It should come as no surprise to anyone that investing in cybersecurity and preparing for breaches are determining factors in the outcome of a security incident. It will affect responses from regulators, commentators and clients.
Yet, while cybersecurity spending is growing at around 10% a year – and privacy at around 16% – research shows that many feel this is still an under investment. In a way, it’s not hard to see why. Both are cost-centers. Evangelists are sometimes seen as Cassandras, forecasting a doom that may never come, but is expensive to remediate. To carry that analogy through – Troy burned… and it’s a brave CEO who believes their organization will never be breached.
Regulatory burden continues to grow
So, while growth rates are encouraging, they are also symptomatic of playing catch-up. The General Data Protection Regulation (GDPR) was a wake-up call. It brought these issues into the boardroom for the first time – not least because of the investment required to run even the smallest compliance programme. But it was not the first privacy regulation and more are coming – India, Singapore, Brazil and China are all bringing forward new or amended regulations in the next year to 18 months. In the US, the California Consumer Privacy Act will be in force from 1st Jan 2020, and with other US states piling in with their own variations, there is also the prospect of a federal privacy law.
These regulations are themselves playing catch-up – almost inevitably, as the threat landscape changes and new vulnerabilities emerge. As the company privacy geek, I’m often asked what the regulations say about specific security measures. In most cases it is very little as regulators shy away from specifying technology that could be obsolete next year.
Three steps that companies can take today
So, what to do? According to Gartner, around a third of the $124bn spend is on consultancy and advice on the regulations. This must be welcome; effective and relevant governance, risk and compliance advice is critical. It helps businesses to build a program and put resources in the right place to deliver protection. That helps to provide assurance to customers and employees alike.
There are several planks to this. The first is ensuring that you understand the regulatory landscape. This will shape the types of controls you need to have, and how these interact with individuals. Jurisdictions will have different views on whether consent is required and what that means, the types of monitoring that can be put in place and, perhaps, the level of government ‘interaction’.
Next is to limit risk. This is about lifecycle management and minimization. If you’re not holding data, you can’t lose it. Limiting collection, having a retention schedule and securely deleting data should be part of every privacy program. Reviewing these practices is an ongoing task – driven by privacy policies, undertaken by front-line teams (whether HR weeding and shredding, or IT decommissioning old databases), and reviewed by risk and audit.
The third is detecting a problem. Once your data is on the dark web or a tabloid frontpage, it’s too late. Even the best PR will only help to limit damage. Instead, it’s important to understand what ‘normal’ looks like in terms of network and endpoint behavior. This will give you a chance of detecting anomalous behavior that could be a threat – whether it’s a port that’s suddenly active, an employee installing software they’ve downloaded. Or a printer suddenly taking a great deal of interest in your network at 11.21 every evening (one for the X-Files fans there…).
Is AI the key to solving the perennial endpoint problem?
Endpoints are an obvious way in – this is why social engineering attacks are so popular. Once you have a set of credentials, you can sit on an endpoint and wait for the next, better set to come along. Spotting that early is key – but it also means monitoring the endpoint, which, by extension, monitors the user, and their day-to-day activity.
This resulting data could, in theory, be used for other purposes. Throw in mobile and wearable technology, and it could move well beyond ‘time and motion’ into ‘movement and emotion’. This would be seen by many to be unacceptably intrusive and high-risk processing. Layering in controls around access to the data and minimizing retention will be required to allay privacy concerns, particularly in European jurisdictions.
The answer may lie in Artificial Intelligence (AI) itself – letting the machine take care of certain actions and, only escalating when thresholds are met. Another answer may lie in the tokenization of data – removing, as far as possible, the ability to identify the end-user until necessary.
Plan for failure rather than fail to plan
Finally; prepare to fail. Breaches happen. Understanding that and preparing for it will be the difference between handling it well, or not. Putting in place an incident response plan and understanding how to minimize data exposure – and risk to individuals – will help you to control damage, and provide a better narrative. Being able to show your workings, and demonstrate compliance will assist you in conversations with regulators and customers.
In any case, any and all of this requires investment and planning. Big-name breaches and increasingly robust regulatory action, along with consumer expectations all cry out for business to be taking this seriously. Those that do, will perform well – even if they do suffer a breach. And that is often a differentiator between customers walking away or not. Those that don’t, can expect to see regulators circling.
This article was originally published on the NTT Security website here.
NTT Security is the specialized security company and the center of excellence in cybersecurity for NTT Group. With embedded security we enable NTT Group companies to deliver resilient business solutions for clients’ digital transformation needs. NTT Security has 10 SOCs, seven R&D centers, over 1,500 security experts. NTT Security is part of the NTT Group (Nippon Telegraph and Telephone Corporation), one of the largest ICT companies in the world.