As the year draws to a close, we can all look back at 2018 with great satisfaction knowing that we have successfully ticked GDPR off our to-do lists and consequently developed a robust Information Security plan… right? Wrong!
If 2018 taught (or re-taught) us anything, it’s that compliance is not synonymous with security – an old lesson that should have been reinforced by the highly anticipated GDPR compliance deadline. Regardless of the regulatory standard (PCI DSS, HIPAA, GDPR etc.), becoming compliant is really just a snapshot of how well your current security programme adheres to a specific set of security requirements at a given point in time. Threats evolve at a far faster pace than compliance standards, making security a fast-moving target. To ensure the confidentiality, integrity and availability of your most critical information assets, it’s vital to understand that a comprehensive security plan requires both maintained compliance with regulatory requirements and an active security programme that encompasses all necessary controls.
Now, looking forward, here are the top 5 trends we expect to make a big impact in Information Security in 2019:
Prediction #1 – We will see the real impact of GDPR
Don’t breathe a huge sigh of relief just yet – the effects of GDPR are just beginning. Since May 25th we have seen a flurry of organisations hit with ICO sanctions, such as Facebook, Carphone Warehouse and Uber to name a few. However, many of these fines were issued under GDPR’s predecessor, so we can expect to see the first of the major fines under the new regulation in 2019. We can also expect to see increased numbers of empowered customers and ex-employees exercising their Subject Access Request rights – a possible nightmare for unprepared organisations.
Privacy concerns dominated global headlines in 2018, spurred on in part by GDPR and sharper public understanding. As penalties toughen, privacy and data protection will appear higher up the board agenda.
Prediction #2 – Reduced security budgets
There’s a lot of uncertainty in the media surrounding Brexit and what a no-deal outcome would mean for UK businesses. But one thing is almost certain: the fallout from Brexit will lead to the slashing of security budgets, and to more stringent demands on providers as companies go overseas. This is where organisations should think in terms of being smarter about security, getting the most from your budget by spending wisely. Good security shouldn’t be a tick-box exercise but a process that fully supports the business goals; look for a provider who can understand and help your enterprise and is fully focused on your requirements.
Prediction #3 – ePrivacy regulation compliance
After several postponements, the new European Union ePrivacy Regulation (ePR), designed to modernise the outdated 2002 ePrivacy Directive, is set to come into play in 2019, catching many companies unaware as they are still playing catch-up with GDPR.
The main objective of the new ePR is to increase privacy protection for users of electronic communication, which will hugely impact business activities such as direct marketing, website audience monitoring and cookie tracking. If the regulation comes into play after Brexit, it’s likely that the UK will transpose the legislation into UK law. Even if this is not the case, most UK businesses will still be affected by the ePR, as the regulation has global reach, affecting businesses around the world that provide services to Europeans. So if you have not yet started your preparations for compliance, now is the time.
Prediction #4 – Bigger breaches despite increased awareness
The breaches we have seen this year will look tiny in comparison to what will be uncovered in 2019, and the impact will be more severe. Why? Well, as the threat landscape continues to expand beyond expectation, many of us are still forgetting the basic preventative measures such as employing effective software patching practices, updating out-of-date operating systems and ensuring applications are appropriately configured – leaving attackers to take advantage of these easily fixable vulnerabilities. Even if you’re on top of the technical controls, this doesn’t always protect against physical attacks or against exploitable weaknesses among staff and others who have access, as many breaches occur due to human error or insider threats. It’s necessary to extend awareness throughout the entire organisation and foster a secure culture; it might not stop a breach, but it’s likely to reduce the impact significantly.
Prediction #5 – Improved security by design for IoT products
Not everything is expected to be doom and gloom in 2019. With increased awareness of security issues surfacing in critical environments, and with the launch of the Government’s IoT Code of Practice, we expect to see a lot more development teams integrate “security-by-design” into their controls. There is still a lot more progress to be made in this area; however, steps are being made in the right direction, partly through fear of penalisation. Moreover, we’ve found that developers make great security promoters once they’ve received the training necessary to understand and recognise the issues.
So, there you have it, our predictions and trends to watch for 2019 and beyond. How do they compare to yours? Let’s continue the conversation over on our LinkedIn page here: https://www.linkedin.com/company/commissum/