What will be the next big infosec issue?
Major cycles in cybersecurity come and go. Several years ago, we were covering nonstop stories about things like the payment card industry (PCI), thanks to mega breaches like Target and Home Depot. Payment terminal security was also a dominant trend…back when people still went into retail stores. These concerns naturally still exist, but these days ransomware has positioned itself as a front-and-center crisis for cybersecurity. According to Nick Economidis, VP of eRisk at Crum & Forster, a likely candidate for the next trend centers on data collection and usage.
“We’re already starting to see this storm in the form of class action lawsuits arising from the collection of biometric information in the state of Illinois,” he says. Of course, biometrics is just one example. Data regulations around the world, from GDPR to CCPA, have introduced complex new wrinkles into how organizations must handle user data. Just as legal frameworks caught up with PCI, Economidis predicts ransomware will become more manageable in the future as well, leaving data collection as the next challenge. We have already seen GDPR levy penalties against Facebook, and other big targets will likely be pursued as regulators look to make examples and firmly establish precedents. What will constitute fair collection and use of data? What practices need to be abandoned? How will cyber insurance expand, as it always does, to encompass new standards? Questions like these will need to be addressed in the coming years.
As companies move forward and attempt to grapple with the new state of affairs, it will also be crucial to consider, and possibly reconsider, their approach to security on the whole. Writing for Forbes, Darren Gallop relates a story in which his company once lost out on closing a major deal at the last minute because it hadn’t adequately addressed the customer’s cybersecurity concerns. Experiences like this show that cybersecurity cannot be an afterthought for any entity. Policy, investment, and training must be part of the plan from inception. The right approach will vary for everyone, depending on factors like the industry in question, company size and current growth position, customer location and applicable local regulations, or the type of data processed and the compliance involved.
Attempting to add cybersecurity in as an extra ingredient after the dough is already baked will more than likely lead to a fruitless scramble. Given the various factors to consider, it’s important for business leaders to get out in front of the issue, anticipate future concerns, and prepare accordingly.