Preparing for the inevitable – what 2018 taught businesses about data protection


Around this time last year, commentators across the industry predicted that 2018 was going to be the ‘year of data protection’, and it was. Even halfway through the year, we had seen a number of high profile data breaches and the public’s awareness of the value and vulnerability of their sensitive data skyrocketed.

For cybercriminals, the landscape improved: for as little as R18,000 worth of cryptocurrency, the black market offered them the capability to scale the digital perimeter of practically any target they chose. Attacks are changing, cybercriminals are using social engineering to prey on the weaknesses of the humans within organisations, and the endless variety of 2018’s high-profile data breaches brought home the ever-increasing threat to businesses globally. Beyond that, the past year made it clear that attitudes to data privacy and protection needed a fundamental overhaul.

GDPR and PoPI – no turning back

It is impossible to address the topic of data protection in 2018 without referencing the General Data Protection Regulation (GDPR), which came into force on 25 May. It is undoubtedly the biggest overhaul of the intricacies of protecting data in Europe, and it has had far-reaching consequences for any company handling the personal data of EU citizens. Seen as a gold standard for personal data privacy, this regulation is something we can expect governing bodies across the world to emulate as the discussion around personal data protection races to the top of the business agenda. South Africa, for example, is awaiting the imminent rollout of the Protection of Personal Information (PoPI) Act, which is largely based on GDPR.

Undoubtedly, the 25 May deadline was a significant moment for data privacy in 2018, but despite the noise, debate and uncertainty in the lead-up to it, the sky did not fall in as the law came into effect. In the weeks that followed, businesses were still waiting to see the true fallout and the first high-profile victims. Arguably, it was two other events this year that had the greatest impact on the way businesses perceive data security and personal data privacy.

The fortress is breached

The real turning points in 2018 were the highly publicised data breaches at Facebook and Google in September and October respectively. Despite both firms’ existing history of scrutiny over user data usage and privacy, it was these unexpected and widespread data breaches that had the most noticeable impact.

What became immediately obvious for businesses around the world was that this could happen to anyone. Even the largest, most powerful, most influential, and most securely built organisations could find themselves breached through minor errors. As we round off 2018, it is these breaches that have brought home the reality of the threat, and the inconvenient truth that a data breach is almost an inevitability in a business’s future.

The paradigm shift

The key is not the possibility, but rather the inevitability, of a data breach. What we are beginning to see is a different way of thinking about protecting data, avoiding breaches, and complying with legislation. Until this year’s data privacy revolution, businesses focused on bolstering their perimeter security, firewalls and network security, doing everything they could to stop attackers getting in or data getting out. This is still a necessary precaution, but as we have seen, data breaches can happen in all kinds of ways, they involve human as well as technological targets, and they can happen to even the most secure companies and organisations.
There must now be a shift from focusing solely on prevention before a breach happens to preparing for the day after the inevitable breach. If businesses accept this inevitability, something must be done with the data itself.

The ‘get out of jail free’ card

Returning to GDPR: Few would deny that it is a long and complex piece of regulation but many businesses that view compliance as impossible are missing one stand-out moment of clarity within the regulation relating to data encryption.

Clause 3 of Article 34 of GDPR states that in the event of a personal data breach, a business is not required to communicate the breach to the affected individuals if measures such as encryption have been applied to render the breached data indecipherable. Encrypted data is stored as what appears to be random and meaningless binary, so if this data finds its way outside the organisation, it is of no use to anyone. To put it simply, if breached data is sufficiently encrypted, it is practically immune to the definition of a data breach under GDPR.

The ramifications are a welcome development, and even though other regulations such as PoPI do not contain this clause, it is advisable for businesses in South Africa to start considering encrypting their data while they await the regulations coming into force. Thinking once again about the day after a breach: if a business can be confident that it has applied encryption to all the personal data it holds, at rest and in flight, the horror stories of fines, lawsuits, and crippling reputational damage are immaterial.

2019 – The tipping point

Looking forward to the year ahead, as we shift towards mitigating the damage of an inevitable breach, I foresee that it will take another high-profile event to cement the importance of this practice in the minds of businesses. We are very likely to see the first large-scale lawsuit against a major company or institution found to be non-compliant under GDPR as the result of a catastrophic breach of unencrypted data. It will be the cold, hard monetary figure of the GDPR fine that kicks businesses into action globally to do more to protect users’ data.

Since end-to-end encryption of data will become a necessity rather than an option in 2019, organisations, not just in the EU but around the rest of the world, must start to think differently about their data protection strategies. Only with this shift in mindset will businesses have a robust data protection strategy in place, one that not only secures data in flight but also builds a security platform that is ready for the future.