05 January 2015

2015 Predictions: Revelations and Regulations

Jay Kaplan

2015 will be the year of security revelations (and regulation)…

I’m not referring to revelations of new data breaches (that trend will certainly continue) but revelations that security enforcement has not kept up with the exponential adoption curve of new technology. 2015 will be the “uh oh” year of manufacturers, consumers, insurers, and governments alike realizing that security, while once pretty low on the totem pole of priorities, is no longer a feature but a requirement. 2015 will be the year that the government steps up their game from simply creating policies and recommendations to shifting to the creation of proactive enforcement programs with actual consequences. 2015 will be the “this is not enough” year of requirements; the revelation that compliance alone is not a solution will expand security budgets and change industry recommendations.

Here’s my rationale:

    • Mobile: No longer are mobile devices being used solely for communication. Smart phones have transformed how we entertain, how we exercise, how we pay, how we live. iPhones and Android devices have literally become an extension of who we are as human beings. With that, we’ve seen a mentality shift away from treating these devices as a product or gadget and towards treating them as a necessity for living normal lives.
    • IoT: Refrigerators, thermostats, and cameras are all moving online, and that move has called the integrity of our personal information into question. When technology is so embedded into our day-to-day lives, and then woven into a global online fabric, we are forced to ask questions about the implications of not protecting the integrity of these devices.
    • More IoT: As soon as we start talking about interconnected cars and life safety devices, we start to realize that failure to adequately protect them from sabotage can lead to lost lives. When the impact of a malicious breach moves away from losing sensitive data to people losing their lives, we have to immediately force a mentality shift and seriously examine the consequences of not being proactive.
    • Enterprise Tech: More than ever, large enterprises are recognizing that failing to protect their corporate assets can lead to unprecedented consequences. Not only is brand damage irreparable, data breaches are leading to hundreds of millions of dollars in lost revenue. In light of the recent Sony attacks, we see consequences going as far as personally impacting individuals who interface with these organizations (in this example, actors doing work on behalf of Sony Pictures), putting into question their choice of companies to do business with down the road.

Agencies like the FCC, which have instituted PCI requirements, and HHS, which constructed HIPAA, have played important roles in levying fines against companies post-breach — this will soon shift to pre-breach fines for inadequate protection. IRS-like audits will become the new norm and companies will be forced to address the problem head-on.

Insurance companies will begin to recognize that treating data breaches like workman’s comp is an illogical comparison. Proactively evaluating the true risk of an organization through a much more holistic assessment of its overall security posture, and conducting that assessment in a way that mimics an attacker, will become a necessary step before insurers take on cyber liability.

Will added scrutiny hinder innovation, or perhaps cause the adoption of technology in the workplace and our personal lives to slow? Maybe. But one thing is clear: technology is here to stay, and the security of that technology is an absolute necessity.