2018 will be the year of the GDPR, which becomes enforceable on 25 May. Although this date might seem far away, it is essential that businesses are ready as quickly as possible.
The regulation requires organisations to review, as a whole, their rules for processing, securing, keeping private and granting access to personal data, and it adds an obligation to notify personal data breaches (to the supervisory authority within 72 hours of becoming aware of them). Time is running out, and many companies are realising they have no way to map their personal data, whether structured, unstructured or held in large volumes, or to control its processing across a complex virtual infrastructure, on-premises or in the cloud. Businesses need a strategic approach that integrates security tooling into the data lifecycle if they are to avoid a penalty and keep a competitive advantage by making trust a selling point. If it proves difficult to get the attention of decision-makers, mention the penalties: up to 20 million euros or 4% of total worldwide annual turnover for the preceding financial year, whichever is higher.
But the GDPR isn’t the only trend to make a big impact this year. Here are four other trends that should be in the mind of every business:
Three simultaneous evolutions in the cloud
There are three simultaneous evolutions in the cloud that need to be noted. The first concerns the adoption of cloud services. While some companies use only infrastructure services (IaaS), others have moved wholesale to Software as a Service (SaaS). Businesses therefore need to agree and enforce security principles with their cloud providers. Note that the provider does not take over responsibility for the customer's data: under the shared responsibility model the provider secures the underlying platform, while the customer remains the data controller and stays responsible for its data, identities, access rights and configuration. Solutions such as a Cloud Access Security Broker (CASB), and audits of these cloud environments (security audits, qualification of suppliers and so on), are becoming more frequent and more necessary for organisations.
The second is related to the use of cloud by business units. Businesses need to decide now how cloud environments, and the people using them, can help achieve their business goals. Securing the teams' digital workspace is therefore paramount, and smart working practices must be supported rather than blocked. For example, the Internet of Things (IoT) pushes the cloud to its limits and brings it closer to the processes and devices of the business environment. This development must be supported by providing the necessary security and by keeping control of these environments, so that people and machines can be managed effectively.
Thirdly, many companies adopt DevOps as part of their digital transformation, and security principles have to be applied to it as well: this is what DevSecOps means. DevOps is an increasingly popular development practice that lets companies accelerate the delivery of applications and services. Unfortunately, it sometimes lets security defects reach production, with significant financial and reputational impact. In an increasingly mobile and cloud-based world, keeping these pipelines secure will become critical. By taking security into account at the start of the development lifecycle, organisations save time and money. In addition, and this is not always obvious to security professionals, third-party expertise can help overcome cultural resistance and equip organisations with the right processes and automated tools.
The rise of Operational Technology (OT) and the adaptation of the industrial sector's security policy
The number of connected devices will continue to increase, especially in homes. From a business perspective, OT will make the difference for automated plants and critical infrastructure.
These devices therefore need to be treated like traditional IT devices and secured, both to protect people and to prevent their being hijacked for large-scale cyber attacks. Even as these technologies are deployed and used ever more widely, their security remains very immature in many environments.
A step-by-step approach is needed, including a security policy that takes into account the specific context of each industrial and operational environment. This is achieved by engaging the various users of these systems, through business-level audits and an architecture review that gives security pragmatic consideration.
Better preparedness for incident response
The large-scale attacks of 2017 gave businesses a hard time and raised questions about how best to respond to a cyber attack.
Our Risk:Value 2017 report shows that companies expect to take an average of 74 days to recover from a security breach. Proactive measures need to be explored to prepare for Advanced Persistent Threats (APTs) and to minimise disruption. This requires a strong and flexible partnership with cybersecurity experts who can respond quickly if an attack occurs.
Beyond proactively implementing solutions, organisations need to prepare for a security incident. To do this, they must first define attack scenarios ranked by criticality, together with the control points and the processes to engage for each. This preparation phase saves valuable time on the day an attack happens, and it gives the various stakeholders an understanding of the environments that would be affected before the crisis phase begins.
In addition, GDPR compliance requires incident response plans and detection mechanisms: an organisation cannot notify a breach within the regulation's 72-hour window if it is unable to detect and assess it.
Devices everywhere but still not secure
This year has shown the effect of massive ransomware attacks on every kind of endpoint, workstations and servers included. Businesses need to address the security of these endpoints as well as network security, by deploying solutions that block attacks on a behavioural basis (what a process does, such as rewriting hundreds of files in seconds) rather than relying on signatures alone. This approach should be extended to both mobile devices and connected objects. These are at the heart of current discussions, and the business benefits are clear: data collection or advanced analysis in different areas. But, as has so often been the case in the past, security is treated as an afterthought.
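To make "blocking on a behavioural basis" concrete, here is an added example (not code from the original article or from its author) of the kind of logic an endpoint agent applies to ransomware: it replays a stream of file-system events and flags any process that touches many distinct files inside a short sliding window, raising the severity when the burst consists of renames to an extension outside the endpoint's baseline. The event format, the window, the threshold and the extension baseline are all assumptions made for this example, and the sample events are constructed.

```python
"""Behaviour-based detection of ransomware-like file activity.

Added example, not code from the original article. It replays a stream of
file-system events (constructed sample data below) and flags any process that
touches many distinct files inside a short window; a burst of renames to an
extension not in the baseline raises the severity. Window, threshold and
baseline are assumptions for the sample, not tuned production values.
"""
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass(frozen=True)
class FileEvent:
    ts: float       # seconds since start of capture
    pid: int
    process: str
    op: str         # "write" or "rename"
    path: str       # path after the operation


@dataclass(frozen=True)
class Alert:
    pid: int
    process: str
    ts: float         # time at which the threshold was crossed
    files: int        # distinct files touched inside the window
    unknown_ext: int  # renames in the window to an extension outside the baseline
    severity: str     # "high" if at least half the files are such renames


# Assumed baseline of extensions normally written on these endpoints.
BASELINE_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "jpg", "png", "txt", "log", "tmp", "o"}


def extension(path: str) -> str:
    """Lower-cased final extension of a path, '' when there is none."""
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_mass_modification(events, window=10.0, threshold=20, baseline=BASELINE_EXTENSIONS):
    """Return one Alert per process whose sliding window holds >= threshold distinct files."""
    recent = defaultdict(deque)   # pid -> events inside the window, oldest first
    alerts = []
    alerted = set()
    for ev in sorted(events, key=lambda e: e.ts):
        q = recent[ev.pid]
        q.append(ev)
        while ev.ts - q[0].ts > window:   # q always holds ev itself, so this terminates
            q.popleft()
        if ev.pid in alerted:
            continue
        files = {e.path for e in q}
        if len(files) < threshold:
            continue
        unknown = sum(1 for e in q if e.op == "rename" and extension(e.path) not in baseline)
        severity = "high" if unknown * 2 >= len(files) else "medium"
        alerts.append(Alert(ev.pid, ev.process, ev.ts, len(files), unknown, severity))
        alerted.add(ev.pid)   # one alert per process; an agent would block it here
    return alerts


def sample_events():
    """Constructed events: a slow backup job, a fast compiler writing baseline
    extensions, and a ransomware-like process renaming documents to .locked."""
    ev = []
    for i in range(40):   # backup.exe: 40 files over 200 s, never 20 inside one 10 s window
        ev.append(FileEvent(i * 5.0, 100, "backup.exe", "write", f"/srv/backup/{i}.tmp"))
    for i in range(30):   # cc1: 30 object files in 3 s, all with a baseline extension
        ev.append(FileEvent(300.0 + i * 0.1, 200, "cc1", "write", f"/home/dev/build/{i}.o"))
    for i in range(25):   # unknown.exe: 25 documents renamed to .locked in 5 s
        ev.append(FileEvent(400.0 + i * 0.2, 300, "unknown.exe", "rename",
                            f"/home/user/docs/report{i}.docx.locked"))
    return ev


if __name__ == "__main__":
    for alert in detect_mass_modification(sample_events()):
        print(alert)
```

On the sample data the compiler trips the count threshold and produces a medium alert while the ransomware-like process produces a high one. That false positive is deliberate: a behavioural rule needs a per-endpoint baseline (which extensions and which signed binaries are normal here) before it can be used to block rather than merely to alert.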
Businesses will begin to reap the benefits of this data collection and analysis to respond proactively. However, this requires security teams to understand and secure large volumes of data, which calls for a different analytical approach.
Cybersecurity may not be the first reflex when analysing a sensor or a production line, but it must be kept in mind that if we can see the data and modify the controls, others can do so too.