulted in 80 million customers' details being stolen. And at the end of last year, as you'll see in the title there, they settled for $115 million, the largest settlement of its kind for a data breach. So a couple of things here is, you know, the fines from GDPR are one thing, but GDPR also opens us up to mass litigation and so that has to be taken into account. There are other things, you know, perhaps stop orders and things like that that may, you know, stop you operating until you've complied with GDPR.
But the other piece here is that, you know, again, statistics tell us there are technologies out there, email authentication, the use of DMARC records. That exists and it's very effective in mitigating and reducing phishing attacks yet its uptake has been very low. So again, our recommendation is review this. Understand the risk and potential impacts of phishing attacks against your staff and your customers in relation to GDPR. Look at what you've got in place around phishing awareness, spam filters, all of those things. Include email authentication and make a decision. Check that you've got the right level of protection in place. It might not change what you're doing today, but document that review process.
Our fifth recommendation is to implement technologies, sorry, that can help with policy compliance. And this is quite a short recommendation, there are two things I think are commonly overlooked. Firstly, domain monitoring. You know, a lot of brand owners think about that in terms of understanding what third parties are doing, but there's a big element of this which is policing your centralization policy with GDPR in mind. You know, having a full accounting of your digital assets is really important, so if you're not doing domain monitoring, it's low cost. It's really effective in doing that, something you should consider.
And the second is the use of CAA records on the zone file to help on your sort of consolidation and your centralization policy of using SSL certificates. So a CAA record basically on a domain name means if the CAA record says "Comodo," it means that the only SSL certificate that can be put on that domain name is a Comodo certificate, so it's designed to help you minimize people around your business going off and registering SSL certificates with various different providers.
Our final recommendation then is to match a multi-stakeholder approach with a partner who can provide valuable insights, and so hopefully for our customers will be extremely familiar with this but this is, you know, a summary of our digital optimization plan, and we use the digital optimization plan to work with our customers to benchmark where their approach is today and really to highlight areas where we can add value and perhaps identify gaps in their approach where risks exist, and so it will be very . . . you know, if you look at the detail there it will look familiar compared to some of the recommendations we've already talked through today.
We start being able to audit and consolidate. We move on to step two where we're looking to secure and we're securing from the known third party threats of DNS hijacking, DDoS attacks, phishing attacks. Step three is analyzing which of your domains can be safely divested or lapsed based on their relevance to your company and the business they conduct. You know, remembering here that, you know, domains might often have traffic which could, you know, if lapsed and picked up by third parties could be damaging to your business from a data perspective. And step four is around monitoring and enforcing, monitoring your brand across all of the various digital assets, identifying threats and determining whether you need to take action to mitigate them.
Our experience is that where brand owners adopt this style of approach and they use that framework within their business with multiple stakeholders, they get real success. And when we're talking about multiple stakeholders, we're talking about IT, we're talking about legal and compliance, marketing, more and more the security element of the business, and in all of this we're thinking about C-level appreciation of the risks to the business.
And where a brand manages to bring all of the stakeholders together and use that sort of framework, ultimately the approach is to be able to help reduce the risk of a data breach via digital assets because we reduce the likelihood of an attack and the impact. Now, this approach alone won't make you GDPR compliant. Digital asset management is a tiny piece of the overall GDPR sort of landscape, but it will enable you to better protect your data and reduce the risk of a breach by cyber criminals.
So in summary, there are six recommendations listed here on the screen from consolidating your domains to minimize the risks from poor management, selecting your vendors carefully, securing those assets within their management portal, securing the assets from known third party threats, implementing technologies that can help with policy compliance, and then selecting a vendor who can provide real-time security insights into your assets.
So that's my slides finished. We have a few minutes left. Anu, should I pass back to you for questions?
Anu: Yes, Ken, thank you. Thank you, Ben, also. That was great. We will now open up the Q&A session. Also on the screen we have a question for you. Would you like a free audit of your digital assets? Please select one of the options on the screen to indicate how you would like to be contacted, and also, just as a reminder, you can download a copy of today's materials from the resource widget.
So a couple of questions have come in and Ben has answered them, so let's get the few remaining ones in prior to ending the session. What happens if I want a domain taken down? Ben, maybe this will be a question for you to answer.
Ben: Yeah, sure, thanks, Anu. So obviously right now when you look at a domain, whether it contains infringing information or products or is attempting to pass itself off as part of your own portfolio, we usually take a few steps. The first is to contact the registrant and either issue a cease and desist or a, you know, a strongly worded letter asking them to hand back the domain. Some of the other options are to contact the registrar itself and point out that the domain may be breaching their own fair use policies, and thirdly is taking a dispute route, so using one of the standard UDRP processes.
After May the 25th, a lot of those options to begin with will disappear because it will be very difficult to find out who the registrant of the domain actually is, which means we're reliant on the registrar's abuse contact. And depending on where the registrar is based or the registrar's postural position towards abuse will determine how likely it is that you're able to have that domain actually dealt with. So registrars historically will . . . they will not hide behind, but they will use their anti-abuse processes or local law to determine whether or not they take action, and usually it's the case that they won't take any action at all because they would be concerned that any action that they do take may breach additional laws.
So ultimately, the only option available after May 25th will be to take the UDRP route. And UDRP will still remain in place and registrars will still need to respond to UDRP complaints. But as Ken said earlier, taking a review or an audit of the domains you have right now, it could be the case that you may be launching a dispute against your own company because someone in a local office has registered a domain on behalf of a company and not done it centrally.
So handling infringing domains will likely become a lot more complex and lengthy after May 25th.
Anu: Great. Thank you. So, Mark just submitted a question. Do you think it is more likely that legitimate assets can be enforced against by third party if our domains have been registered to private individuals instead of the corporate identity? In other words, should we ensure all official domains' WHOIS details are updated to corporate details? I know they should be anyway but is the risk likely to be greater once it is masked?
Ben: Yeah, so that's actually a really good question and something that I feel quite strongly about. Everything that we're talking about today is an interim model. So going forward, and once ICANN has come up with a method by which the WHOIS can be accessed without it being redacted, so different tiers of access so that law enforcement may access WHOIS data quickly through a system that authenticates they are who they say they are, means that you should always have that contact information up to date even though there is this hope in compliance for maybe a year. As a registrar, we're still required to make sure that the details that you submit are true and up-to-date. And if Model 2B is to be used where the admin and tech contacts' email addresses are visible, then I would strongly recommend and advocate making changes to the ownership of your domain portfolio to one that is uniform that allows for easy identification.
Anu: Great. Thank you. Folks, we've got a couple of questions in regarding the webinar being recorded. Yes, it is being recorded and we will be sharing the URL with everybody after the webinar. You will get it usually within a couple of business days of the webinar wrapping up. Let's get another question in before I let you go. Nick is asking would the changes to WHOIS impact the process for obtaining new domains or perhaps slow that process down?
Ben: Like I said, Nick, no, there should really be no change. Right now the discussion is about the masking of the information. There are further discussions about whether or not some of this information is actually useful anymore or required, so your registrar will still be contractually required to collect the information that you provide for domains that you audit today. It will just be the publication and use of that data that will be impacted. So there'll be no change. It will just be what is visible and where that information is sent and how it's used that is impacted during this interim period.
Anu: Great, thank you, Ben, and thank you, Ken. Folks, that is all the time we have today. If we didn't get to your question we will contact you with a response after the webinar. Thank you to everyone who joined us. We hope to see you next time.