Beyond GDPR: The Changing Nature of Privacy and the Growing Cyber Threat
As the deadline looms, companies are scrambling to ensure they are compliant with the new GDPR regulation, but are we missing the bigger picture? ISACA Scotland explored the changing nature of privacy and the growing threat to personal data at the organisation’s Beyond GDPR event in Edinburgh last week.
While attitudes to and understanding of the new General Data Protection Regulation (GDPR) vary widely across the UK, a growing number of companies and organisations are ensuring that they’re ready for the May 25th deadline.
At last week’s ISACA Scotland event, which took place at a packed RBS Gogarburn conference centre, the focus was not on the detailed implementation of data protection rules and reporting; instead the speakers took a step back and considered the environment into which GDPR is being introduced.
The key theme of the evening was change. Technology is evolving incredibly quickly, the threat to data is increasing, businesses’ appetite for risk is dropping and the legislators are playing catch-up. Into this already volatile ecosystem, GDPR will introduce an entirely new way of looking at data and the roles and responsibilities of the organisations which control it.
Hazel Moffat, DLA Piper
The first speaker of the evening was Hazel Moffat, head of litigation and regulatory at DLA Piper. Hazel noted that attitudes to privacy are changing incredibly quickly. Alongside the evolution of technology, generational change is playing a major role in those attitudes.
What older users might consider completely inappropriate may not bother millennial and younger consumers in any way. The trade between data and free services is something the younger generation seems far more comfortable with – for now. Privacy may not be dead, but the notion of what privacy is continues to change on an almost weekly basis.
The theme of change continued. Hazel started with an outline of the technologies which are changing the face of privacy, citing Artificial Intelligence (AI), big data analytics and the Internet of Things (IoT) as significant disruptors. Added to that, the regulatory landscape is also changing significantly as governments and legislators attempt to secure infrastructure and open data up to innovative new business sectors. In addition to GDPR, businesses in the UK will also need to understand and balance the requirements of the Networks and Information Systems (NIS) directive, designed to protect national infrastructure, and of PSD2 and MiFID II in the financial markets.
More Data, More Breaches, More Litigation
Hazel also touched upon the changing nature of the threat. More and more companies are suffering from major data breaches, losing more and more customer data. The first six months of 2017 saw more data lost than in the whole of 2016. As these breaches grow ever more serious, more executives and directors are paying the price, with senior and board level staff losing their bonuses, losing their jobs and increasingly finding themselves in court, with lawsuits around privacy and data breaches becoming more common.
Focus and flexibility are the key to staying ahead of the changes, said Hazel. Ensure your company understands the risks it faces and be prepared to deal with the “when” something happens, not the “if”. If you can show you took all of the appropriate precautions and had all of the necessary procedures in place, you will live to fight another day.
Richard Hollis, Risk Crew
Richard Hollis, the director of Risk Crew, was the second speaker of the evening. Talking about ‘What’s next?’ beyond GDPR, Rich focused on the difference between ‘data’ and important information which affects people’s lives. He argued that by abstracting data out and not considering the fact that it represents a real person, we all too often fail to care enough about that data and, as a result, allow it to fall into hands where it can do great harm.
One major reason for the apparent disregard for information about people’s real lives is the simple fact that data = money and, as Rich put it, personal data = more money!
The changing nature of the threat was a major topic for Rich. A veteran of the security scene, he lamented the days when the biggest threat was spam e-mail. These days, he noted, there’s no real boundary around data. Thanks to the cloud, WiFi and personal devices, information online has never been more accessible – or insecure.
Rich highlighted the terrifying fact that the threat actors too have changed, grown and evolved. While script kiddies and rogue employees may still be a threat, one of the biggest changes is the fact that nation states are now increasingly responsible for a number of attacks.
“Are they on your risk register?” asked Rich, because the next attack you face may be state-sponsored espionage or a weaponised Advanced Persistent Threat (APT).
More Data Lost Than People in the World
Vendors too came in for criticism. If the hardware and software your data uses are not secure, patched, updated and trustworthy, then you are starting from a position of weakness.
Rich followed by pointing out that since 2013 the world has had 9.74 billion data records stolen. Given there are only around 7.6 billion people in the world today, the scale of the threat and the challenge of securing data already seems beyond our grasp.
When new technologies such as drones armed with packet sniffers, which can suck all of the personal device data out of a building by flying over it, meet new data capture devices such as medical or brain implants, the ability of threat actors to capture data and find new attack vectors just keeps growing.
The Changing Nature of Data
The types of data being captured and stored are changing. From basic, anonymised information, which identifies types of people, we’re now getting to a point where your data, which is unique to you, may be at risk. Rich related a story about a heredity site offering free subscriptions to anyone who would provide them with a mouth swab, effectively capturing that individual’s unique DNA sequence. People were, reported Rich, “queuing up” to get their subscriptions, having no idea what would be done with that data, how it would be stored or who might eventually have access to it (even without it being breached or compromised).
Anatomy of a Revolution
GDPR may, suggested Rich, be the start of a revolution in which the value of data is recognised, and which could start to build the infrastructure that realises the value of personal data and its significance to each human being on the planet. The focus on the consumer and the rigorous monitoring of those responsible for data, along with serious financial and criminal consequences, could mark the beginning of a new era.
For many in the audience, shocked by Rich’s presentation, the feeling could be that May 25th can’t come soon enough.
ISACA Scotland are to be congratulated; the Beyond GDPR event was a valuable reminder that we exist in a world which is constantly evolving and in which the growing amount of data we generate, store, share and voluntarily give up could have enormous long-term consequences.
Without succumbing to the hysteria and hyperbole which is starting to emerge in some sectors, Beyond GDPR provided attendees with a great overview of the changing nature of privacy and the ways in which the real world is changing when it comes to the information valuable to you and your family.
The one constant is change. If you can’t see it coming and you cannot adapt, you’re not going to survive.
Kevin Murphy, the President of ISACA Scotland, told DIGIT: “The sheer numbers in attendance reflect how seriously the business community are considering how best to secure personal information in their estate; this was great to see!
“I was also delighted by the reception our fantastic speakers received. It is testament to the strength of the Scottish Chapter and wider technological community that we can attract speakers of international renown.”