Every year seems to bring still more news about information security breaches. From Equifax to Intercontinental Hotels to Verizon, 2017 may well become known as the year that lived in InfoSec infamy.
That’s why, when my colleague Jim Polka and I sat down to look into our crystal ball for InfoSec-related predictions for 2018, it was a no-brainer for us that organizations will become increasingly proactive, rather than reactive, when it comes to information security. Jim and I are consultants in Doculabs’ InfoSec practice, and looking ahead to the coming year, we both expect to see greater alignment between InfoSec, privacy, and overall compliance. InfoSec, increasingly, will not be viewed in isolation.
Specifically, here are the four key trends we expect to see playing out in 2018:
- More organizations will reduce their data footprint to minimize risk.
- Organizations will pay more attention to (and spend more budget dollars on) cyber insurance.
- More organizations will leverage preparation for GDPR to help improve data governance, privacy, and security capabilities domestically.
- More organizations will use analytics as part of their arsenal in the data loss prevention battle.
Do You Have Too Much Information?
More organizations will undertake or continue projects to be sure that they’re cleaning up data before there’s a breach. Indeed, now is a very good time to focus on this, as companies increasingly place more of their resources and processes in the cloud (whether private, hybrid, public, or “cloud of clouds”).
As more organizations adopt cloud-based solutions such as Microsoft Office 365, they will also become concerned about the volume of data they have to protect. And with the growth and integration of the Internet of Things (IoT), and with so many more devices now WiFi-enabled, the potential risk surface only increases.
This is true not only in industry—e.g. manufacturing, mining, and health care, areas where the use of IoT is ballooning—it’s also a problem for consumers. Indeed, in 2018 we may see more pressure on both retailers and the manufacturers of consumer products to “hard-wire” security into consumer devices.
Whether it’s a device powered by Google Assistant or Amazon Alexa, or the next generation of a “simple” baby monitor, these products are collecting—and distributing—data. Someone needs to be responsible for security and for reducing the amount of data that can be compromised.
The Growing Need (and Cost) for Cyber Insurance
The coming year is also likely to be characterized by spikes in the cost of cyber insurance. It’s hard to say by just how much the price tag will go up for organizations; estimates range from 10 to 20 percent, and much will depend upon the industry in which your organization operates.
It will be virtually impossible to lower premiums because the value of coverage is going up. Is $2 million in coverage sufficient? $3 million? $50 million? The only thing that seems to be true is that it’s no longer optional to carry cyber security insurance—it’s now part of the cost of doing business.
One thing that may help you lower those cyber insurance premiums is proving that you have a robust InfoSec strategy and are actually implementing it. Such a strategy would include items like “white-hat” phishing to improve employee diligence, as well as breach response exercises to ensure information security policies and procedures are up to date.
Another approach is to reduce the footprint of what you’re protecting. If you root out duplicate and early-version files, for instance, the surface area of what you’re protecting becomes smaller, and less information available means less severe breaches.
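A concrete way to find those duplicate files is to group candidates by size and then by content hash, so that only same-size files are ever hashed and byte-identical copies surface regardless of their names. The script below is an added example written for this post, not Doculabs tooling; the directory tree it scans is constructed in a temporary folder purely to illustrate the technique, and the reclaimable-bytes figure it reports is the kind of number a footprint-reduction project would put in front of the business.

```python
"""Find byte-identical duplicate files so the protected data footprint can shrink.
Added example; the sample tree below is constructed, not real corporate data."""
import hashlib
import os
import tempfile
from collections import defaultdict

CHUNK = 1 << 16  # read files in 64 KiB pieces so large files are never fully loaded

# Constructed sample tree: three copies of one contract under different names,
# plus two same-size policy files whose content differs (size alone is not enough).
SAMPLE_FILES = {
    "contracts/acme_v1.txt": b"ACME agreement draft " * 100,
    "contracts/acme_final.txt": b"ACME agreement draft " * 100,     # exact copy of v1
    "archive/acme_v1 (copy).txt": b"ACME agreement draft " * 100,   # third copy
    "hr/policy.txt": b"Acceptable use policy " * 50,
    "hr/policy_old.txt": b"ACCEPTABLE USE POLICY " * 50,           # same size, different bytes
}


def hash_file(path):
    """SHA-256 of the file's contents, streamed in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(CHUNK), b""):
            h.update(chunk)
    return h.hexdigest()


def find_duplicates(root):
    """Return {sha256: [paths]} for every group of two or more identical files.
    Files are bucketed by size first; only buckets with 2+ members get hashed."""
    by_size = defaultdict(list)
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            by_size[os.path.getsize(path)].append(path)
    groups = {}
    for paths in by_size.values():
        if len(paths) < 2:
            continue
        by_hash = defaultdict(list)
        for path in paths:
            by_hash[hash_file(path)].append(path)
        for digest, dups in by_hash.items():
            if len(dups) > 1:
                groups[digest] = sorted(dups)
    return groups


def reclaimable_bytes(groups):
    """Bytes freed if each duplicate group were reduced to a single copy."""
    return sum(os.path.getsize(paths[0]) * (len(paths) - 1) for paths in groups.values())


def build_sample_tree(root):
    """Write the constructed SAMPLE_FILES under root."""
    for rel, data in SAMPLE_FILES.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)


def demo():
    """Build the sample tree in a temp dir, scan it, and return a summary dict."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        groups = find_duplicates(root)
        return {
            "duplicate_groups": len(groups),
            "redundant_copies": sum(len(p) - 1 for p in groups.values()),
            "reclaimable_bytes": reclaimable_bytes(groups),
            "group_sizes": sorted(len(p) for p in groups.values()),
        }


if __name__ == "__main__":
    print(demo())
```

Only the three contract copies are reported; the two policy files share a size but not a hash, which is exactly why the size pass is a filter and not the decision. Point `find_duplicates` at a real share to get the same grouping over live data.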
Finally, when it comes to data storage capabilities, most organizations can’t do security as well as Microsoft (if you’re using Azure) or Amazon (for AWS). It’s in the interest of both these vendors to be at the forefront of information security.
But if you’re using those resources, don’t get over-confident. InfoSec professionals need to remain vigilant and engaged. What about data in motion? And what about the fact—especially in financial services and health care—that the company, and not the cloud provider, is responsible for the data?
Of course, with the May 18 deadline for General Data Protection Regulation (GDPR) compliance fast approaching, companies doing business in Europe, or with Europe-based clients, have been paying attention to InfoSec concerns for some time.
What’s important here is that compliance with data management and privacy regulations doesn’t stop in May 2018—or at the boundaries of the nations of the European Union. Concerned about the growing number of serious data breaches at U.S. companies, no fewer than 48 state governments have enacted security breach notification laws, with additional provisions similar to those in GDPR almost certain to follow. And it’s not just Europe and the U.S., either; as reported in Bloomberg BNA, fifteen jurisdictions in the Western Hemisphere have now enacted similar laws.
The bottom line: Data protection regulation is coming, if not already here, for organizations of all sizes. (See Brian Johnson’s recent post on this subject, “U.S. Privacy Regulations: The Other Reason to Get Ready for GDPR.”) Companies should leverage the requirements of GDPR to help them focus on data management and privacy. Good information governance, in turn, will lead to better compliance—and that, by extension, will lead to better security.
New Tools for Data Loss Prevention
Another trend we see for 2018 when it comes to data loss prevention is a continued focus on checking behaviors, rather than relying on firewalls alone. More companies will also use the capabilities of data analytics to root out bad actors, whether from outside or within the organization. Suppose an employee rarely prints documents, and then one week that employee uncharacteristically prints 500 pages; behavioral analytics can flag that deviation from the employee’s own baseline. Providers of global computer security software products such as Symantec Corporation and McAfee, Inc., are now starting to add behavioral functionality to some of their products.
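The printing scenario above comes down to comparing each user’s weekly volume against that same user’s history rather than against a fixed company-wide limit. The script below is an added example for this post, not a Symantec or McAfee feature; its log format (`<date> user=<name> pages=<n>`) and the log lines themselves are constructed. It rolls pages up per user per ISO week, treats weeks with no printing as zero (so a user who rarely prints really does have a near-zero baseline), and only raises an alert once enough weeks have been observed, with an absolute floor so that a zero baseline does not turn every single page into an alert.

```python
"""Behavioral baseline over print logs: flag a user whose weekly page count jumps far
above that user's own history. Added example with a constructed log, not real data."""
import re
from collections import defaultdict
from datetime import date
from statistics import median

# Assumed (constructed) log format: "<YYYY-MM-DD> user=<name> pages=<n>"
LOG_RE = re.compile(r"^(\d{4}-\d{2}-\d{2}) user=(\S+) pages=(\d+)$")

# Constructed sample: alice rarely prints then prints 500 pages in one week; bob is a
# consistently heavy printer; carol appears only in the last week; dave prints once early.
SAMPLE_LOG = """\
2018-01-02 user=alice pages=2
2018-01-16 user=alice pages=3
2018-01-30 user=alice pages=500
2018-01-03 user=bob pages=400
2018-01-10 user=bob pages=450
2018-01-17 user=bob pages=380
2018-01-24 user=bob pages=420
2018-01-31 user=bob pages=470
2018-02-01 user=carol pages=600
2018-01-16 user=dave pages=60
this line is garbage and is skipped
""".splitlines()


def weekly_pages(lines):
    """Sum pages per user per ISO week -> {user: {(year, week): pages}}.
    Lines that do not match the expected format are skipped rather than fatal."""
    totals = defaultdict(lambda: defaultdict(int))
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        year, week, _ = date.fromisoformat(m.group(1)).isocalendar()
        totals[m.group(2)][(year, week)] += int(m.group(3))
    return totals


def find_anomalies(lines, min_history=3, ratio=5.0, floor=50):
    """Alert on (user, week) where pages > max(floor, ratio * median of that user's prior weeks).
    Weeks without printing count as 0 for every user; min_history suppresses alerts until
    that many weeks precede the one being scored; floor keeps a zero baseline from firing on
    a single page."""
    totals = weekly_pages(lines)
    all_weeks = sorted({w for weeks in totals.values() for w in weeks})
    alerts = []
    for user, weeks in totals.items():
        series = [weeks.get(w, 0) for w in all_weeks]
        for i, (year, week) in enumerate(all_weeks):
            history = series[:i]
            if len(history) < min_history:
                continue
            baseline = median(history)
            threshold = max(floor, ratio * baseline)
            if series[i] > threshold:
                alerts.append({
                    "user": user,
                    "week": f"{year}-W{week:02d}",
                    "pages": series[i],
                    "baseline": baseline,
                    "threshold": threshold,
                })
    return alerts


if __name__ == "__main__":
    for a in find_anomalies(SAMPLE_LOG):
        print(f"{a['user']} printed {a['pages']} pages in {a['week']} "
              f"(baseline {a['baseline']}, threshold {a['threshold']})")
```

Run as-is, it flags alice’s 500-page week and carol’s 600-page first appearance, while bob’s 470 pages stay quiet because they sit well inside his own baseline. Tune `ratio`, `floor` and `min_history` against real volumes before trusting the output; the point is the per-user comparison, not the particular constants.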
We all know the security problem is not going away. We’re certain to see still more data breaches in 2018. And we’re all but guaranteed to see some big ones—although, hopefully, not to the extent of what we saw in 2017 with Equifax.
That’s why our overall advice for 2018 is this: Continue to become more proactive. It’s a lot less costly to get a program up and running before a breach than it is to create a good security program after one. It’s hard to play catch-up.
One way to become more proactive is to keep informed on the latest practices in information governance. You can do that by clicking here to sign up for the Doculabs newsletter, and get regular updates on our thinking on this topic.