By Cory Cowgill
Chief Technology Officer, Fusion Risk Management
In 2018, organizations faced a variety of obstacles such as cyberattacks, data breaches, privacy regulations, and natural disasters. People and companies around the world were left adjusting and, unfortunately, sometimes scrambling in order to deal with these unforeseen issues.
A new year comes with a new set of challenges. It is important to take into account what we learned from everything the past year dealt us – and how companies can do better in 2019 when it comes to risk and maintaining resilience.
Cory Cowgill, CTO of Fusion Risk Management, recently discussed the challenges enterprise companies will face in the coming year with the editors here at Solutions Review.
Here’s our conversation, edited slightly for readability:
Solutions Review: What key takeaways from 2018 will be the most top-of-mind for businesses entering this New Year?
Cory Cowgill: Beginning this year, data breaches and consumer privacy will likely become the top risk to companies around the world. This is due to the large-scale data breaches many businesses endured in 2018.
We realize now, more than ever, just how vulnerable customer and corporate data is to hacks, breaches, and other liabilities—and the data collected is only increasing. People are quick to only think about the data that is being brought in from consumers. But, it is also important to keep in mind all the data collected from enterprises, medical facilities, and government entities.
Companies around the world, in nearly every industry, are retaining more data related to their customers, parent companies, and proprietary/confidential corporate material. Simultaneously, hackers continue to refine and improve their methods of attack in an attempt to stay a step ahead of security protocols.
These elements create an environment where the threats to company data are always increasing – a fact that is sure to be top of mind for enterprise leaders in 2019. These new takeaways of both the amount of data being brought in, and the emphasis on its vulnerability, have led to major changes – one of the biggest being government-enforced privacy regulations.
SR: The General Data Protection Regulation (GDPR) officially went into effect on May 25, 2018. What challenges will it bring in 2019?
CC: Many companies around the world that do business in the European Union are still working to catch up to the new regulations. Despite nearly four years of debate, and two years of lead time to become compliant after the regulation passed back in 2016, many companies were not prepared.
In fact, a survey conducted by the law firm McDermott Will & Emery and the Ponemon Institute during the weeks leading up to GDPR taking effect found that 40 percent of respondents said their companies would not be compliant until after the deadline. As a result, lawsuits totaling billions of dollars have been filed due to GDPR breaches. Those businesses that are still working on catching up, should they experience a breach, will face fines that are much more severe than they were pre-GDPR.
GDPR is considered the most important change to data privacy regulations in more than 20 years. It consolidated all privacy laws in the EU into one consistent regulation, expanded the privacy rights granted to individuals in every EU country, and placed many new obligations on organizations that market to, track, or handle personal data of EU residents, no matter where the physical organization is located.
And GDPR was only the first domino to fall in what will be an increasingly regulated world for enterprise organizations. For example, in the United States, the California Consumer Privacy Act (CCPA) passed in June 2018 and goes into effect on Jan. 1, 2020. It takes many of the protections in GDPR and applies them to residents of California. Canada has also since introduced similar legislation called the Personal Information Protection and Electronic Documents Act (PIPEDA).
It is clear that GDPR was simply the tipping point for new, much stricter data security regulations, and it’s safe to say 2019 will see more governments introduce data privacy regulations of their own.
SR: How will the ways companies approach cybersecurity change?
CC: Over the past several years, the economic impact has not been enough to pressure businesses to invest as heavily as they should have in cybersecurity. The fines have not been severe and the loss of customers has been minimal.
A major change has been that the companies that suffered cyberattacks in the past year have received negative news coverage, leading to a substantial loss of customers and damage to their reputations. Some of the most covered news stories of the past year revolved around data breaches involving companies such as British Airways, T-Mobile, Saks Fifth Avenue and Lord & Taylor, and Google+. And the exposed data included information such as names, email addresses, passport numbers, credit card numbers, and encrypted passwords.
All this news coverage around the breaches also led to more coverage on real action – such as the GDPR. Consumers began to realize there were ways to better regulate and protect their data. Thanks to these conversations continuing, we now have pending regulations such as the CCPA. These acts and regulations that are enforceable by law levy substantial fines that can now severely impact an enterprise's bottom line.
The trend toward harsher consequences will continue in the coming year to ensure companies are taking data retention as seriously as possible. As a result, companies will incorporate more comprehensive and resilient cybersecurity methods into their best practices.
A possible return of ransomware should also push businesses to take a hard look at their data protection procedures. Perhaps the most famous ransomware attack, WannaCry, occurred in 2017 and hijacked 200,000 computers in 150 countries. According to a report from Cybersecurity Ventures, we can expect a ransomware attack on businesses every 14 seconds by the end of 2019, up from every 40 seconds in 2016.
SR: When thinking about data, it’s hard to ignore the cloud – how should businesses better secure it?
CC: When it comes to the cloud, this year’s focus needs to be IT teams re-tooling their approach to better understand how security operations work.
A Gartner study predicts that, by 2020, 95 percent of breaches in the cloud will be caused by companies not configuring correctly—in other words, many companies will store their data in a perfectly secure cloud but will not take the necessary steps to ensure they are doing so securely.
Automation is key to cloud security, and engineers are focused on maintaining systems to that end. Because of this, a good amount of responsibility shifts to the end user companies that must move past legacy IT solutions to configure security in the cloud.
But it’s important to also realize that cloud security is, and will remain, a shared responsibility model; the burden of data security falls on cloud service providers as well. As cloud adoption increases, there will also be an uptick in the need for third-party management around cloud service providers, driven by the constant threat of crippling data breaches.
The digital supply chain is evolving, and there is a greater need to assess vendors for effective security protocols. We will continue to see this through 2019, as enterprises put additional contract obligations on cloud service providers and require adherence to stricter security, privacy and availability obligations. GDPR and CCPA are strongly influencing these heightened security measures as well.
SR: What are your overall thoughts on how data security and risk management will evolve in the coming year?
CC: Many of the developments in data security throughout 2018 have set the stage for 2019. Entering this year, we’ll continue to see an increasingly regulated world for enterprise organizations – and more investment in cybersecurity and cloud security to fight the constant threat of hackers.
The approach companies take to securing customer data, as well as their own data, is improving, but we still have a long way to go. Plans and protocols must be agile, and organizations will need to consider the lessons we’ve learned over the past several years and build on them to be successful in 2019.
Thank you again to Cory Cowgill for his time and expertise! Cory Cowgill is Chief Technology Officer at Fusion Risk Management, a provider of business continuity and risk management software and services.