Last week we discussed how, in spite of heavy spending on security solutions, organizations are still experiencing breaches, and how data-centric security can plug the remaining gaps. Here is our Prediction #2 for Data Security in 2018.
Prediction 2: Cybersecurity regulation will become even more prevalent and strident
While dozens of regional and country-specific data security regulations were announced or took effect in 2017, two of the biggest to come into force around the turn of the year are NIST SP 800-171 (mandatory for US defense contractors through the DFARS clause 252.204-7012, with a compliance deadline of December 31, 2017) and the GDPR (enforceable from May 25, 2018). Not everyone will be prepared for either once the clock strikes midnight.
There is a noticeable change in the focus of the newer regulations: they hold organizations responsible for information they share with third parties, information that travels and is stored beyond their own perimeter.
For instance, many manufacturing companies and sub-contractors in the defense supply chain were required to comply with NIST SP 800-171 no later than December 31, 2017. One of the most notable impacts of NIST SP 800-171 is that companies must protect controlled unclassified information, such as technical specifications and IP, even when it travels downstream to other sub-contractors and suppliers, since the DFARS clause must be flowed down to every subcontractor that handles that information. When you consider the scope of the components that go into creating defense and aerospace products, we are talking about hundreds if not thousands of companies and sub-contractors scrambling to determine how best to comply with NIST SP 800-171.
Another example of the shift in the latest regulations is the General Data Protection Regulation (GDPR), an EU regulation designed to unify and normalize the data protection framework within (and beyond) the EU. Here again, the regulation is not content to protect the personal data of people in the EU only within the perimeter of an organization; it holds organizations responsible for that data even when it is held on servers outside of the EU. And it isn’t enough to demonstrate security over that data: organizations must also be able to erase it on request (the right to erasure) and to stop processing it when an individual withdraws consent.
Despite a lot of talk around each of these regulations, there is still a lot of confusion and not enough resources dedicated to making sure companies are prepared. If companies are not prepared, it can cost them a pretty penny. For instance, serious infringements of the GDPR can attract fines of up to 20,000,000 EUR or 4 percent of total worldwide annual turnover for the preceding financial year, whichever is higher.
Figuring out how to be compliant not only with NIST SP 800-171 and the GDPR, but with all of the other regional and state-level cybersecurity and data privacy regulations, will be a top priority for companies in 2018. If you want some additional perspective on the scale of the challenge, consider this: in the United States alone there are 20 sector-specific or national privacy/data security laws, and hundreds more among the 50 states and the territories. California alone has more than 25 state privacy and data security laws.
In 2018, we predict that the shift from network-, application- and device-centric security to data-centric security will enable organizations to address multiple regulations at once while also improving their own security posture.