Why Regulations Are Not Enough And Businesses Have To Make Data Security A Top Concern
Given the fundamental role of digital systems and the data economy we live in, why is cybersecurity not yet a top priority? Isn't the rise in global data breaches an indication of where we are heading?
These questions are not easy to answer, but currently companies face no penalties, or only limited ones, for poor protection of data as long as nothing is hacked or leaked. Cybercrime is on the rise, the sophistication of attack methods is growing every day and threats are increasing, not only for large corporations, which have more solid infrastructures in place. So aren't we moving towards a future where businesses will have to possess adequate solutions to protect their architecture in order to avoid fines, and to avoid losing brand image and reputation and therefore customers, ergo money?
The answer is clearly yes. At the same time we see that regulations and laws in this area are currently trying to catch up globally, for example with the introduction of stricter data protection regulations such as the EU's GDPR, Brazil's LGPD or California's CCPA. Yet even where these laws apply, businesses clearly struggle to adapt due to a lack of knowledge, resources and, fundamentally, adequate solution offerings on the market. Sadly, this often leads to businesses ignoring this important topic and consciously accepting the risk of the negative impacts mentioned above.
A recent report stated that cybercrime will damage the global GDP by $6 trillion in 2021, becoming the fastest growing crime in the world. And while criminals are increasingly moving online, as that is where the real money is, it will come as no surprise to anyone that spam makes up over 50% of email traffic globally. At the same time, ransomware against companies is showing worrying trends, especially for small and medium sized enterprises, which in general cannot afford the investment in adequate security solutions and which fall victim to ransomware attacks every 14 seconds on average.
Knowing all this, the question arises: who should be responsible? Our governments? Businesses? Consumers themselves? This is hard to answer, as all parties are involved. But in the end the responsibility to safeguard all that information lies with the companies storing, sharing and processing their consumers' data. Our data. This means that companies, and not only their IT departments, need to understand the implications of handling sensitive client data, along with the legal and regulatory implications of cyber threats, including identifying which risks to avoid, which to accept and which to mitigate.
For companies, this means not only having the right tools in place to tackle the data security challenge but also training the weakest link in their security: staff. The first line of defence against many attacks is simply to educate employees, ensuring that all are well trained in cybersecurity best practices such as recognising phishing, handling data sharing, keeping software updated, using unique and strong passwords and enabling two-factor authentication. Yet human nature implies that people, and hence companies, tend to make mistakes before they learn, which in general proves to be too late, especially when handling other people's sensitive data. Taking this into consideration, employee training alone is simply not enough. Technological solutions are required to mitigate the risks at all levels and avoid the billions of records that are leaked every year.
A quick fix would be to adopt a 'cybersecurity by design' framework, which provides a company with a holistic set of pragmatic guidelines enabling an organisation to consider the full remit of protection and processes that should be in place to cope with the ever-present avalanche of cyber threats. Cybersecurity by design rests on a number of core principles, but ultimately it makes the detection of compromises simpler by enabling companies to be more proactive about cyber threats.
For businesses this means that they can collect all relevant security events and logs, design simple communication flows between components, detect malware command and control communications, make it difficult for attackers to discover security rules through external testing, and react more rapidly in case of an attack. In the end, though, companies will need a bullet-proof, compelling toolkit comprising several cybersecurity and compliance features built around strong encryption technology, making it foolproof for users while adhering to a set of principles and using security software that an attacker cannot easily circumvent.