Cyberattacks. Data breaches. New privacy regulations. Natural disasters. People and companies around the world were faced with many challenges related to these disruptive events, among others, during 2018.
A new year comes with a new set of challenges; it is important to take into account what we learned in 2018, and what companies can do better in 2019 when it comes to managing risk and maintaining resilience. Before I delve into my predictions for risk management in the coming year, a few observations from 2018:
- We realize now, more than ever, just how vulnerable customer and corporate data is to hacks, breaches, and other liabilities. Some of the most covered news stories of the past year revolved around data breaches involving companies such as British Airways, T-Mobile, Saks Fifth Avenue and Lord & Taylor, and Google+. Exposed data included names, email addresses, passport numbers, credit card numbers, and encrypted passwords.
- The increasing number of digital records belonging to consumers, enterprises, medical facilities, and government entities has led to the development of stricter and more comprehensive regulations. The largest of these was the General Data Protection Regulation (GDPR), which was fully implemented on May 25, 2018, and regulates how companies are required to protect European Union citizens’ personal data.
- Third-party service providers are under more scrutiny for how they store and protect data shared by their partners. During the incident involving Saks and Lord & Taylor, for example, cybercriminals tapped into an unsecured point-of-sale system and stole more than 5 million customer credit card numbers. Enterprises with partnerships like these are becoming much more vigilant when it comes to assessing third-party vendors.
These issues aren’t going away, and will certainly evolve in the coming year to present different challenges. New trends in risk and resilience will also emerge as crucial factors. Below is a look at what I see as the four most important components for businesses to focus on to keep themselves, and their customers, secure in 2019.
Risk Enterprise Organizations Face
Beginning this year, data breaches and consumer privacy will likely become the top risk to companies around the world. This is due to the large-scale data breaches many businesses endured in 2018; new legislation like GDPR that is more comprehensive and punitive for companies that do not protect their customers’ and their own data; and larger fines for companies that do not take the necessary steps to manage risk and ensure security.
According to a 2018 study from IBM, the average global cost of a data breach stands at $3.86 million, up 6.4 percent from 2017. The average cost for each lost or stolen record containing sensitive and confidential information in 2018 was $148, an increase of 4.8 percent over 2017. It stands to reason that these numbers will rise in 2019.
Companies around the world, in nearly every industry, are retaining more data related to their customers, partner companies, and proprietary/confidential corporate material. Simultaneously, hackers continue to refine and improve their methods of attack in an attempt to stay a step ahead of security protocols. These elements create an environment where the threats to company data are always increasing – a fact that is sure to be top of mind for enterprise leaders in 2019.
Cybersecurity on the Rise
The economic impact of data breaches over the past several years has not been enough to pressure businesses to invest as heavily as they should in cybersecurity. The fines have not been severe, and the loss of customers has been minimal.
However, all that is changing.
Companies that suffered cyberattacks in the past year have received negative news coverage, leading to loss of customers and damage to their reputations. New legislation like GDPR and similar pending regulations, like the California Consumer Privacy Act (CCPA), levy substantial fines that can severely impact an enterprise’s bottom line.
The trend toward harsher consequences will continue in the coming year to ensure companies are taking data retention as seriously as possible. As a result, companies will incorporate more comprehensive and resilient cybersecurity methods into their best practices.
A possible return of ransomware should also push businesses to take a hard look at their data protection procedures. Perhaps the most famous ransomware attack, WannaCry, occurred in 2017 and hijacked 200,000 computers in 150 countries. According to a report from Cybersecurity Ventures, we can expect a ransomware attack on businesses every 14 seconds by the end of 2019, up from every 40 seconds in 2016.
Adapting to Regulations
After nearly four years of debate, the EU Parliament approved GDPR in 2016. Two years later, it was implemented as fully enforceable law and is considered the most important change to data privacy regulation in 20 years.
GDPR consolidated all privacy laws in the EU into one consistent regulation. It expanded the privacy rights granted to individuals in every EU country and placed many new obligations on organizations that market to, track, or handle personal data of EU residents, no matter where the organization is located.
Despite the years of debate and two years of lead time to become compliant once GDPR was finally passed, many companies were not prepared. A survey conducted by law firm McDermott Will & Emery and the Ponemon Institute during the weeks leading up to GDPR taking effect found that 40 percent of respondents said their companies would not be compliant until after the deadline.
As a result, lawsuits totaling billions of dollars have been filed due to GDPR breaches. Many companies around the world that do business in the EU are still working to catch up to the new regulations and, should they experience a breach, will face fines that are much more severe than pre-GDPR.
But as companies continue to adjust to GDPR and work to comply, new legislation in 2019 will make the data protection landscape even more complex. For example, in the United States, the CCPA passed in June 2018 and goes into effect on Jan. 1, 2020. It takes many of the protections in GDPR and applies them to residents of California. Canada has since introduced similar legislation, called the Personal Information Protection and Electronic Documents Act (PIPEDA).
It is clear that GDPR was simply the tipping point for new, much stricter data security regulations, and it’s safe to say 2019 will see more governments introduce data privacy regulations of their own.
Securing the Cloud
A Gartner study predicts that, by 2020, 95 percent of breaches in the cloud will be caused by companies not configuring their cloud services correctly – in other words, many companies will store their data in a perfectly secure cloud but will not take the necessary steps to ensure they are doing so securely.
Automation is key to cloud security, and engineers are focused on maintaining systems to that end. Because of this, a good amount of responsibility shifts to the end user companies that must move past legacy IT solutions to configure security in the cloud. In 2019, IT teams will need to re-tool their approach to better understand how security operations work in the cloud.
But cloud security is, and will remain, a shared responsibility model; the burden of data security falls on cloud service providers as well. As cloud adoption increases, there will also be an uptick in the need for third-party management around cloud service providers, driven by the constant threat of crippling data breaches.
The digital supply chain is evolving, and there is a greater need to assess vendors for effective security protocols. We will continue to see this through 2019, as enterprises put additional contract obligations on cloud service providers and require adherence to stricter security, privacy, and availability obligations. GDPR and CCPA are strongly influencing these heightened security measures as well.
A More Secure and Regulated Landscape
Many of the developments in data security throughout 2018 have set the stage for 2019. GDPR was the first domino to fall in what will be an increasingly regulated world for enterprise organizations. To that end, we will see more investment in cybersecurity and cloud security to fight the constant threat of hackers.
Unfortunately, it likely won’t be long before we learn of yet another massive data breach that affects millions of consumers. The approach companies take to securing customer data, as well as their own data, is improving, but we have a long way to go.
The world is changing at a head-spinning rate. Plans and protocols must be agile, and organizations will need to consider the lessons we’ve learned over the past several years and build on them to be successful in 2019.
Written by: Cory Cowgill, Chief Technology Officer, Fusion Risk Management.