From an ever-increasing uptick in data breaches to the rise of Cybercrime-as-a-Service, data protection will continue to be top of mind for CIOs and their teams through 2018 and beyond.

The Gartner Security & Risk Management Summit 2018 is coming up. Based on last year’s data breaches and how cyber security incidents have escalated in 2018, I would place a big bet that the talk coming out of the summit will be very heavy on the topic of data protection. Here’s why I think we’ll be talking data protection during and after the conference and what it could mean for your business.

The steady drumbeat of data breaches

Beyond the high-profile Equifax data breach, there is a long list of additional breach incidents from 2017. This is not a good look in terms of company brand and reputation, and corporate security and IT leaders are in the hot seat now. Detection, prevention, and mitigation strategies will be the focus as we move forward in 2018.

The data-inventory challenge

In recent years, organizations have struggled to get a good handle on where all their key data resides. With the rise of shadow IT in the cloud, this challenge only increases. An average organization can have hundreds of SaaS applications in use: what’s the likelihood the security team has a good inventory of the data stored within these applications?

The coming of GDPR

The European Union’s General Data Protection Regulation (GDPR) is now effective, impacting all companies that collect data on citizens in EU countries. The regulation includes provisions requiring businesses to protect the personal data and privacy of EU citizens. The GDPR also requires companies to erase personal data upon request, known as the right to be forgotten. A recent survey found that 34% of British citizens say they plan to exercise their right to be forgotten when the GDPR takes effect. So, organizations will need to address a variety of data storage, protection, and deletion challenges.
According to an Ovum report, about two-thirds of U.S. companies believe that the GDPR will require them to rethink their strategy in Europe.

The intersection of humans and data

I think we’re all getting smarter about how we use, share, and store sensitive data, but there is still some truth to the phrase ‘humans are the weakest link’. The intersection of humans and data will receive particular scrutiny and investment in three areas:

Security education. Beyond ensuring that all employees are aware of internal security policies and know the basics regarding strong passwords and avoiding phishing scams, I think we’ll see organizations focus more attention on delivering security education that is specific to employee role. For example, we’ve seen several examples in recent months of insecure cloud container storage due to human error. Education targeted to those roles responsible for establishing container storage can help in this example.

Stronger authentication. For both employees and customers, organizations will increasingly move from requiring merely a weak username and password combination to strong multi-factor authentication methods.

Malicious and negligent insiders. According to a survey by PWC, insiders caused more than 51% of data breaches. Regardless of motive, there’s a risk when users have access to sensitive data. Sixty-two percent of respondents to a 2016 Ponemon Institute survey reported having access to company data they probably should not see. Organizations need to do more to tighten up access policies, limit privileged access, and monitor online activities to detect and stop threats.

The rise of Cybercrime-as-a-Service

Cybercrime is no longer the domain of technical experts; novices can now easily obtain a variety of kits to enable DIY exploits. A larger pool of attackers will drive up threats to corporate data.

The importance of an incident response plan

When data breaches made the recent news, much of the bad publicity resulted from the organization’s response. Whether it was an attempt to quietly pay off hackers, a long delay in disclosing the breach, or confusion around breach remedies, how the response is handled largely determines the overall impact to brand reputation. According to data compiled by AT&T, 62% of organizations admitted to being breached, but only 34% believed they had an effective incident response plan in place. The GDPR requirements around prompt reporting of a breach will be one factor driving an upward change in this statistic in 2018. I think we’ll end this year with many organizations creating – or augmenting – their incident response plan.

Due to all of these factors, data protection will continue to be top of mind for CIOs and their teams through 2018 and beyond. To help mitigate and prevent data breaches, organizations are increasingly turning to user behavior analytics and user activity monitoring. User behavior analytics and monitoring software analyzes the ‘normal’ actions of systems and users, and alerts when anomalies are detected. The increased focus on data protection is one reason why the activity monitoring industry is poised to more than double from about $200 million today to $500 million in the next four years.