Two years ago the European Union (EU) introduced the General Data Protection Regulation (GDPR), a law designed to give individuals greater control of their data. Organisations, both inside and outside the EU, needed to process data in a way that was “lawful, fair and transparent”, with data controllers processing the minimum amount of data on individuals living in the EU.
The regulation also mandated the secure handling of data using “appropriate technical and organisational measures.” Users were able to request a copy of the data collected on them.
Public awareness of data privacy grew dramatically. While GDPR may only be compulsory for the data of individuals in the EU, complying with it was also good practice for companies wanting to retain global customer trust.
Two years later, the draconian fines and sanctions included within GDPR have rarely been used (with a few notable exceptions) – so surely this is an indication that most companies have stuck to the regulations and that our personal data is safe… [End of Article: note to editor – that was easy]
Not so fast!
There might still be a few (not so) small problems, not the least of which is a recent EU court ruling that struck down Privacy Shield, which, when coupled with the lack of progress on federal privacy regulation in the U.S. … understanding all of this will help you navigate the evolving privacy and cyber security landscape. So, time for a few bold predictions and recommendations. These are my opinions and not those of Commvault, and you can hold me (but not Commvault) to them if you wish.
Problem 1: The move to the cloud is creating a massive data management headache
The pandemic has accelerated the move to the cloud, but if the right data management approach is not taken, it will create big problems. During the migration to the cloud, most organisations find it difficult to decide which applications to move, in what order and how. Once they are in the cloud, these same organisations develop a data problem. Their IT budgets are under pressure, and while the number of applications tends to be relatively static, the data volumes are growing exponentially (and could grow even faster with 5G). Without a clear data architecture it is impossible to see where data is duplicated, or to differentiate between data that needs to be accessed regularly, data that can be archived and data that can be discarded. GDPR requests to view or delete personal data can become impossible to satisfy. And while storage itself is relatively cheap, data transfer (egress) charges are not. Data architecture is also critical for access controls (with increasing levels of remote working) and for backup and recovery services, which need to be able to prioritise different data sets.
During the migration to the cloud, most organisations have an application problem. … Once they are in the cloud they have a data problem.
Prediction: Following the pandemic, companies are focused on security and collaboration and are looking to the cloud for productivity improvements and cost savings. Most will fail to realise either if they don’t plan their migration with data management in mind.
What you need to do: Don’t rush the move to the cloud. Use the migration as an opportunity to map/profile your data and implement a strategic data architecture to underpin everything from access controls and integrations to backup and recovery.
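As an illustration of what "map/profile your data" means in practice, here is a small added example (not code from the original article, Commvault or the author): a single pass over a file tree that records a content hash per file to find byte-identical duplicates, flags files that appear to contain personal data, and tiers files by age into hot, archive and review-for-deletion. The email regex as the only PII heuristic, the 90- and 365-day thresholds, and the three sample files are all assumptions constructed for the example; a real inventory would use a proper classifier and a catalogue that persists the hashes.

```python
"""Minimal data-profiling pass: duplicates, PII indicators and age tiers.

Added example, not the article's or Commvault's code. Sample files and
thresholds are constructed for illustration.
"""
import hashlib
import os
import re
import tempfile
import time
from collections import defaultdict

# Assumption: a naive email pattern stands in for a real PII classifier.
EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# Assumption: policy thresholds in days for hot / archive / review tiers.
HOT_DAYS = 90
ARCHIVE_DAYS = 365


def sha256_file(path, chunk=65536):
    """Stream the file through SHA-256 so large files are not read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def profile_tree(root, now=None):
    """Walk `root` and return duplicates (by content hash), PII hits and age tiers."""
    now = time.time() if now is None else now
    by_hash = defaultdict(list)
    pii_files = []
    tiers = {"hot": [], "archive": [], "review": []}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            by_hash[sha256_file(path)].append(rel)
            with open(path, "rb") as f:
                text = f.read().decode("utf-8", errors="replace")
            if EMAIL_RE.search(text):
                pii_files.append(rel)
            age_days = (now - os.path.getmtime(path)) / 86400
            if age_days < HOT_DAYS:
                tiers["hot"].append(rel)
            elif age_days < ARCHIVE_DAYS:
                tiers["archive"].append(rel)
            else:
                tiers["review"].append(rel)
    duplicates = {h: sorted(p) for h, p in by_hash.items() if len(p) > 1}
    return {
        "duplicates": duplicates,
        "pii_files": sorted(pii_files),
        "tiers": {k: sorted(v) for k, v in tiers.items()},
    }


def build_sample_tree():
    """Constructed sample data: a CRM export, a stale copy of it, and a harmless note."""
    root = tempfile.mkdtemp(prefix="profile-")
    now = time.time()
    samples = {
        "crm/customers.csv": ("id,email\n1,alice@example.com\n", 10),
        "backup/customers_copy.csv": ("id,email\n1,alice@example.com\n", 400),
        "docs/readme.txt": ("internal notes, no personal data\n", 200),
    }
    for rel, (content, age_days) in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w") as f:
            f.write(content)
        mtime = now - age_days * 86400
        os.utime(path, (mtime, mtime))  # backdate so the age tiers differ
    return root, now


if __name__ == "__main__":
    sample_root, sample_now = build_sample_tree()
    report = profile_tree(sample_root, sample_now)
    for digest, paths in report["duplicates"].items():
        print("duplicate content", digest[:12], paths)
    print("files with PII indicators:", report["pii_files"])
    for tier, paths in report["tiers"].items():
        print(tier, paths)
```

The point of the exercise is visible in the sample: the stale copy under `backup/` is both a duplicate and a PII holder that has aged into the review tier, which is exactly the file a subject access or erasure request would otherwise miss.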
Problem 2: Adapting to the new normal
Some sectors (hospitality and travel) have been hit disproportionately hard by the pandemic and may be facing a very different future, but almost all sectors will see an extended period of remote working and collaboration. Compliance requirements as to how data is stored, shared and protected apply equally for centralised, remote and cloud-based systems.
Prediction: In the short term, the rush to enable remote working may focus more on collaboration and improved efficiency and user experience, at the expense of data protection and compliance. Are your staff sharing personal customer information via email or messaging, because they cannot meet to discuss it face to face? Are they recording data locally if their home broadband is unreliable? Do you have the ability to protect and restore any local data sets? Are they using their own initiative to back up to local devices that are neither compliant nor secure?
Remote working can be a privacy and security nightmare.
What you need to do: Wherever possible, mandate the use of secure, managed work devices and of cloud-based systems where data management discipline can be applied.
Problem 3: Big tech firms appear above the law
Not a single case has been brought against the big tech firms (Facebook, Google, Apple, etc.) under GDPR by the data regulator in the country where most have their European headquarters – Ireland. Far from being a sign of good behaviour, it shows how under-resourced the local regulators are to take on tech giants with the means to keep them tied up in legal appeals for years to come.
Prediction: Until there are adequate resources to enable effective enforcement, the regulation will be meaningless. This may change following the recent ruling in which Privacy Shield was overturned and the Irish regulator and its EU peers were reminded that they have a duty to take action.
What you need to do: Watch how these cases unfold, see what precedents are set and look out for a further successful challenge by the same privacy activists, this time against Standard Contractual Clauses (SCCs), which would cause massive disruption.
Problem 4: Inconsistent global regulation
GDPR remains the gold standard that other regulations have sought to match, but while state regulations such as the California Consumer Privacy Act (CCPA) have emerged, there has not been enough consensus to bring forth American federal privacy regulation.
Prediction: Once opposed to all privacy regulation, the tech sector is now getting behind efforts to craft federal regulation, seeing not only an opportunity to influence its wording, but also a chance to avoid an onerous patchwork of regulations across each and every state. U.S. federal privacy regulation is coming.
What you need to do: Be prepared for it and for the changes that will be needed to conform simultaneously to both GDPR and its new U.S. equivalent.
Problem 5: The threat landscape is getting worse all the time, and so is the complexity
Companies are not only struggling to keep up with the evolving threat landscape but are also having to contend with a complex and often fragmented array of security solutions.
Complexity is becoming as big a problem as cyber crime, with many CISOs spending more time coping with the security tech than they do coping with the threats themselves.
Prediction: Organisations will eventually learn that they need to have deeper relationships with a smaller number of vendors with strategic suppliers in each area, such as Commvault in backup and recovery, which can provide more comprehensive protection.
What you need to do: Don’t skimp on cyber security or allow yourself to be blinded by numerous point security products, each with a long list of features, most of which you’ll never use. Instead simplify your management overhead and optimise your defences by aligning with a few high calibre strategic partners like Commvault.
Problem 6: Companies are taking a tick box approach to GDPR
Too many organisations think that GDPR was something that they did in a rush two years ago, rather than a mindset that they need to adopt with ongoing vigilance. Few organisations regularly test, assess and evaluate their cyber security processes as GDPR requires and many are just one slip away from a major cyber incident.
The foresight of data protection, preparation and prevention isn’t necessarily cheap, but it’s a whole lot cheaper than hindsight and the technical, legal and reputational cost of getting it wrong.
Prediction: We have already seen a few significant GDPR fines from European regulators as well as fines from the Federal Trade Commission (FTC) in the U.S. We are also starting to see massive class action claims – such as the £18 billion claim against easyJet for a breach involving nine million records. Far more fines and claims will follow as the number of cyber incidents increases. All too many firms will learn the hard way, leaving cybersecurity until it is too late. Cyber law will be booming.
What you need to do: Invest in prevention and sustain a high level of vigilance. Test, assess and evaluate your cyber security processes regularly. Understand your data, what you’ve got and where it is. And even if you are unable to avoid a cyber incident, ensure that you are well positioned to respond and recover, thereby minimising the impact.
Problem 7: Senior management is still failing to take data privacy seriously
The failure to take privacy seriously often comes from the top, with senior management seeing it as something that can be delegated to the CISO and forgotten about.
Prediction: Attempts to combat financial crime were ineffective until regulators introduced regimes like the UK’s Senior Managers and Certification Regime (SMCR) to make senior managers personally accountable. Likewise, measures to combat health and safety abuse led to corporate manslaughter provisions – to hold not just companies, but also their directors, to account. While many will already see GDPR as draconian, this author believes that it is probably just a matter of time before we see the sanctions for privacy failures being extended to company directors as well.
What you need to do: If you are a company director, or have ambitions to become one, then make sure that your organisation gets its cybersecurity act together long before such legislation is introduced.
Problem 8: Cyber insurance isn’t fit for purpose
Warren Buffett once said, “I don’t think we or anybody else really knows what they’re doing when writing cyber [cover].” Unfortunately, things have improved little and the techniques currently used by cyber insurers to assess and price cyber risk are incredibly crude. To cover themselves, many insurers include a host of exclusions that make it almost impossible to claim for any incident, meaning that their policies are often not worth the paper they’re written on. For example, insurers invoked the “act of war” exclusion to deny NotPetya claims after the U.S. government attributed the attacks to the Russian military. With many claiming that there is now a cyber “cold war” between east and west, we may see almost all attacks attributed to Russia, China, North Korea and Iran excluded in this way.
Prediction: A reckoning is coming. At some point insurers will face meeting a number of ruinous payouts or being exposed as ineffective. At this point, non-specialists will exit the market and those that remain will use cyber audits to price policies with greater rigour. This will drive up the cost of such policies, but at least they will then be effective.
What you need to do: Check your policy for exclusions such as these and work with a specialist broker to find a policy that matches your risk appetite. Also don’t count on insurance as the answer. The priorities are prevention, detection and recovery.
Problem 9: We are heading for a cyber arms race
We need to be rigorous in our cyber defences and we must be lucky all the time, whereas the cybercriminals are opportunists and only need to be lucky occasionally. Both sides are getting ever more sophisticated, with artificial intelligence used by defenders for detection and response, and by attackers for reconnaissance and evasion. The attackers are using metamorphic and polymorphic malware to evade signature-based detection, while the defenders are countering with behaviour-based detection and automation such as Security Orchestration, Automation and Response (SOAR) to keep pace.
Prediction: The security tech market is currently fragmented and overcrowded. Only the largest players will be able to invest in the level of innovation required to keep pace in this arms race. We will see a consolidation in the market with many smaller players either failing or being acquired.
What you need to do: Again, focus on a small number of strategic vendors, such as Commvault, each best-in-class and recognised leaders in their own field, which will have the resources to retain leadership in this arms race. Also don’t count on always being able to counter every threat, so ensure that your cyber incident management plan (including backup and recovery/disaster recovery) is well rehearsed.
Bill Mew is the founder and CEO of cyber crisis incident response firm The Crisis Team. He is also a high profile digital ethics campaigner, who focuses on striking the right balance between “meaningful protection” (privacy, security, etc.) and “the maximization of economic and social value” (innovation, digital transformation, cloud, smarter cities, govtech, etc.). As well as being one of the top global influencers on all these topics, he appears regularly on international broadcast TV and radio, having more broadcast airtime than any other technologist in the UK.