2019: The Year of the Data Breach, Again…
“Magic 8 ball, will 2019 be the Year of the Data Breach…again?”
All signs point to YES.
With the passing of laws like GDPR and PIPEDA, the Marriott Breach, New York Department of Financial Service’s cybersecurity rule deadlines, increased SEC enforcement, and increase in data breach lawsuits, by the time last December ended, there is no doubt that all industry specialists could not wait to label 2018 as the Year of the Data Breach. However, as we sit in the dawn of 2019, it is becoming ever increasingly clear, that 2019 will in fact be, the Year of the Data Breach, Again.
According to European Confederation of Institutes of Internal Auditing’s (ECIIA) annual Risk in Focus 2019 report, “Cybersecurity is the single biggest risk organizations are likely to face over the next year.” Although data security and compliance were not considered by many companies to be of the highest importance, they were rated within the top five more consistently than any other risk, apart from cybersecurity.
The ECIIA says that companies are now moving away from legacy systems and are making good use of penetration testing and ethical hacking to ensure their systems are being brought up to standard. However, this has simply led to hackers attempting to exploit systems in other ways, often by targeting key suppliers or technology partners. Last year, instances of malware being injected into supply chains grew by 200 percent, according to the internet security company Symantec. It is therefore becoming more incumbent on organizations to examine their own connections and relationships with suppliers, with their network only as strong as the weakest link in the chain.
“So, VP of Compliance, what do you expect to see this year?”
My predictions for Cybersecurity Compliance in 2019 are as follows:
- A Spider Web of IT Complication and Regulation
- It’s the Law… almost
- The CTO will be the New CFO
- “We Will No Longer be Your Long Hanging Fruit” - said every small business in 2019.
A Spider Web of IT Complication and Regulation
Regardless of experience or background, 2019 will not be an easy year for information security. My prediction is that it is only going to get more complicated. However, what we are excited to see is the awareness that the breaches of 2018 have brought to information security – how more and more senior executives are realizing that information security needs to be treated as a true business function – and 2019 will only see more of that.
It’s the Law… almost
After the passing of GDPR, legislators domestically have been keeping busy introducing new legislation meant to bolster the U.S.’s cybersecurity and privacy postures. I predict that during the first two quarters of 2019, there will be a significant increase of legislation put forth for approval both in the US and world-wide… for now here are a few of the potential new legislations looking to be passed this year:
National Breach Notification Law
A bill introduced by the House Financial Services Committee would amend the Gramm-Leach-Bliley Act (GLBA) to include a national breach notification law for the financial industry that would supersede the multitude of state laws.
“It is going to take better cooperation from all my colleagues and the industries that handle consumer data in order to advance additional meaningful changes,” the author of the bill, Rep. Blaine Luetkemeyer, R-Mo., said in a statement. “At some point, there will be another major breach, and without a comprehensive solution our constituents will pay the price for our inaction.”
State of California’s SB: 327 – Information privacy: connected devices act
California’s IoT law applies to manufacturers of devices or those who have a device manufactured on its behalf for sale in California. It does not, however, apply to devices purchased for resale, even if they are privately labeled, and some legal experts feel “the law is ambiguous in many respects, and will likely create significant challenges in its implementation and effectiveness,” according to Sudhakar Ramakrishna, CEO, Pulse Secure.
A bipartisan group of representatives has put forth a bill to create a national standard encryption that would supersede any similar standards created on the state or local levels. Representatives Ted W. Lieu D-Calif., Mike Bishop R-Mich., Suzan DelBene D-Wash. and Jim Jordan R-Ohio reintroduced the Ensuring National Constitutional Rights for Your Private Telecommunications (ENCRYPT) Act. If enacted the bill would ensure a uniform, national policy for the interstate issue of encryption technology. “As a computer science major, I can tell you that having 50 different mandatory state-level encryption standards is bad for security, consumers, innovation, and ultimately law enforcement,” Lieu said. Bishop agreed saying the concept of having a central repository is key to defending the nation against cyberattacks.
Rights groups sounded the alarm over the Clarifying Lawful Overseas Use of Data (CLOUD) Act, ostensibly meant to streamline the process through which law enforcement accesses data across borders, saying that it instead would circumvent Fourth Amendment protections and put human rights activists at risk. The act would essentially provide a “backdoor” for law enforcement at home and abroad to access emails, chat logs, videos and photos, “without following the privacy rules where the data is stored,” according to an Electronic Frontier Foundation (EFF) blog post. The CLOUD Act backdoor “operates much in the same way” as provisions under Section 702 of the FISA Amendments Act that let police “search, read and share” private communications without obtaining a warrant, the post states. Essentially, “U.S. police could obtain Americans’ data, and use it against them, without complying with the Fourth Amendment.”
Cyber Diplomacy Act
A bipartisan group of lawmakers cheered the passage of the Cyber Diplomacy Act (H.R. 3776) by the House of Representatives. The bill was introduced by Rep. Edward Royce, R-Calif., and Elliot Engel, D-N.Y., in September 2017 and will now move on to the Senate. If signed into law the Cyber Diplomacy Act would require the government to secure and implement commitments from other countries on proper cyberspace behavior. This would include generating agreements between nations to not support cybercriminal activity such as theft of intellectual property, cooperate in developing measures to keep their territories clear of intentionally wrongful acts using information and communications technology (ICT) in violation of international commitments and promote securely-designed ICT products.
The CTO will be the New CFO
In 2019, cybersecurity concerns will be a major topic in the boardroom and executive offices of every significant enterprise. Major data breaches across different industries has struck fear into CEOs and other officers and board members that their company could be next. What’s more, partners, shareholders and customers now seek to hold corporate leaders ultimately responsible, and that sentiment is only heightened internally within organizations.
2018 has proven that the integrity of a security program is directly connected to a company’s bottom line, posing the questions, will the CTO be the new CFO? After all, data is the new currency, why shouldn’t CTOs also be held to the same reporting standards as traditional business functions.
“We Will No Longer be Your Long Hanging Fruit” - said every small business in 2019.
My final prediction for the year, small businesses will no longer allow themselves to be an easy target - and the hackers know it. In 2019, smaller firms will enlist the same cybersecurity approaches that large enterprises use. This means leveraging the benefits of a robust security operations center.
Small- to midsize businesses and small enterprises will find ways to monitor and detect threats and respond when necessary. The impetus to do so will be accelerated by larger organizations, which will demand that businesses they work with meet certain cybersecurity standards.
However, in the end, hackers today are developing more sophisticated attacks than ever before and so my initial prediction still remains true, “2019: The Year of the Data Breach, Again.”. The good news is that companies today recognize the threats they face and are increasingly discovering new ways to better protect themselves, which in many cases includes the adoption of robust cybersecurity compliance frameworks, such as NIST CSF or ISO 27001, as well as purchasing cybersecurity insurance.