Posted on Feb 1, 2019
A message from SecurityScorecard's VP of Compliance - Fouad Khalil - on the state of compliance in 2019.
My 2018 predictions shed light on the 9.2 billion total number of records lost or stolen since 2013. We predicted that this number would continue to rise, and unfortunately we report today that the total has skyrocketed by 32% to 13.5 billion records. It is expected that this number will continue to rise.
While major data breaches rocked 2018, organizations across the globe focused on privacy. Thanks to GDPR, which took effect May 25, 2018, and US States passing similar laws – it is expected that the privacy trend will continue well into 2019 and beyond.
As you consider the expected rise in cyber-attacks, privacy will evolve the same. Managing privacy in 2019 will become the new normal. Data breaches and privacy-related incidents will not slow down thanks to newly issued laws and regulations. As organizations contemplate compliance with these requirements, it is critical to recognize that point-in-time compliance does not cut it any more. Continuous assurance is critical to ensure best protection against threats and risks that may lead to breaches.
In 2019, the consumer will be well informed about their privacy rights. They will better understand what controls they have over their personal data made available by laws and regulations like GDPR. Consumers are expected to exercise this right and take action in changing their security settings wherever they feel is the utmost risk to their personal data. Organizations across the globe must create and mature their privacy and security programs in support of these rights.
Multi-cloud deployment practices and the continued risks arising from them are a multi-year trend we’ve witnessed, and 2019 is not any different. These deployments will continue in 2019, but organizations are moving in the direction of private clouds versus public or hybrid. Many organizations are struggling with the exponential rise in cost and the unmanaged risks associated with cloud deployments; continuous compliance with policies and procedures is critical and must be part of the deployment process.
Supply chain and vendor ecosystems will continue to be your weakest link. Organizations are sharing data of all classifications without complete visibility into the partner or supplier control environment. We cannot just rely on questionnaire responses or SOC reports – Trust But Verify!! Organizations need to become more diligent in continuously monitoring their vendors' and suppliers' state of compliance with regulations, standards and simple security and privacy requirements. It has been reported that 70% of all data breaches are linked to a vendor or supplier.
The Asia-Pacific region has been out of the privacy and regulatory spotlight in 2018. This will change as more and more countries in the APAC region are drafting new cybersecurity and privacy laws with a sense of urgency (given the privacy breaches alone reported in 2018). For example, the Association of Southeast Asian Nations (ASEAN), with over 700 million active mobile connections and a flourishing digital economy, is taking an initiative to establish an ASEAN Digital Data Governance Framework to promote transparency in data privacy and cross-border data sharing amongst member states.
In summary, continuous assurance (real-time monitoring) is a critical component in ensuring compliance with regulations and standards and in minimizing the cyber risks that may lead to unauthorized access and, in turn, to a data breach. Organizations must make privacy part of their risk strategy as regulations continue to brew and consumers become a lot more knowledgeable of their personal data privacy rights. Lastly, our accountability does not end at our perimeter – we are accountable for protecting what’s important throughout its lifecycle (from creation, processing, storage and transmission to handing over to partners and suppliers).