Did you know?
The General Data Protection Regulation (GDPR) will take effect May 25, 2018. This will affect global organizations that hold or process personal data of any European Union resident. The definition of “personal data” is much broader than in current US compliance regulations, and penalties for non-compliance are 20 million Euros or 4% of global revenue, whichever is higher.
Moving data into the cloud does not change your duty to protect it. There is a common misconception that by moving to the cloud, organizations can outsource the security of their data, but the responsibility cannot be outsourced. Many businesses fail to read the terms of the cloud provider’s agreements, which clearly state what the provider is and is not providing. It is critical to create a matrix of responsibility for each cloud-based service to confirm that you are covering the protections the provider does not – especially if you fall under compliance guidelines and/or maintain sensitive data in the cloud.
Government agencies are becoming more involved in proactive enforcement of cybersecurity and compliance. We saw this start in 2016 when government subcontractors were told they needed to comply with the National Institute of Standards & Technology (NIST) 800-171, and those who didn’t were no longer eligible to fulfill contracts. The Office of Civil Rights (OCR) announced that it will be looking closely at breach reporting by healthcare organizations via an audit program that will include fines and corrective action plans. The biggest enforcer to date has been the Federal Trade Commission (FTC), which has begun to levy major fines against businesses for “unreasonable data security”, and may be looking next at the education sector.
Organizations continue to struggle with threat detection and incident response. This includes everyone from SMBs to enterprises, as we saw with the breaches at Equifax and Uber. Dark Reading published “7 SIEM Situations That Can Sack Security Teams”, which explains some of the challenges with common detection tools (and even some outsourced monitoring services). Very few organizations have true incident response programs: written plans, scenarios run through in tabletop exercises, and identified resources to contact if an event needs to be escalated to an incident.
There were over 200,000 unfilled cybersecurity positions at the beginning of 2017, and CSO Online has predicted it will triple by 2021. Gartner’s 2017 report estimates that by 2019, security outsourcing services will make up approximately 3/4 of spending on security software and hardware. It’s clear that technical controls alone are not able to prevent breaches, and a more holistic approach to cybersecurity is needed.
The impact of a breach goes beyond the cost of remediation. The costs of investigations, notifications, and putting controls in place to prevent future events are only the tip of the iceberg. Post-breach lawsuits are on the rise, fines are being levied, C-levels are being held accountable, and company valuations often plummet, costing millions more.