From the record-breaking number of data breaches to the implementation of a new European data protection law which has global ramifications, 2018 has proven a memorable year for the cybersecurity industry. And there have been plenty of lessons served up for the industry itself and South African organisations, too.
By Neil Cosser, identity and data protection manager: Africa at Gemalto
2018 marked the introduction of the General Data Protection Regulation (GDPR) in the European Union. While it doesn’t directly affect local companies, any South African company trading with EU partners has to comply with the provisions of that law. And even those which don’t have to comply can learn valuable lessons about basic security from it. There is no doubt that the GDPR will influence legislation in other jurisdictions. Of course, our own Protection of Personal Information (PoPI) Act has its own set of sanctions for infringements of data privacy.
That much becomes clear when one considers just how well compliance has been handled. Or, indeed, if compliance has been handled at all. Despite a lead time of two years to prepare for its inception, many European companies weren’t ready when GDPR hit. Law firm EMW says the Information Commissioner’s Office received over 6 000 complaints in around six weeks between 25 May and 3 July – a 160% increase over the same period in 2017.
When GDPR came into force, there were questions about whether it would in fact hold companies to account. The answer came in the second half of the year, with big companies, including Uber, fined for losing customer data. What 2018 has shown is that the authorities have the power and they’re prepared to use it. South African companies doing business internationally have, in effect, been warned: find out if you are affected by GDPR and if so, find out what you need to do to comply.
In fact, the role of GDPR is to give more power back to the end user about who ultimately has their data, but it also ensures that companies start taking the protection of the data they hold more seriously. Unfortunately, while the issue around protecting data has grown more prominent, the methods of achieving this are still misguided. Put simply, businesses are still not doing the basics when it comes to data protection.
And that much has become clear in multiple domestic data breaches in 2018. In May, it was revealed that the details of nearly a million South Africans who had paid traffic fines were leaked online.
The ViewFines scandal doesn’t stand alone; insurer Liberty Life has had its e-mails hacked. Back in 2017, the Facebook ‘Cambridge Analytica’ scandal reportedly affected more than 60,000 South Africans. Ster Kinekor’s online booking system exposed the details of 7 million customers. And the Master Deeds incident showed that 60 million people had intimate personal data stored in an unprotected database.
The simplest protection is to apply encryption, key management and access control to data, yet too many companies are still not doing it. And it’s not just South African companies, but businesses everywhere (which, to say the least, is disturbing, given the large number of breaches reported every year).
In Gemalto’s latest Breach Level Index results for the first half of 2018, only 1% of data lost, stolen or compromised was protected through encryption. This basic measure is so essential because the use of encryption renders the data useless to any unauthorised person, effectively protecting it from being misused.
That’s why encryption is part of the GDPR regulation. Not only does it help any affected South African businesses avoid fines, but it is good practice for every organisation (and supports PoPI). With such a large percentage still unprotected, businesses have clearly not learned their lessons.
So, moving on from last year, what might the next 12 months bring the security industry? Based on the way the industry is moving, 2019 is set to be an exciting year as AI gains more prominence, and quantum and crypto-agility start to make themselves known.
- Quantum computing puts pressure on crypto-agility – 2019 will see the emergence of the future of security – crypto-agility. As computing power increases, so does the threat to current security protocols. One notable example here is encryption, the static algorithms of which could now be broken. Crypto-agility will enable businesses to employ flexible algorithms that can be changed, without significantly changing the system infrastructure, should the original encryption fail. It means businesses can protect their data from future threats including quantum computing, which is still years away, without having to tear up their systems each year as computing power grows.
- Hackers will launch the most sophisticated cyber-attack ever using AI in 2019 – Up until now, the use of artificial intelligence (AI) has been limited, but as computing power grows, so too do the capabilities of AI itself. In turn this means that next year could see the first AI-orchestrated attack take down a FTSE100 company. Organisations must prepare themselves by embracing the technology itself as a method of hitting back and fighting fire with fire.
- Growing importance of digital transformation will see the rise of Cloud Migration Security Specialists in 2019 – As organisations embrace digital transformation, the process of migrating to the cloud has never been under more scrutiny; from business leaders looking to minimise any downtime and gain positive impact on the bottom line, to hackers looking to breach systems and wreak havoc. As such, 2019 will see the rise of a new role for the channel – the Cloud Migration Security Specialist. As companies move across to the cloud, they will be especially vulnerable during the migration process itself. The channel has a role to play in educating companies that they’ll need help protecting themselves from threats. It’s these new roles that’ll ensure the channel continues to thrive.
A boardroom issue that needs to yield results
This year is going to be another big one no matter what happens, as companies still struggle to come to terms with regulations (like GDPR, but also PoPI and other applicable regulations in territories with which South African businesses trade).
With growing anticipation around the impact of technologies like quantum and AI, it’s important that companies don’t forget that the basics are more vital than ever.
So, while 2018 has been the year where cybersecurity finally became a boardroom issue, 2019 needs to be the year where its importance filters down throughout the entire company. It is vital that cybersecurity awareness is actively endorsed by board and executive management in order to ensure buy-in. Even then, breaches will continue to occur, but maybe 2019 could be the year the industry starts to turn the tide against the hacking community.