This time of the year is always a good moment to pause and take stock of what has gone before. For IT and security leaders, there’s been plenty to digest, from new data protection compliance requirements to escalating breach volumes. Several Australian companies were most recently on the receiving end of attacks, although the truth is that no organization worldwide is safe from threat actors today.
The following nine stories should provide some useful lessons learned that enterprises can use to draft their cybersecurity and privacy strategies for 2023 and beyond:
- PCI DSS compliance remains critical: The PCI Security Standards Council (SSC) released the long-awaited version 4.0 of its Data Security Standard (PCI DSS) in March 2022. Behind it are some laudable aims: to promote security as a continuous process rather than a check-box exercise, and to encourage a security-by-design culture in organizations. As organizations look to meet the standard’s requirements, they’ll once again note that data encryption or tokenization of card data can reduce PCI DSS compliance costs and risk exposure.
- The regulatory landscape is increasingly fragmented: Where once there was just the GDPR, now there are dozens of lookalike regulations governing data security and privacy. These now extend to the MENA region, where Saudi Arabia and the UAE both introduced personal data protection laws this year. However, compliance officers should note that there are many regional differences. In Saudi Arabia, for example, breaches must be notified “immediately” and serious infractions could result in jail time for execs. Applying protection directly and continuously to customer data has never been more important.
- Healthcare continues to be a major target for attacks: Ransomware actors caused yet more misery for healthcare providers across the globe this year, stealing sensitive data and interrupting potentially life-saving services. These organizations are also exposed by their technology partners. One attack on an NHS software supplier earlier this year continues to cause problems for the health service’s critical NHS 111 service.
- Double extortion made data protection a critical control: Today, ransomware actors don’t just deploy a ransomware payload to scramble data, they steal it first in an attempt to force payment. Research released this year found that 66% of organizations had suffered a compromise over the previous 12 months. With double extortion now the norm, organizations must combine regular backups with strong data encryption, to mitigate the impact both of ransomware and data theft.
- Financial services is a huge draw for threat actors: Healthcare wasn’t the only sector on the hit-list for threat actors this year. One report warned that financial services firms would face ransomware, supply chain attacks and zero-day vulnerability exploits this year. Once again, the key for organizations in the vertical is to apply protection directly to the data, and to ensure it happens across all environments, including the cloud.
- The insider threat is greater than ever: Employees are often described as the weakest link in cybersecurity, and research out this year seemed to support this judgement. It revealed that 40% of employees believe that following security best practice is not their responsibility. With the risk of something going wrong heightened by home working, organizations would do well to rethink their security controls. Adding encryption to the mix can mitigate the risk of accidental leakage, or of a breach resulting from poor IT hygiene.
- Data breaches are more expensive than ever: IBM’s annual report revealed surging costs associated with the average data breach globally: to nearly $4.4m per organization. However, there was some good news lurking within the study. If organizations deploy data-centric security as part of “mature cloud security practices” such as data classification schema, organizations could save as much as $720,000 per average breach, the report claimed.
- NIS 2 is coming: The compliance work is never done for organizations. The latest set of regulations to rear their head this year related to the EU’s second directive on the security of network and information systems (NIS 2). It’s larger in scope than its predecessor, taking in a new set of sectors and organization types, and could levy non-compliance fines of up to 2% of annual turnover, or €10m, whichever is higher. Strong encryption is now part of a NIS 2-mandated set of enhanced security requirements.
- Cyber is the number one business risk of 2022: This year’s Allianz Risk Barometer was only the third in its 11-year history in which “business interruption” has not topped the list of business risks. Instead, it was cyber incidents. Data-centric security should form part of any organization’s efforts to mitigate such risks, by ensuring that even if customer information or trade secrets and IP are stolen, they will be rendered useless to attackers.