As the year draws to a close, it’s tempting to reflect on the major developments that helped shape 2019. But in the technology industry—and most of all, the cybersecurity industry—we look to the future, not the past. This week, several members of Egress’ senior leadership team sat down to talk about the trends and challenges they expect to emerge in 2020. As breaches become increasingly common and costly even as legislation like CCPA takes effect, it’s important to understand what to expect in the new year.
Moderator: Thank you for being here to discuss your thoughts on what we can expect over the coming year in the world of cybersecurity. At the table we have Egress CEO Tony Pepper, CPO Sudeep Venkatesh, and CTO Neil Larkins. I want to start out talking about the California Consumer Privacy Act (otherwise known as CCPA). As you well know, it will take effect in 2020, and businesses operating in the state of California will need to be compliant when it does. Can you talk about the effect these new data privacy laws are having on the market?
Tony Pepper: Of course. Consumers’ data privacy rights are gaining a lot more household awareness, which is why this sort of legislation has been so sorely needed. When CCPA goes into effect in January, we’re going to see a sweeping reaction across the U.S., particularly as states like Nevada and New York look to be quickly following in California’s footsteps with legislation of their own. CCPA isn’t something that’s going to go away, and businesses can’t risk taking the consequences of noncompliance lightly.
Next year we expect organisations to take some much-needed steps toward data compliance—even as the cost of compliance increases thanks to these new laws. Much like when GDPR first took effect in Europe, there are two schools of thought with CCPA: acceptance and denial. Some organisations have proactively joined the conversation, while others sit in the “wait and see” camp. It’s no secret which camp will be more successful, though—organisations that deploy data security technology-based classifications with AI-driven systems (as opposed to manual processes) will have the best outcomes.
Neil Larkins: Yes, and to your final point, the reason is because those manual, human-driven processes remain vulnerable to human error. People aren’t going anywhere, and as long as people are in organisations, data breaches will continue to happen. The human factor is going to become increasingly evident in 2020, because the reality is that your company has better odds of an employee making a mistake than it does of encountering a hacker.
New applications like Slack or Microsoft Teams continue to be introduced to workplaces, and each new application brings new risk factors and new opportunities for employees to make the sort of mistakes that can lead to financially and reputationally damaging breaches. Putting a stop to these insider data breaches will be an even bigger priority for CISOs and other security professionals next year.
Moderator: I’d like to dig into that a little deeper. A lot of those tools, especially Slack, have been widely adopted because they facilitate easier communication in the workplace and across departments. Is there a way to balance risk management and effective communication?
Sudeep Venkatesh: People are communicating and collaborating digitally at unprecedented levels, and employees are going to keep relying on tools like email and other applications as easy mechanisms to share information—and that includes sensitive data. Making email, in particular, safer for employees will become a greater priority for companies in the new year. We have seen and will continue to see developments in machine learning and advanced DLP technologies that can determine the risk of a data breach in real time, and hopefully prevent unauthorised disclosure and enforce security for assured compliance.
It has been interesting to see the “one-size-fits-all” approach to security continue to struggle. That sort of limited approach has led to more data breaches than ever before as people often find ways around using difficult or complex solutions. When we talk about streamlining communication, part of that means moving beyond onerous enrolment and sign-in processes, and we expect to see more enterprises trying to lower the barrier around authentication even as they improve the security around accessing content. Be on the lookout for smart authentication that focuses on human behaviour as opposed to the traditional multi-factor authentication strategies that we see today—all in the interest of reducing employee friction.
Moderator: Thank you, Sudeep—that’s an interesting way to frame the problem. Before we finish, I want to return to Tony for a moment to discuss one last data privacy point—specifically SARs [Subject Access Requests]. You’ve said in the past that this actually creates its own set of data security problems. Can you touch on that in relation to CCPA?
Tony Pepper: Yes, so, to give a brief overview, CCPA compliance and the threats I discussed a moment ago tend to get most of the attention when you’re talking about the law, but under CCPA and, actually, GDPR in Europe, citizens can request their private data. It’s called a Subject Access Request. It is mandatory for that data to be provided to them, which is potentially costly for businesses and also gives consumers much deeper visibility into the data collection process.
But what people don’t consider is that sending that data exposes it to risk: via potentially unsecured personal inboxes or filesharing services, for example. We expect that next year we will begin to see an entirely new category of data breaches - 'compromised citizens' as a result of SAR requests—when gigabytes of sensitive behaviour and social data are accessed by attacks on citizens’ own systems more directly. This could wind up having the opposite effect that GDPR and CCPA originally intended, which is a matter of real concern - and certainly something to keep an eye on.
Moderator: Thanks, Tony. And thank you all for taking the time to sit down and discuss what the cybersecurity industry can expect from 2020. We look forward to seeing what the new year has in store for Egress!