A relatively new set of guidelines enacted in the European Union requires many global organizations to reconsider their security practices and update their protective measures.
A quick review of 2017 suggests that it was the worst year on record for cybersecurity – phrases like “data breach”, “phishing”, and “hackers” were uttered in the news so often that we became numb to the shock factor. Checking our credit reports and changing our passwords yet again for banking, credit cards, email, and everything else that impacts daily life is now nearly a quarterly requirement.
What makes cybersecurity such a complex concept is that it’s something we can’t see and that most consumers can’t even fully understand. These are the very elements that put consumers at the greatest risk because fighting an enemy when we don’t know its weaknesses seems challenging, but when the enemy knows ours, it’s terrifying. Cybercriminals are always working to stay one step ahead of the latest steps that consumers take to protect themselves.
What can we expect in 2018? It’s safe to assume that things may get worse before they get better. In many ways, organizations are still playing catch-up when it comes to cybersecurity. Hackers continue to outthink the latest developments in cybersecurity – and how? Because we make it too easy.
Yes, we make it easy – a breakdown in the corporate communication chain, not enough allocations in the budget, and inefficiencies in our security personnel or protocol are just a few of the factors that contribute to why we can’t keep up with hackers.
Is tech about to become all doom and gloom? Not a chance – and those fighting back are doing so with a vengeance. It’s true that governing bodies can’t pass legislation fast enough to keep up with hackers, but it’s also true that we can’t expect hackers to fear the law or those who enforce it.
Have you heard of the General Data Protection Regulation (GDPR)? If your organization has ever done business in Europe, you’ve either heard of it, or you will very soon. In early 2016, the European Parliament began mandating that companies that operate in, do business with, or ultimately collect data on citizens in EU countries will be subject to strict rules enacted to protect these consumers.
While the GDPR is meant to simplify regulations with exceptional standards of consumer data protection throughout 28 EU member nations, the burden falls on hundreds, possibly thousands of businesses employing innumerable IT security personnel responsible for overseeing the implementation of updated standards to meet new requirements.
Now, you may read this and say to yourself, “I don’t do business in Europe or with citizens of EU countries, so this doesn’t apply to me”. Wrong!
While technically these rules may not apply to you, it’s likely that these rules and guidelines will swiftly spread and become the basis for consumer data protection and cybersecurity in general. Initially, regulators are not likely to audit organizations for compliance with GDPR regulations, and leniency is expected in the event of a data breach if the company can detail the cybersecurity measures, following these rules, that it took to protect consumer data. As with every data breach you’ve read about in the last several months, this will initially be a reactive measure, but it’s still indicative of new cybersecurity standards.
With the May 25 deadline looming, the question is if IT staff at affected organizations have spent the last 18 months properly preparing. That being said, there are several impacts we can predict for 2018:
- Many, if not most, U.S. companies will not meet GDPR compliance by the deadline
  - American organizations have certain expectations that have long since been established by our federal government, and we employ an arsenal of auditors and legal experts to read through thousands of sheets of fine print to understand complex guidelines. The GDPR will be no different.
  - International law does not add clarity to the situation, and where regulations contradict established laws or expectations based on domestic operations, the cost to continue business will be weighed against the benefits – and the risks.
  - It’s quite common in the U.S. to apply for an extension to a deadline, but that’s not likely to be an option in this case.
- GDPR regulators will quickly make an example of an organization
  - Those that have not made every effort to comply with guidelines will be dealt with more harshly in an attempt to reinforce the strong position that American companies need to take action.
- The decline of password-only protection will accelerate
  - Even situations where passwords require capital and lowercase letters, numbers, special characters and a minimum character count are becoming obsolete.
  - Just as recent versions of Apple’s iPhone required Touch ID, and the latest version incorporates facial recognition, we can expect much higher levels of security to access personally identifiable information (PII).
- Attacks via compromised IoT devices will get worse
  - Physical devices that connect to the Internet can still be hacked. This network connectivity is what makes these devices so attractive, in that they allow the collection and exchange of personal data – and that needs to be secure. For the most part, we will be reactive until manufacturers build devices that are “unhackable”.
- Automation of some threat-detection tasks will increase
  - Automation is our best friend and our worst enemy, simultaneously. When the idea of writing code to automate tasks first exploded — given the appeal of efficiency and cost-cutting capability — we opened ourselves to being hacked and offered yet another entry point through a cybersecurity vulnerability.
Consider the last time you received an email from a friend or colleague that seemed like their email address was compromised. It was likely a message promoting hair growth vitamins, or from someone claiming to be from Google who recommended you reset your password immediately – but neither the web link nor the “from” email address had anything to do with Google. These seemed like obvious threats that are easy enough to ignore.
What happens if a hacker gains access to the webcam on your laptop and reads your personal data through the reflection in your eyeglasses? This seemed far-fetched a decade ago, but today? It’s a genuine concern. Imagine that type of scenario but a hundredfold in complexity, and with access to global consumer data – what do you need to do to be ready?
Knowledge is power: arm yourself with an arsenal of information and be transparent in all professional relationships. We’ll face 2018 together, and emerge stronger in 2019 – together.
Published on 13th February 2018 by Ian Brady.