2018 was an interesting year, with cybersecurity at the forefront in media. We saw dozens of high-profile breaches (e.g., Facebook, Orbitz, MyFitnessPal) and many more low-profile incidents. Cybersecurity preparedness assessments and testing have become a standard cost of doing business. Ransomware is a household term. The EU’s General Data Protection Regulation (GDPR) went into effect, and we saw the first GDPR enforcement action.
Here are some of the key privacy and security trends to prepare for as 2019 gets underway:
- 2019 is the year of privacy regulations — The California Consumer Privacy Act (CCPA) goes into effect on January 1, 2020, which means companies across the globe will have to develop their CCPA compliance programs this year. High-profile breaches continue to cause Congressional grandstanding in the U.S., which could very well result in a nationwide privacy regulation. Whether or not that comes to fruition, we expect more states to adopt privacy regulations like the CCPA.
- Microsoft Office 365 will continue to be heavily targeted — In the past two years, there has been a steady increase in attacks against Microsoft Office 365 users. While Microsoft has invested significantly in the security of Office 365, many companies aren’t taking full advantage of the available security settings. Attackers typically steal Office 365 credentials and then, if multi-factor authentication (MFA) is in place, look for a login path that MFA does not cover (legacy authentication protocols, which cannot complete an MFA challenge, are the usual route). Next, the attackers download the victim’s full mailbox and use it to target the people the victim corresponds with. We’ve seen dozens of successful attacks in this vein. We expect the frequency of attacks to increase as more companies move to Office 365.
- Major vendors will announce major breaches — We have already seen some major vendors, both large and boutique, announce breaches that have impacted many clients. The trend is likely to continue this year, as more companies have developed detection methodologies that can identify a breach and lead to notifications.
- More acquisition failures will result from cybersecurity incidents — The failure of Colorado Timberline, a private equity-backed printing company that shut down due to a ransomware attack, resulted in the loss of significant investor equity because of the company’s inability to respond to a cybersecurity incident. Even public companies have suffered tremendous valuation consequences due to breaches. Companies that are private equity-backed or in the midst of an acquisition process often underspend on security and necessary IT upgrades to show higher profits and thereby better valuations. Underspending in these areas at prospective portfolio companies, however, increases exposure to attacks that can end in tail events, such as a complete shutdown of the company.
- Major consumer data vendors will be exposed — A myriad of data providers that aggregate consumer data (e.g., location data from mobile apps, purchasing preferences from search results, and demographic/socioeconomic data) will likely be exposed for the data they hold and sell to thousands of clients globally. We have already started to see some of the data exposed through reporting by major newspapers, such as the New York Times. As consumers become more aware of the ability to de-anonymize their personal data, regulatory bodies will push back with new rules and stringent enforcement actions.
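The Office 365 attack chain described above hinges on a login path that MFA does not cover; the usual candidate is a legacy authentication protocol such as IMAP, POP or SMTP AUTH, which cannot complete an MFA challenge, so a successful sign-in over one of them from an unfamiliar address is the pattern to hunt for. The following Python script is an added example, not ACA's code, that looks for that pattern in sign-in log records exported as JSON lines. The field names (`clientAppUsed`, `userPrincipalName`, `ipAddress`, `status.errorCode`, `createdDateTime`) follow the Azure AD sign-in log schema, but the records, the corporate IP allow-list and the protocol list are constructed here for illustration.

```python
"""
Hunt for Office 365 sign-ins that used legacy (basic) authentication.

Legacy protocols (IMAP4, POP3, SMTP AUTH, Exchange ActiveSync, ...) do not
support modern authentication, so a sign-in over them is never challenged
for MFA even when MFA is enforced for the user. A *successful* legacy-auth
sign-in from an address outside the organisation is the signal to triage.
"""
import json
from collections import defaultdict

# Constructed sample records for this example. Field names follow the
# Azure AD sign-in log schema; the users, IPs and timestamps are invented.
SAMPLE_SIGNIN_LOG = """
{"createdDateTime": "2019-01-08T13:02:11Z", "userPrincipalName": "alice@example.com", "ipAddress": "203.0.113.10", "clientAppUsed": "Browser", "status": {"errorCode": 0}}
{"createdDateTime": "2019-01-08T13:05:42Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "status": {"errorCode": 50126}}
{"createdDateTime": "2019-01-08T13:06:01Z", "userPrincipalName": "alice@example.com", "ipAddress": "198.51.100.7", "clientAppUsed": "IMAP4", "status": {"errorCode": 0}}
{"createdDateTime": "2019-01-08T14:17:30Z", "userPrincipalName": "bob@example.com", "ipAddress": "203.0.113.22", "clientAppUsed": "Mobile Apps and Desktop clients", "status": {"errorCode": 0}}
{"createdDateTime": "2019-01-08T15:40:09Z", "userPrincipalName": "bob@example.com", "ipAddress": "192.0.2.55", "clientAppUsed": "Authenticated SMTP", "status": {"errorCode": 0}}
{"createdDateTime": "2019-01-08T16:01:00Z", "userPrincipalName": "carol@example.com", "ipAddress": "203.0.113.10", "clientAppUsed": "Exchange ActiveSync", "status": {"errorCode": 0}}
"""

# clientAppUsed values that mean legacy authentication was used. This is a
# subset chosen for the example; extend it from Microsoft's documented list.
LEGACY_CLIENT_APPS = {
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Exchange ActiveSync",
    "Other clients",
}

# Addresses the organisation recognises as its own (constructed for the example).
KNOWN_CORPORATE_IPS = {"203.0.113.10", "203.0.113.22"}


def parse_signin_log(text):
    """Parse a JSON-lines export of sign-in records into a list of dicts."""
    records = []
    for line in text.strip().splitlines():
        line = line.strip()
        if line:
            records.append(json.loads(line))
    return records


def is_legacy_auth(record):
    """True when the sign-in went over a protocol that cannot do MFA."""
    return record.get("clientAppUsed") in LEGACY_CLIENT_APPS


def find_legacy_auth_successes(records, known_ips=KNOWN_CORPORATE_IPS):
    """Return successful legacy-auth sign-ins, external addresses first.

    errorCode 0 is a successful sign-in; anything else is a failed attempt
    and is left out here (failures matter for password-spray hunting, which
    is a separate query).
    """
    hits = []
    for r in records:
        if not is_legacy_auth(r):
            continue
        if r.get("status", {}).get("errorCode", -1) != 0:
            continue
        hits.append({
            "user": r["userPrincipalName"],
            "ip": r["ipAddress"],
            "protocol": r["clientAppUsed"],
            "when": r["createdDateTime"],
            "external_ip": r["ipAddress"] not in known_ips,
        })
    # External sources first, then chronological within each group.
    hits.sort(key=lambda h: (not h["external_ip"], h["when"]))
    return hits


def users_with_legacy_auth(records):
    """Map each user to the legacy protocols they used, successful or not.

    This is the list to feed into a legacy-auth block: every account here
    still has a client that would break if basic auth were switched off.
    """
    usage = defaultdict(set)
    for r in records:
        if is_legacy_auth(r):
            usage[r["userPrincipalName"]].add(r["clientAppUsed"])
    return dict(usage)


if __name__ == "__main__":
    recs = parse_signin_log(SAMPLE_SIGNIN_LOG)
    for hit in find_legacy_auth_successes(recs):
        flag = "EXTERNAL" if hit["external_ip"] else "internal"
        print(f"{hit['when']} {hit['user']:<20} {hit['protocol']:<20} {hit['ip']:<15} {flag}")
    print("Accounts still using legacy auth:", users_with_legacy_auth(recs))
```

The first query is the triage list: a successful IMAP4 sign-in from an outside address right after a failed one, as in alice's records, is the signature of a stolen password being replayed over a protocol MFA never sees. The second query is the remediation list: before legacy authentication is disabled tenant-wide, every account it returns needs its client migrated, otherwise the block breaks real users and gets rolled back.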
How ACA Can Help
ACA Aponix offers the following solutions that can help protect your company from cybersecurity risk:
- Cybersecurity and technology risk assessments
- CCPA compliance assistance
- Microsoft Office 365 security assessments
- Vendor diligence and management
- Phishing testing and cyber awareness training
- Cyber incident response planning
- Threat intelligence
For more information, contact firstname.lastname@example.org or your ACA consultant.
Upcoming Complimentary Webcast
Join Raj Bakhru, Partner at ACA Aponix on Thursday, January 31, 2019 at 2 p.m. ET for a live discussion on issues and trends from our second annual cybersecurity compliance programs survey, in partnership with the National Society of Compliance Professionals (NSCP).
ACA recently conducted a webcast on key takeaways from 2018 cyber incidents. You can view the replay here: Webcast: Lessons Learned from Recent Cyber Incidents: Google Plus, Facebook, Reddit, and What You Need to Know.
About the Author
Raj Bakhru, CISSP, is a Partner at ACA Aponix, the cybersecurity and IT risk division of ACA Compliance Group. ACA Aponix provides cybersecurity and technology risk assessments, vendor and M&A diligence services, network testing, and advisory services. Prior to ACA’s acquisition of the firm, Raj was Chief Executive Officer of Aponix Financial Technologists, which he cofounded. Before that, he led firm-wide software development and was part of the founding team at Kepos Capital, now a $2 billion global macro quantitative asset manager. Prior to Kepos, Raj served as a Vice President at Highbridge Capital, where he led the team building the firm’s proprietary order and execution management system. In addition, he previously worked on research and cross-asset-class algorithmic trading algorithms and software systems at Goldman Sachs Asset Management’s quantitative hedge funds.
Raj earned his BS in Computer Engineering from Columbia University and has received his CFA charter and his CISSP designation. In the course of his career, he has been frequently quoted in Ignites, HFMWeek, MarketWatch, The Cybersecurity Law Report, and other industry-leading publications on information security in financial services.