Often when planning where cybersecurity efforts will be focused, the term crown jewels will come up: “protect the crown jewels; these are what matter most,” advises the security officer. The crown jewels are usually interpreted to mean the company’s most valuable data and assets – namely, intellectual property, card payment data and employee information.
Now, let me pose this question: how often in the news do we hear of this kind of data being exposed? The answer: less frequently than we hear of customer data being compromised. Coincidence? Or the by-product of an outdated school of thought that needs prompt reconsideration for 2019 and beyond?
Regulations dictating protection
A significant reason that emphasis is put on the wrong type of information has a lot to do with regulations and regulatory bodies putting the fear of fines within organisations. PCI DSS, for example, is a well-meaning standard, but it also forced companies to focus data protection efforts on payment card data. Of course, that’s not to say that when cards are breached there isn’t a cost associated.
In fact, it was due to bearing the burden of these costs that card issuers rallied to have PCI DSS implemented, with the threat of big penalties for any company that was breached. This in turn forced companies to invest disproportionately in protecting card numbers over actual customer information. The problem with this approach is that card data is pretty much a commodity. It naturally ages, and new cards will be issued as a matter of course. A breach simply accelerates the process. In this way, payment cards have a natural resilience built into them; therefore, there is an argument that this data does not necessarily equate to “the crown jewels”.
While a regulation like GDPR is a step in the right direction towards focusing on protecting the privacy of individuals, it too wields a big stick with the threat of massive fines; and naturally, companies will do what they can to protect their businesses first and foremost.
Up until the first half of 2018, the letters G, D, P and R were well worn out on the keyboards of most security professionals and journalists. Then the regulation came into effect and everyone breathed a collective sigh of relief. But like the villain in a horror movie, this doesn’t mean it’s the end. Rather, GDPR is lying in wait, knowing that most organisations are on thin ice, and when they fall through, it’ll be there to catch them.
Data collection in 2019
Scandals such as Cambridge Analytica have clearly demonstrated the power of available data on individuals in swaying public opinion. A logical starting point is the design stage, where decisions about what to collect need to be thought out better rather than relying on outdated processes. This includes not using personal information for trivial functions.
For example, does every online registration require a user’s personal information, such as date of birth? If not, then why capture it? Similarly, consider whether a user’s email address should be used as the user ID. As email has become more important to users, so has the risk of it being targeted.
Perhaps the data can still be captured, but protected by alternative methods, in the way card data is tokenised. Then, if it does get breached, not only are the customer details protected, but the business can continue with minimal disruption, allowing true resilience against such events. As the transition is made to protecting more data, it will have some big implications for 2019 that companies would do well to get ahead of.
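The tokenisation approach mentioned above, as an added illustration that is not part of the original article: sensitive values are swapped for random tokens at capture time, the application’s own records keep only the token and a display mask, and the real value lives in a separately secured vault that releases it only to roles with a business need. The example goes a step beyond card data and applies the same pattern to an email address, since the point of the article is that customer data deserves the same treatment. Everything here is an assumption for illustration: the in-memory TokenVault stands in for a real vault service, the role names (payment-processor, mailer) are hypothetical, and the sample card number is the well-known Luhn-valid test number, not a real card.

```python
"""Minimal tokenisation vault (added example; not from the original article).

Sensitive values (card numbers, emails) are swapped for random tokens when
captured. Application records keep only the token and a display mask, so a
breach of those records exposes nothing reusable. The cleartext lives only in
the vault, which releases it solely to authorised roles and logs every request.
"""
import re
import secrets

# Constructed sample inputs: a well-known Luhn-valid test number (not a real
# card) and a throwaway address.
SAMPLE_PAN = "4111111111111111"
SAMPLE_EMAIL = "alice@example.com"


def luhn_ok(pan: str) -> bool:
    """Standard Luhn check-digit validation for a digit string."""
    if not pan.isdigit():
        return False
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


# Per-kind validation and masking rules. Masks keep only what a support
# screen legitimately needs: the last four digits, or the mail domain.
KINDS = {
    "pan": (lambda v: 13 <= len(v) <= 19 and luhn_ok(v),
            lambda v: "*" * (len(v) - 4) + v[-4:]),
    "email": (lambda v: re.fullmatch(r"[^@\s]+@[^@\s]+\.[^@\s]+", v) is not None,
              lambda v: v[0] + "***@" + v.split("@", 1)[1]),
}

# Hypothetical roles permitted to see cleartext for each kind (assumption).
ALLOWED_ROLES = {"pan": {"payment-processor"}, "email": {"mailer"}}


class TokenVault:
    """In-memory stand-in for a hardened vault service (assumption: the real
    one is a separate system with its own access controls and audit trail)."""

    def __init__(self):
        self._by_token = {}   # token -> (kind, value)
        self._by_value = {}   # (kind, value) -> token, so repeats reuse a token
        self.audit = []       # (action, token, role) entries

    def tokenise(self, kind: str, value: str) -> str:
        validate, _ = KINDS[kind]
        if not validate(value):
            raise ValueError(f"invalid {kind}")
        key = (kind, value)
        if key in self._by_value:
            return self._by_value[key]
        # The token is random, so it carries no information about the value.
        token = f"{kind}_{secrets.token_urlsafe(18)}"
        self._by_token[token] = key
        self._by_value[key] = token
        return token

    def masked(self, token: str) -> str:
        """Display form that is safe to store beside the token."""
        kind, value = self._by_token[token]
        return KINDS[kind][1](value)

    def detokenise(self, token: str, role: str) -> str:
        """Only roles with a business need get the cleartext; every request is logged."""
        kind, value = self._by_token[token]
        self.audit.append(("detokenise", token, role))
        if role not in ALLOWED_ROLES[kind]:
            raise PermissionError(f"role {role!r} may not detokenise {kind}")
        return value


def build_order_record(vault: TokenVault, pan: str, email: str) -> dict:
    """What the application database would store: tokens and masks only."""
    pan_tok = vault.tokenise("pan", pan)
    email_tok = vault.tokenise("email", email)
    return {
        "pan_token": pan_tok, "pan_display": vault.masked(pan_tok),
        "email_token": email_tok, "email_display": vault.masked(email_tok),
    }


if __name__ == "__main__":
    vault = TokenVault()
    record = build_order_record(vault, SAMPLE_PAN, SAMPLE_EMAIL)
    print(record)  # no card number or full address anywhere in the record
    print(vault.detokenise(record["pan_token"], role="payment-processor"))
```

The design point is in build_order_record: the order table never holds the card number or the full email, so a dump of that table gives an attacker tokens that are useless outside the vault, while the business keeps a display mask for customer service and can still charge the card through the one role allowed to detokenise.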
There are many pressing issues in the cybersecurity world: critical infrastructure lies exposed, and IoT or smart devices continue to bring insecurity to the masses on a very personal level. 2018 already saw the state of California forbid IoT device manufacturers from using weak default credentials on their devices in an attempt to protect citizens and their personal information. But this is likely only the beginning, with more standards and regulations likely to crop up across the world in disparate pockets, each trying to address a particular cybersecurity threat.
Hand in hand with regulations and the immense threat of fines, 2019 could also see the rise of cyber insurance. This is driven not just by organisations’ own desire to add an extra layer of business protection; often it is large organisations mandating that their smaller partners take out cyber insurance. It is therefore likely to see exponential growth among small and medium businesses (SMBs). It will also have the positive consequence of pushing SMBs to look at their overall security posture and make improvements.
Furthermore, as organisations come to the realisation that all personal data they collect should be given the crown jewels status, they will rely increasingly on managed security service providers (MSSPs) to help fulfil their security needs. This will also be driven by an ever-increasing technology estate that needs to be secured, and a lack of available skilled talent to hire.
The spate of data breaches that compromised customer information in 2018 must be a lesson learned, albeit the hard way, for organisations in 2019. They must get better at defining the “crown jewels” and ensuring this includes all customer data, as well as recognising the trends that will arise from this transition. Data protection will be a huge theme for 2019, with the publicly mandated requirement for organisations to be as transparent as possible about what they do with customer data. Organisations that bury their heads in the sand or neglect to up the stakes in data protection for 2019 may land themselves in hot water.
Javvad Malik, Security Advocate at AlienVault, an AT&T company