The total number of data records lost or stolen since 2013 is 9.19 billion and counting. Drilling deeper, we experience approximately five million records lost every day, or 59 records every second.
These statistics have trended upward year after year and validate the worrisome threat landscape organizations endure. While the numbers alone are a strong driver to improve cybersecurity posture, compliance requirements compound the pressure by presenting looming consequences for entities with poor cybersecurity practices.
As organizations and government entities across the globe struggle to maintain confidentiality, integrity and availability of their systems and data, they are now facing a continuous flow of new and updated regulations and standards designed to enforce the implementation of appropriate levels of privacy and security controls by entities of all sizes, across industries.
With major breaches like Equifax (143 million records, as initially reported) and major regulatory changes like the European General Data Protection Regulation (GDPR), organizations across the globe must prepare for and enforce cybersecurity diligence as 2018 arrives. These are the driving factors:
- There will be continuous cyberattacks on organizations, government entities and critical infrastructure, and we will see new types of state-sponsored attacks.
- The internet of things presents a quickly growing and poorly controlled attack surface, and Congress is unlikely to propose new laws related to IoT security anytime soon. We should expect this poorly regulated surface to continue to grow.
- Healthcare has become a high value target for cyber criminals. In the first six months of 2017, the industry had more breaches than any other. It’s set to continue lagging in cybersecurity performance.
- With customers becoming more informed about cybersecurity risks, it is paramount for financial institutions to develop and maintain risk mitigation practices that foster good cybersecurity health. Financial institutions will remain the sector most targeted by malware, and will continue to have difficulty maintaining good cyber hygiene.
Go back to basics
Organizations preparing for the wave of cyberattacks in 2018 should go back to security basics. Among other healthy cybersecurity practices, organizations should revisit their patching methodology: how quickly patches are applied, and whether critical, external-facing systems are prioritized over the rest of the estate. We need to ensure security is part of the process, a concept of continuous compliance that I have been a proponent of for years. As we transition to the cloud, we must ensure that all security controls are tested and implemented per best practices to stay ahead of potentially damaging vulnerabilities.
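As an added illustration of the two patching questions above (timeliness and prioritization of external-facing systems), the following Python script ranks open findings against remediation windows. It is example code written for this article, not a SecurityScorecard tool; the SLA windows, host names and finding labels are all constructed for the example and are not real identifiers or a prescribed policy.

```python
"""Patch triage: which open findings have breached their remediation window,
and in what order should they be worked?

Example code added to this article (not SecurityScorecard's). The SLA table,
hosts and finding labels below are constructed for illustration only."""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed remediation windows in days, by severity and by whether the host is
# reachable from the internet. Illustrative values, not a standard's.
SLA_DAYS = {
    "critical": {"external": 7, "internal": 30},
    "high": {"external": 14, "internal": 60},
    "medium": {"external": 30, "internal": 90},
    "low": {"external": 90, "internal": 180},
}
SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2, "low": 3}


@dataclass(frozen=True)
class Finding:
    host: str
    finding_id: str      # constructed label, not a real CVE or ticket number
    severity: str        # one of SEVERITY_RANK's keys
    external: bool       # True if the host is internet-facing
    discovered: date     # when the scanner or vendor advisory first reported it


def deadline(f: Finding) -> date:
    """Date by which the finding must be patched under the assumed SLA."""
    exposure = "external" if f.external else "internal"
    return f.discovered + timedelta(days=SLA_DAYS[f.severity][exposure])


def days_overdue(f: Finding, today: date) -> int:
    """Positive when the SLA has been breached; negative days remain in the window."""
    return (today - deadline(f)).days


def triage(findings, today: date):
    """Work order: SLA breaches first, then external hosts, then severity,
    then the longest-overdue item. Ties break on host name for stable output."""
    return sorted(
        findings,
        key=lambda f: (
            days_overdue(f, today) <= 0,   # False (breached) sorts before True
            not f.external,               # internet-facing first
            SEVERITY_RANK[f.severity],
            -days_overdue(f, today),
            f.host,
        ),
    )


def overdue_by_exposure(findings, today: date) -> dict:
    """Count SLA breaches split by exposure, the number a patch review should track."""
    counts = {"external": 0, "internal": 0}
    for f in findings:
        if days_overdue(f, today) > 0:
            counts["external" if f.external else "internal"] += 1
    return counts


# Constructed sample inventory, as of a constructed review date.
TODAY = date(2018, 1, 15)
SAMPLE_FINDINGS = [
    Finding("web-01", "F-001", "critical", True, date(2018, 1, 2)),
    Finding("db-02", "F-002", "critical", False, date(2017, 12, 1)),
    Finding("vpn-01", "F-003", "high", True, date(2018, 1, 10)),
    Finding("hr-app", "F-004", "medium", False, date(2017, 10, 1)),
    Finding("web-02", "F-005", "low", True, date(2018, 1, 1)),
]

if __name__ == "__main__":
    for f in triage(SAMPLE_FINDINGS, TODAY):
        state = f"{days_overdue(f, TODAY)}d overdue" if days_overdue(f, TODAY) > 0 \
            else f"{-days_overdue(f, TODAY)}d left"
        print(f"{f.host:8} {f.finding_id} {f.severity:8} "
              f"{'external' if f.external else 'internal':8} {state}")
    print(overdue_by_exposure(SAMPLE_FINDINGS, TODAY))
```

Run as-is it prints the ranked list for the constructed inventory; in practice the `SAMPLE_FINDINGS` list would be replaced by a scanner export, and the SLA table by the windows an organization's own policy actually commits to. The ordering deliberately puts any SLA breach ahead of in-window work, because a breached window is the thing an auditor or regulator will ask about.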
Brace for the impact of GDPR
GDPR will be the most notable compliance challenge in 2018. As the effective date of May 25 looms, it will impact every organization that handles the personal data of European Union (EU) residents, even if the data processing occurs outside EU borders. The data protection impact assessment (DPIA), which GDPR mandates for processing likely to result in a high risk to individuals, is a critical deliverable, especially if an organization experiences a breach. Data mapping is not named as a GDPR requirement, but we highly encourage it, since it is impossible to protect data whose whereabouts are unknown. How data is used, how it is transmitted and how it is destroyed at end of life can all be defined once its location and sensitivity are known. GDPR also formalizes the role of the Data Protection Officer (DPO). Organizations must enable their DPOs to manage the GDPR compliance program months before the effective date.
Most privacy and compliance professionals in EU organizations are expected to be aware of GDPR and preparing for it in 2018, but most budgets will not be sufficient to support what compliance actually requires. Preparations will take longer than planned because of the stringent requirements GDPR puts forth. US organizations that work with the EU must be equally ready and proactive in preparing for compliance.
Defeat ignorance surrounding IoT security
In an environment where an emerging technology is being rapidly adopted at a large scale, the speed of IoT device deployment is sometimes prioritized over necessary security practices during implementation. This means IoT devices are low hanging fruit for malicious actors. Even though the industry lacks a certifying authority or enforcement agency to ensure that IoT devices are secure and compliant, these devices must be inventoried, secured, and hardened out of the gate.
Be on alert
The health industry struggles to maintain compliance with HIPAA/HITECH under the watchful eye of the Office for Civil Rights (OCR) at the Department of Health and Human Services (HHS). Ongoing audits, breach settlements and hefty fines confirm the need for better security and privacy controls. The HHS breach portal, known as the “wall of shame,” continues to grow with its list of health organizations reporting breaches affecting 500 or more individuals. Let us not forget that 2017 was clearly the year of ransomware for the healthcare industry. An increased focus on security, user education and enterprise risk management strategies is needed to drive a decline in such attacks.
Catch up on regulatory compliance
Organizations across the globe need to implement a true governance, risk, and compliance (GRC) framework. Ongoing governance will ensure processes and procedures adhere to internal and external standards and policies. Assessing and mitigating risks is everyone’s responsibility. Enterprise-wide risk programs headed by a member of the C-suite will bring visibility to all potential operational, business and security risks.
Compliance will continue to drive much of what we do. The more we integrate security best practices into our daily processes and procedures, the more likely we are to achieve compliance simply by conducting business as usual.
Fouad Khalil is the head of compliance at SecurityScorecard.