Happy New Year! If you’re reading this, it means you made it through the holidays. If you’re lucky, your organization also made it through the holidays…and did so data breach-free. There are many companies that can’t say the same. For an exhaustive list, I suggest you check out the Identity Theft Resource Center’s 2015 breach tally. It’s a real eye-opener.
The end of 2015 brings a new year, and with that new year comes a fresh start. In the spirit of renewal, this blog is focused on what I like to call “IT Security New Year’s Resolutions.” It takes into account lessons from 2015, business and technological developments, and my own personal observations from my three years with Vormetric.
Resolution #1: Think Globally, Act Locally
Don’t roll your eyes just yet. This popular mantra isn’t just a catchy slogan for socially conscious marketers…or Whole Foods. It’s also a data security imperative. First, some background.
Any successful global enterprise or organization has become so in part because it has built the trust of its customers. In the post-Safe Harbor age, retaining this trust is especially important. As you may recall, Safe Harbor was an arrangement between the European Commission and the U.S. government, recognizing any U.S. entity certified as complying with its data security principles to process personal data transferred from Europe to the United States.
The European Court of Justice’s decision to strike down Safe Harbor puts power back in the hands of EU member countries (as opposed to creative U.S. lawyers) and opens the door to much tougher and more restrictive data security and data residency regulations. Case in point: on December 15, the EU agreed on the General Data Protection Regulation (GDPR). European Council ratification is expected in early 2016; should this happen, the GDPR will take effect in 2018.
The new agreement – which I like to think of as Safe Harbor on steroids – governs the legal flow of data across borders and imposes tough penalties on companies that don’t comply with its rules. Strict as it is, one of the best strategies for remaining compliant with the GDPR is to ensure that all customer and employee data is a) inaccessible to anyone outside the EU and b) cannot be physically moved outside the EU. This is best accomplished by encrypting that data and limiting access to users within a given jurisdiction.
Organizations handling data originating from the EU must tread carefully, as the misuse or leakage of this data – due to sloppy data protection, for example – will lead to major penalties. These include fines of up to 4 percent of turnover or $20 million (whichever is higher) and a requirement that breached companies notify authorities of data breaches within 72 hours. Importantly, encryption allows companies to avoid breach notification, provided it has been “competently implemented.”
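To make the “encrypt it and restrict access by jurisdiction” recommendation concrete, here is an added example in Python; it is not code from the original post or from Vormetric’s products. Every record is encrypted under a key owned by one jurisdiction, the key service releases that key only to a requester whose own jurisdiction matches the record’s residency tag, and the key object never leaves the service, so a copy of the ciphertext taken elsewhere is inert. The cipher (an HMAC-SHA256 keystream with a separate authentication tag) is a constructed stand-in for a real authenticated cipher such as AES-GCM so the block runs on the standard library alone; the principal names, jurisdiction labels and sample record are likewise constructed.

```python
"""Jurisdiction-scoped encryption with policy-gated key release (added illustration)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# A keystream from HMAC-SHA256 in counter mode plus an HMAC tag stands in for an
# authenticated cipher such as AES-GCM; it is used only so the example runs offline.


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Return nonce || ciphertext || tag; a fresh nonce is drawn for every call."""
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; reject any modification."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext rejected: authentication tag mismatch")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class AccessDenied(PermissionError):
    pass


@dataclass
class Principal:
    name: str
    jurisdiction: str  # where the requester operates, e.g. "EU" or "US"


@dataclass
class Record:
    residency: str  # jurisdiction whose law governs this data
    ciphertext: bytes


@dataclass
class KeyService:
    """One key per jurisdiction; keys are used inside the service and never returned."""
    _keys: dict = field(default_factory=dict)
    audit: list = field(default_factory=list)

    def _key_for(self, jurisdiction: str) -> bytes:
        return self._keys.setdefault(jurisdiction, secrets.token_bytes(32))

    def store(self, residency: str, plaintext: bytes) -> Record:
        return Record(residency, encrypt(self._key_for(residency), plaintext))

    def read(self, who: Principal, rec: Record) -> bytes:
        # Policy: the key is released only to a requester inside the data's jurisdiction.
        allowed = who.jurisdiction == rec.residency
        self.audit.append((who.name, who.jurisdiction, rec.residency, allowed))
        if not allowed:
            raise AccessDenied(f"{who.name} ({who.jurisdiction}) may not read {rec.residency} data")
        return decrypt(self._key_for(rec.residency), rec.ciphertext)


def demo() -> dict:
    """Constructed scenario: one EU customer record read from inside and outside the EU."""
    ks = KeyService()
    rec = ks.store("EU", b"customer=alice;iban=DE00-TEST")  # constructed sample data
    result = {"eu_read": ks.read(Principal("dpo-berlin", "EU"), rec)}
    try:
        ks.read(Principal("analyst-austin", "US"), rec)
        result["us_read"] = "allowed"
    except AccessDenied:
        result["us_read"] = "denied"
    # The stored bytes reveal nothing of the plaintext on their own.
    result["plaintext_in_ciphertext"] = b"alice" in rec.ciphertext
    # A single flipped ciphertext byte is detected before any plaintext is produced.
    tampered = Record("EU", rec.ciphertext[:16] + bytes([rec.ciphertext[16] ^ 1]) + rec.ciphertext[17:])
    try:
        ks.read(Principal("dpo-berlin", "EU"), tampered)
        result["tamper_detected"] = False
    except ValueError:
        result["tamper_detected"] = True
    result["audit_entries"] = len(ks.audit)
    return result


if __name__ == "__main__":
    print(demo())
```

The design point is that residency is enforced at the key, not at the bytes: copying the ciphertext to another region gains nothing, every key-release decision is logged for the regulator’s 72-hour question, and the tag check means a tampered record is refused rather than silently decrypted.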
With this in mind, in 2016 businesses that have yet to embrace encryption must come to terms with this “New Data Order”. They must resolve to “think globally” (recognize and understand the multitude of laws governing data residency worldwide) and “act locally” (when necessary, keep certain sets of data within limited physical boundaries).
For an excellent breakdown of what the GDPR means for businesses and individuals, please check out John Dunn’s Computerworld article. For more information on encryption implementation, I suggest you check out our primer, “Selecting the Right Encryption Approach.”
Resolution #2: Think Outside the (Threat) Box
Remember when it seemed like hackers were only out to make money? Companies must now contend with attackers motivated by political, psychological and moral aims (see: The Hacking Team, Ashley Madison, and the Office of Personnel Management).
Later this month, we’ll announce the results of our fourth annual Data Threat Report. For now, it’s safe to say the DTR backs up the notion that we live in a cybersecurity world made all the more fraught by the aforementioned motivations, and complicated by the cloud, Big Data, the vast proliferation of mobile devices and the “Internet of Things” (IoT).
If, when thinking about cybersecurity, your network and endpoints are still the first things that come to mind, you’ve been living under a rock. Did you also miss that almost 800 organizations were breached in both 2014 and 2015, and that those attacks were by no means limited to endpoints and networks?
In 2016, you must resolve to think outside the threat box. This means recognizing modern-day cyberattacks are designed to infiltrate all sorts of conduits, whether they be networks, endpoints, data centers, cloud storage centers or Big Data environments. To do this, you must literally change your mindset – and get creative. It’s not 2006 anymore.
Though there are many unknowns in the year ahead, you can start by getting educated on the plethora of security options at your disposal. My colleague and Vormetric’s CSO Sol Cates lays it out for you here. Please, dive in.
Resolution #3: Embrace Emerging Technologies, but Guard Against New Threats
The cloud, Big Data and the IoT aren’t going anywhere. There are good reasons why this is the case. When leveraged responsibly, these environments have the potential to improve business efficiencies, make for a more flexible work environment, increase revenue and widen your customer base. Just know that with great technology comes great responsibility.
Instead of taking an “it won’t happen to me” approach (what I also like to call the “do nothing, then cross your fingers” approach), in 2016 you must resolve to proactively deploy platforms to protect these emerging technologies.
I’ll use the cloud as an example. Security is the chief impediment to a more pervasive adoption of cloud-based services and delivery models – but it doesn’t have to be. By addressing security concerns, service providers can establish strong market differentiation, expand their presence in existing accounts, and boost market share.
To put your organization in the strongest (cloud) position possible, I recommend you start by answering these four questions.
Big Data is another big area of concern. Some of this can be chalked up to the fact that the industry as a whole is still figuring out how to best define Big Data and harness its potential. Then there’s the nomenclature: “Big Data.” The notion of a never-ending supply of data is enough to make any good CSO squirm. But instead of remaining paralyzed by indecision or a fear of the unknown, educate yourself on your Big Data security options. This puts you in a position to make the best business decision possible.
With respect to the IoT, my colleague Andy Kicklighter said it best in his May blog: Organizations that have put in place the policies and procedures for both the use and safeguarding of data stemming from the coming IoT tsunami will be better perceived by the public and at an advantage against competitors, while also being ready for regulators. Properly structured policies, followed to the best of ability, will show good faith in preserving public rights and trust.
Resolution #4: Be Prepared to Answer Tough Questions
The U.S. government is increasingly making noise about encryption’s overall role in the marketplace. In my opinion, the rhetoric coming from government officials – particularly FBI Director James Comey – could be much more nuanced and informed by a better understanding of how technology works. Needless to say, my 2015 sentiments remain the same in 2016: front door or backdoor, creating intentional vulnerabilities will be detrimental to all parties involved.
If your company utilizes encryption as a form of data protection, be prepared to answer tough questions. They might come from shareholders, they might come from your board, they might come from law enforcement and they might come from the press. For now, the great encryption debate is here to stay. In 2016, you must be prepared to answer this question: Are you a Tim Cook or a John Chen?
This isn’t a question I can answer for you. Preferably, it should be made in tandem with your senior team, and reflective of your company’s mission, goals and values. Just know that in 2016, it is most likely coming your way.
The year is young, but this we know: in the cybersecurity world, much will happen between now and the start of 2017. Whether the coming months trend in a positive or negative direction depends on a number of variables. Some of those variables – like the weather, geopolitical upheaval, legal machinations, etc. – are out of our control. What is within our control is how we choose to protect our data, our attitude towards that data and our balancing of risks versus rewards.
It’s 2016. Will you resolve to be more secure?