When it comes to data breaches, we seem to have settled into a pattern where each year passes the previous year’s record for total number of breaches. This year-over-year growth is great when it comes to stock performance or portfolio growth, but it’s extremely challenging in the world of corporate security.
Unfortunately, this trend shows no sign of slowing down. Yet we have identified the following seven factors that will impact the state of corporate security and data privacy.
- Using the public cloud offers no protection from data breaches
In a recent Ponemon research study, 31 percent of respondents reported their company had one or more data breaches involving public cloud applications/IT infrastructure. Additionally, 62 percent of respondents admit their organization’s use of cloud resources diminishes its ability to protect confidential or sensitive information.
- Cloud hosting providers do not protect your data “out of the box”
In most cases, cloud providers can spend more on security measures than their customers can. Many public cloud providers such as AWS and Rackspace have built tools and constructs that help companies comply with data privacy regulations such as HIPAA, PCI DSS, and GDPR.
However, it is the individual company’s responsibility to familiarize itself with the tools so they can build the same level of security into their application layer.
- Moving to the public cloud is not cheap
Nothing is free, and as the saying goes, you get what you pay for. The same is true for the public cloud: Once companies dig into an assessment, they will discover that there are many cost factors related to moving to the cloud. These can include infrastructure costs, data migration fees, integration and testing of applications, consultant fees (if necessary) and post-migration costs. Also, keep in mind that this is before any additional data protection measures are added in!
- Be prepared to comply with more international data privacy regulations
Development of international privacy laws and regulations has been extremely active over the last several years and should continue.
“The Privacy Laws Around the World” is a compilation of reports by Cynthia Rich, Morrison & Foerster LLP, that compares common and disparate elements of the privacy laws from 61 countries across the globe, including Europe and Eurasia (non-EEA), East, Central and South Asia and the Pacific, the Western Hemisphere (Latin America, Caribbean and Canada), as well as Africa and the Near East.
Clearly, security is a growing concern – and a top priority – for an increasing number of countries.
- Expect a record number of consumer lawsuits
Consider the case of the Equifax data breach. In the wake of one of the most highly-publicized and highly-sensitive cybersecurity attacks in history, there are now many lawsuits and investigations against Equifax, including more than 240 individual class-action lawsuits, an investigation opened by the Federal Trade Commission, and more than 60 government investigations from U.S. state attorneys general, federal agencies, and the British and Canadian governments.
Most interesting is a 50-state class-action suit that has been served on the company that names plaintiffs from every state as well the District of Columbia, all of whom claim to have been injured to varying degrees by the Equifax security breach.
- Data breach insurance policies may actually start paying out
In the recent past, insurance companies were able to hold back payments because the organization failed to follow “minimum required practices” as spelled out in the insurance policy.
However, as cyber-breach protection solutions become more sophisticated, organizations will be able to demonstrate not only full compliance of insurance regulations but also if records were impacted and specifically, which ones were. Therefore, it is highly probable that insurance companies will reimburse some companies this year to offset any losses.
- Stop expecting developers to be security experts
In an effort to secure DevOps there is the notion of “shifting left” and expecting application developers to learn how to insert advanced security features (like encryption) into their applications. In the long term, this just is not feasible. It is a drain on resources, forces developers to change their design and execution processes, and ultimately, slows DevOps processes.
What is a better solution is to provide developers with the simple, comprehensive tools to add security capabilities to applications without additional development.
All of these trends will continue to affect the overall security landscape. The list of data breaches will continue to grow and the types of data breach attacks will evolve. Organizations today should carefully weigh these trends and their implications, and consider new approaches to improving their overall security posture, especially SecDevOps as an organization’s enterprises become more complex and scalable.