As I have written about many times before, the Cybersecurity Threat Landscape is constantly changing.  In fact, it has become so dynamic that even IT Security teams simply cannot keep up with the influx of alarms and data that is coming in.

That is why many organizations in Corporate America are now seriously thinking about deploying more sophisticated means of automating all of this, simply so that they can keep up.

One such tool is Artificial Intelligence.  This is an area of computer science that is gaining a lot of attention lately and is becoming the big buzzword in many industry circles.  The idea is that AI can help with task automation, and once enough data has been fed into it, it can even learn and predict future outcomes as well.

Although there are AI tools out there, many of them have still not reached the point of maturity where they can take over an entire process.  They can only augment it.

Another area where the Cybersecurity Threat Landscape is feeling an effect is in the rules and regulations that are being adopted worldwide to secure Personally Identifiable Information (PII) and to bring Cyberattackers to justice.

For example, countries in the APAC region such as Thailand and Vietnam have adopted strict laws governing Internet censorship.

Even here in the United States, one of the most recent laws was passed by the state of California.  It deals with securing IoT (Internet of Things) products, and mandates certain penalties if vendors do not comply with the standards that have been set forth.

But one of the regulations that has received the most attention as of late is the GDPR, an acronym that stands for the “General Data Protection Regulation”.

Essentially, the basic premise of this regulation is to protect the PII that is stored in the databases of any kind of business entity, no matter how large or how small it may be.  The bottom line is that this kind of data is there, and it must be protected at all costs.

Under the GDPR, many organizations are subject to audits and other forms of scrutiny to make sure that they are following the rules.  If they are not, the penalties can be quite harsh: the regulatory body conducting the audit can impose a fine of up to 2% of the organization’s profit.

While this regulation was designed to protect the citizens of the European Union (EU), it applies to every business that operates there, even if its base of operations is headquartered in a different country.

For example, if Company ABC has its headquarters in Chicago but also has affiliate offices in Europe, then it too is subject to the GDPR.  But despite its dominance and the fear it is supposed to strike, its impact on the end user (the people who submit their PII to an organization; for example, when they purchase a product from an online store, their credit card information is stored in that store’s databases) is still not being felt.

To a certain degree, this is substantiated by a very informal survey conducted by Tripwire, in which 400 people were polled on Twitter.  Here are some of the findings from it:

* 22% of them believed that companies still do not care about protecting their information and data;

* Only 52% believed that some change will occur;

* 42% of the respondents felt that the fines imposed by the GDPR are too low;

* 43% of the people polled felt the fines were just right.

But the most startling statistic is that a whopping 71% of them felt that their data is not any safer since the passage of the GDPR and the fines it has imposed thus far.  And there have been some serious penalties: $224 million for British Airways and $124 million for the Marriott Hotel Group.

My Thoughts on This

I must be honest; I am quite surprised by these findings from the survey.  To me, the fines imposed are quite substantial, but maybe to these huge businesses they are still chump change.

I can tell you one thing: if the same levels of fines were imposed on an SMB, they would be very quick to remediate and become compliant for the future, or they would simply be wiped out.

I guess it all depends on how much money is involved, and what can be afforded until a real loss is felt.  In this regard, there was another interesting finding in this survey:  organizations want to quantify what level of security breach they can tolerate before any fines or penalties are levied.  My opinion on this is: why should it matter?  Being proactive on security is a must, and there should be no questions asked about this.

The fact that this was even raised indicates to me that businesses, both in the EU and here in the United States, really do not care if they lose any type of PII.  Many of them still do not grasp the true cost of a Cyberattack, or for that matter, the indirect costs that can be felt.

One of these types of risks is “Reputational Risk”, which was the topic of yesterday’s blog.  In fact, another survey I wrote about had a similar finding, which only provides more substance for my hypothesis.  But from the standpoint of the consumer, it is important to keep in mind that any laws or regulations that have just been passed will take years before their full effect is felt.

The primary reason for this is that there is no legal precedent for them; in fact, they are creating the precedent themselves.  As a result, there is this extra lag time.  A sharp criticism of these new laws and regulations is that they are too slow to adapt to the ever-changing threat landscape.  This is of course to be expected, as they would have to be updated on an almost daily basis.

And as we all know, the governments of the United States and the EU, as well as their lawmakers, are simply too slow at formulating and enacting new laws on a timely basis.  But in a way, this could also be beneficial, because it gives these new laws and regulations time to fully mature and be tested, so that some sort of legal precedent can be established for future legal cases.

In the end, it is in the best interest of organizations to be proactive about being compliant – after all, just like the IRS, you never know when you could be hit with an audit.