Horizons Spring/Summer 2019

Cyber security in the next decade will bring new threats, increased regulation, a convergence of privacy and security, a talent shortage and a landscape littered with organizations that fail, organizations that prepare and survive, and organizations that are vigilant and thrive.

Increasing Threats

Cyber criminals have a multi-billion-dollar-per-year business based on convincing people to send them money, personally identifiable information and intellectual property. The fraudulent activity will continue to adapt to technology, morphing attacks from email to text and social media, attacking smart phones in greater numbers and infiltrating the Internet of Things. Fraud isn’t new and the scenarios aren’t new, but every new technology development will be analyzed and the attacks changed to take advantage of faster, broader, more invasive communications, and the criminals will continue to take advantage of the unprepared. Criminals will steal, block, disrupt, misdirect and subvert anything left unprotected. We may change the words from ransomware to cyber kidnapping or wire fraud to cyber theft, but information, money and intellectual property remain the targets. Predicting new threats only gets us so far. If the end goal is still information and money, there are ways to prepare your organization to survive, and for those willing to invest the resources in ongoing vigilance, there are ways to thrive despite increasing threats.

Increased Regulation & Convergence

The implementation of the General Data Protection Regulation (GDPR) in the European Union (EU) was quickly followed by other countries employing similar rules, along with individual states in the U.S. including Oregon, North Carolina, Virginia, Washington, Colorado and California. Combined with state-level rules like the New York Cyber Security Regulation, increased rigor in the credit card (PCI DSS) requirements, greater focus on healthcare security rules (HIPAA Security Rule) and new breach reporting requirements designed to improve consumer protections across the United States – privacy, security and breach reporting are converging.
Right now, it still requires a matrix to map all the requirements to account for the citizens of each state, data subjects present in the in-scope areas, the different breach response requirements, and decision points based on how an organization operates and what kind of information it collects, creates, processes, transmits and stores. During the next decade, it is expected that additional state-level legislation will be consolidated in federal government regulations addressing the handling, protection and reporting of personally identifiable information. Across the existing and upcoming rules, the focus is on requesting permission (e.g., opt-in) to collect personal information, limiting the collection of personal information to what is needed, keeping only the information necessary and then destroying the information when no longer needed or upon request.
