Against a backdrop of companies pivoting for compliance with the EU’s General Data Protection Regulation, the past 12 months brought an increase in data breaches along with new cyberattack trends that look set to define organisational approaches to data privacy and cyber security long into 2020.
GDPR compliance as a journey, not a destination
Certainly, 2019 illustrated how compliance with the GDPR requires ongoing attention, which brings its own set of challenges; the biggest of which has been resourcing, both financial and in personnel.
Finding the right people to do the work continues to prove difficult as demand for seasoned privacy professionals increases. When it comes to GDPR, and the UK and Europe specifically, organisations should monitor the European Data Protection Board website, which has also started reposting information from national DPAs alongside its own ongoing guidance.
The penalties for non-compliance and the potential reputational risk are severe and companies cannot afford to let their privacy programmes lapse.
Learning from big companies’ mistakes
Regulator action from the past year illustrated the severe damage that organisations can incur when the right care is not taken to protect user data.
In July, news broke of British Airways’ notification from the Information Commissioner’s Office (ICO) of its intention to issue the carrier with a record-breaking fine of £183 million, after customer data was stolen from BA’s website.
Also in July, Marriott International received notification from the ICO of an incoming fine of almost £100 million, after the hotel chain disclosed that its Starwood reservation database had been compromised over a period of four years, between 2014 and 2018.
The breach resulted in approximately 339 million guest records globally being exposed, of which around 30 million related to residents of 31 countries in the European Economic Area (EEA).
Following an investigation, Information Commissioner Elizabeth Denham said:
“The GDPR makes it clear that organisations must be accountable for the personal data they hold. This can include carrying out proper due diligence when making a corporate acquisition, and putting in place proper accountability measures to assess not only what personal data has been acquired, but also how it is protected.
“Personal data has a real value so organisations have a legal duty to ensure its security, just like they would do with any other asset. If that doesn’t happen, we will not hesitate to take strong action when necessary to protect the rights of the public.”
David, data and democracy
Midway through 2019, we gained an understanding of the power of data as a political tool, when The Great Hack film brought the Facebook / Cambridge Analytica scandal to the big screen.
A year on from the revelations hitting the headlines, whistleblower Christopher Wylie, who worked with a Cambridge University academic to obtain the data, told the Observer:
“We exploited Facebook to harvest millions of people’s profiles. [We] built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”
It wasn’t just a film for GDPR pros and computer geeks; the film laid bare what happens when personal data is employed as a weapon for mass surveillance, and how it can be used to build fear and change reality within our digital world. The results threaten to erode democracy at its most fundamental level.
In an exclusive interview with PrivSec Report following the film’s release, The Great Hack star, Professor David Carroll commented:
“Cambridge Analytica was a cataclysm in terms of causing an awakening, where before there was a sense of negligence on the part of consumers and technical companies.
“Consumers and businesses were reckless because there was no penalty, not even bad press, for data breaches, and so the whole system has been realigned.”
A new era in innovation
Of course, 2019 left us in awe of what promises to be achieved with data and its use in AI and machine learning.
Biometrics rose as a key theme, with innovations such as fingerprinting for customer authentication being increasingly seen as a solution to a creaking log-in and password process.
Recent advances in applying fingerprint biometric sensors to smart cards mean authentication credentials are held only on the card itself – removing the need to store the data in a central database, which is both vulnerable to breaches and a popular entry point for hackers.
It’s not just humans adapting to smart entry systems. In 2019, we saw the creation of an AI-driven cat-flap which stops a pet from entering the building if it’s carrying prey in its mouth.
The device was the brainchild of Amazon worker Ben Hamm, who taught a computer algorithm to recognise whether his kitchen-bound kitty was bearing gifts.
Upon detecting the presence of unwelcome guests, a computer system linked to the cat flap activates a 15-minute lock-out – more than enough time for a cat to find an alternative resting place for a late shrew.
Evolving cyber-attack threat
We leave 2019 under no illusions as to the principal cyber-attack method being used by hackers against the average consumer today. Phishing is on the rise, and it’s an approach that is still able to trick 61% of US computer users, one study found.
Whether it arrives by email or through social media, hackers are continuing to focus their efforts on duping people into opening a link or viewing misleading content. The intention is to steal user data in order to craft tailored phishing attacks for financial gain, and it’s a tactic that seems to be working.
One thing 2019 did not contain was another massive-scale data breach. On one hand, this could illustrate that we are getting better as a global community at shoring up cybersecurity, and that lessons are being learnt. But the data world turns too quickly for lessons to stay relevant for long.
As the US prepares for the California Consumer Privacy Act, due to come into force on the 1st of January, we recognise that lessons have a short best-before date in the world of cybersecurity. What was enough yesterday won’t cut it today, and will simply spell your downfall if relied upon tomorrow.
In such a dynamic landscape, it’s clear that more work needs to be done through 2020 and beyond in order to keep pace with compliance while putting up the best fight possible against the ever-present cyber threat.
The post #Privacy: Looking back over a busy year for data privacy and cybersecurity appeared first on PrivSec Report.