How has GDPR Changed the Cybersecurity Playing Field?
Data breaches are still a common occurrence - even since the General Data Protection Regulation (GDPR) was enforced. Businesses still have their work cut out to protect their customers' data. What have we learnt from the past 12 months and how can the industry improve moving forward?
2018 was supposed to be a turning point for data privacy. Just over a year ago, GDPR was introduced by the European Union to better protect consumers’ data and urge brands to be more responsible for data privacy and protection.
As businesses rushed to become compliant, it quickly became clear that it was going to be a painful process for data owners who underestimated the scale of the task that GDPR presented.
One year on, most businesses seem confident that they’re compliant – or at least say that they are. However, over the past twelve months, some of the world’s best-known companies have come under fire for poor data practices and significant breaches, despite greater scrutiny of data collection, storage and protection.
Take the American question-and-answer website Quora, for instance. CEO Adam D’Angelo revealed that user data had been compromised by a third party who gained unauthorised access to one of its systems in November 2018. The hackers stole 100 million users’ names, emails, encrypted passwords and other data imported from social networks. It was a massive reputational crisis and had a profound effect on customer trust.
Quora, however, was not an outlier last year. It was just the tip of the iceberg, with many businesses experiencing large-scale attacks, including Facebook, Ticketmaster and Vision Direct - further damaging consumer trust in brands across the board.
No business wants to experience a data breach or put their consumers’ Personally Identifiable Information (PII) in jeopardy, but even now, many organisations aren’t doing enough to prevent a data breach or GDPR infringement. So what have we learned in the last year and how can the industry improve moving forward?
Hackers have doubled their efforts to identify weak links
Whilst new regulation has shone a light on data practices and forced businesses to employ new processes, it hasn’t deterred hackers. Over the past six months alone we’ve seen even more cybercrime.
For many organisations, the increase in website attacks is a cause for concern and threats are only growing in sophistication - hackers are getting much smarter. Our new research has found that nearly 90 per cent of executives are either concerned or very concerned about the rise of high-profile breaches. Commentators argue that these cybercriminal gangs are developing Artificial Intelligence solutions to infiltrate businesses’ defences at scale. They are right to be concerned as it is certainly something we can expect to see more of in the future.
Many hackers target companies that don’t have fundamental security measures in place. For example, protection can mean keeping watch over unauthorised third-party technologies that are active on a business’s website. Organisations are having to learn the hard way that they need a holistic view of their website supply chain, as only then can they understand where potential vulnerabilities lie. Businesses’ data defences are ultimately only as strong as the weakest link in their supply chain.
To be secure, businesses must knock down the walls they’ve built
Websites and apps that come under the care of marketing teams can present a blind spot for IT and security teams, whose core focus is traditionally on servers and infrastructure. However, it’s on these marketing platforms that consumers entrust their data.
Organisations are starting to understand the grave implications of not having this overarching view, but there is more work to be done. Upskilling and creating hybrid teams are key to ensuring that this holistic view of security is possible.
Without web defences, businesses are fighting a losing battle
One year on and we’re still banging the same drum but it’s essential that organisations listen and take action when it comes to website security. The only way businesses can mitigate the risk of a breach is by doing thorough due diligence and implementing the right precautions - from selecting a good team to investing in technology solutions.
The scale of threats across the landscape is a clear sign of what companies are risking by not doing so. AV-TEST Institute reported that 856 million malware variants were created last year alone, and this will rise in the months to come.
Ultimately, it won’t take long for cybercriminals to identify the shortfalls of a digital platform, particularly one where businesses have not demanded rigorous security systems be implemented and consistently updated.
GDPR has exposed the issues that many companies were not even aware of - and other EU laws such as the second payment services directive (PSD2) will likely uncover even further revelations. This, in the long term, is a good thing for data owners and also their customers.
It is companies who are the gatekeepers of customer data and this responsibility needs to be more widely accepted to prevent hacks and align teams to mitigate risk. Those that don’t will become the next data breach victims and face more consequences than just a hefty fine.