It should come as no surprise to anyone. Investing in cybersecurity and preparing for privacy and incidents are determining factors in what the outcome of a security incident will be. It will affect responses from regulators, commentators and clients.
Yet, while cybersecurity spending is growing at around 10% a year – and privacy at around 16% – research shows that many feel this is still an under-investment. In a way, it’s not hard to see why. Both areas are cost-centers. Evangelists are sometimes seen as Cassandras, forecasting a doom that may never come, but is expensive to remediate. To carry that analogy through – it did. Troy burned… and, let’s face it, it’s a brave CEO who believes their organization will never be breached.
So while growth rates are encouraging, they are also symptomatic of playing catch-up. The General Data Protection Regulation (GDPR) was a wake-up call. It brought these issues into the boardroom for the first time – not least because of the investment required to run even the smallest compliance programme. But it was not the first privacy regulation and more are coming – India, Singapore, Brazil and China are all bringing forward new or amended regulations in the next year to 18 months. In the US, the California Consumer Privacy Act, among various others, will be in force from 1st Jan 2020.
These regulations are themselves playing catch-up – almost inevitably, as the threat landscape changes and new vulnerabilities emerge. As the local privacy geek, I’m frequently asked what the regulations say about specific security measures – in most cases, very little as regulators shy away from specifying technology that could be obsolete next year.
So, what to do? According to Gartner, around a third of the $124bn spend is on consultancy to establish what companies need, and advise on the regulations. This must be welcome; effective governance, risk and compliance advice that is relevant to your business – and comes up with an effective programme of work – is critical. Putting resources into the right place to deliver protection will help to provide assurance to customers and employees alike.
There are several planks to this. The first is ensuring that you understand the regulatory landscape, which is complex if you are working across multiple countries. This will shape the types of controls you need to have, and how these interact with individuals, whether consent is required, the types of monitoring that can be put in place and, perhaps, the level of government ‘interaction’.
Next is to limit risk – this is about lifecycle management and minimization. If you’re not holding data, you can’t lose it. Limiting collection, having a retention schedule and securely deleting data should be part of any good privacy programme. Reviewing these practices should be an ongoing task – driven by privacy policies, undertaken by your front-line teams (whether HR weeding and shredding, or IT decommissioning old databases), and then reviewed by your risk and audit teams.
The third is detecting a problem. Once your data is on the dark web or a tabloid frontpage, it’s too late; even the best PR will only help to limit damage. Instead, understanding what ‘normal’ looks like in terms of network and endpoint behavior will give you a chance of detecting anomalous behavior that could be a threat – whether it’s a port that’s suddenly active, an employee installing software they’ve downloaded, or a printer suddenly taking a great deal of interest in your network at 11.21 every evening (one for the X-Files fans there…).
Endpoints are an obvious way in – this is why social engineering attacks are so popular. Once you have a set of credentials, you can sit on an endpoint and wait for the next, better set to come along. Spotting that early is key – but it also means monitoring the endpoint, which, by extension, monitors the user, and their day-to-day activity. This could, in theory, be used for other purposes – throw in mobile and wearable technology, and it could move well beyond ‘time and motion’ into ‘movement and emotion’. This would be seen by many to be unacceptably intrusive and high-risk processing. Layering in controls around access to the data and minimizing retention will be required to allay privacy concerns, particularly in European jurisdictions.
The answer may lie in Artificial Intelligence (AI) itself – letting the machine take care of certain actions and only escalating when thresholds are met. Another answer may lie in the tokenization of data – removing, as far as possible, the ability to identify the end-user until necessary.
Finally: prepare to fail. Breaches happen. Understanding that and preparing for it will be the difference between handling it well, or not. Putting in place an incident response plan and understanding how to minimize data exposure – and risk to individuals – will help you to control damage, and provide a better narrative. The ability to show you are working to demonstrate compliance will assist you in conversations with regulators and customers.
In any case, any and all of this requires investment and planning. Big-name breaches and increasingly robust regulatory action, in combination with consumer expectations, all cry out for businesses to take this seriously. Those that do will perform well – even if they do suffer a breach, which is often a differentiator between customers walking away or not. Those that don’t can expect to see regulators circling.