The ISF believes the number of data breaches will grow in 2017, and so will the volume of compromised records. The data breaches will become far more expensive for organizations of all sizes, Durbin says. The costs will come from traditional areas such as network clean-up and customer notification, but also from newer areas like litigation involving a growing number of partners.

In addition, public opinion will pressure governments around the world to introduce tighter data protection legislation, which in turn will introduce new and unforeseen costs. Reform is already on the horizon in Europe in the form of the EU General Data Protection Regulation (GDP) and the already-in-effect Network Information Security Directive. Organizations conducting business in Europe will have to get an immediate handle on what data they are collecting on European individuals, where it’s coming from, what it’s being used for, where and how it’s being stored, who is responsible for it and who has access to it. Organizations that fail to do so and are unable to demonstrate security by design will be subject to potentially massive fines.

“The challenge in 2017 for organizations is going to be two-fold,” Durbin says. “First is to keep abreast of the changes in regulations across the many, many jurisdictions you operate in. The second piece is then how do you, if you do have clarity like the GDP, how do you ensure compliance with that?”

“The scope of it is just so vast,” he adds. “You need to completely rethink the way you collect and secure information. If you’re an organization that’s been doing business for quite some time and is holding personally identifiable information, you need to demonstrate you know where it is at every stage in the lifecycle and that you’re protecting it. You need to be taking reasonable steps even with your third party partners. No information commission I’ve spoken to expects that, come May 2018, every organization is going to be compliant. But you need to be able to demonstrate that you’re taking it seriously. That and the nature of the information that goes missing is going to determine the level of fine they levy against you. And these are big, big fines. The scale of fine available is in a completely different realm than anyone is used to.”

Brand Reputation And Trust Are A Target

In 2017, criminals won’t just be targeting personal information and identity theft. Sensitive corporate information and critical infrastructure has a bull’s eye painted on it. Your employees, and their ability to recognize security threats and react properly, will determine how this trend affects your organization.

With attackers more organized, attacks more sophisticated and threats more dangerous, there are greater risks to an organization’s reputation than ever before,” Durbin says. “In addition, brand reputation and the trust dynamic that exists amongst customers, partners and suppliers have become targets for cybercriminals and hacktivists. The stakes are higher than ever, and we’re no longer talking about merely personal information and identity theft. High-level corporate secrets and critical infrastructure are regularly under attack, and businesses need to be aware of the more important trends that have emerged in the past year, as well as those we forecast in the year to come.”

While most information security professionals will point to people as the weakest link in an organization’s security, that doesn’t have to be the case. People can be an organization’s strongest security control, Durbin says, but that requires altering how you think about security awareness and training.

Rather than just making people aware of their information security responsibilities and how they should respond, Durbin says the answer is to embed positive information security behaviors that will cause employees to develop “stop and think” behavior and habits.

Successfully doing so requires understanding the various risks faced by employees in different roles and tailoring their work processes to embed security processes appropriate to their roles.

Source: CSO