What is the current environment in digital risk management? According to panelists at the NetDiligence Virtual Summer Summit, the two hot items are the COVID-19 pandemic and the rapid expansion of data privacy regulation. During the panel “Digital Risk Management: Lessons Learned in the Current Environment,” moderator Kara Owens (Markel) was joined by Andreas Kaltsounis (BakerHostetler), Nick Graf (CNA), and Sarah Kahler (RSA) for a look at current trends and predictions for the future.
Even before the COVID chaos began, some clear trends were emerging in 2020. For example, Kaltsounis described a general shift in the way that regulators are placing accountability for breaches. Companies that previously attempted to label account takeovers as a user problem are finding that they are increasingly expected to take responsibility, especially if they deal in sensitive data or processes. Kahler added that the increasing sophistication of ransomware attacks has pushed companies to focus on resilience rather than simple recovery.
The COVID environment has created another host of technical and personnel issues. Graf noted the difficulties inherent in keeping remote devices updated and patched, and the risks of relying on a workforce whose home-based distractions might make them more vulnerable to social engineering. At the same time, regulators operating under the new CCPA and the GDPR seem mostly unwilling to accept the pandemic as an excuse for delayed action after a breach.
Now that the early days of pandemic chaos have settled down, what might be the long-term effects? Owens speculated that work from home could be here to stay. The savings to companies, which suddenly see the potential for a reduction in real estate needs, and the positive environmental impacts, in the form of reduced emissions from commuter traffic, may push organizations to reorganize their workforces. If this plays out, what new security priorities will emerge? Graf’s answer focused on the technical side, noting that technical staff must find ways to push out patches, monitor proper installation, and ensure that devices, no longer centrally connected, are kept up to date and standardized. Taking a broader view, Kahler noted that other new corporate policies will need to be reexamined. Workforces must receive training and the necessary security education, and this must include everyone – full-time, part-time, temporary, hybrid, and contract staff. Furthermore, policy and training must adapt according to observed behavior, as standards for acceptable use are refined, and with an eye towards prioritizing resources.
For Kaltsounis, the future will be shaped by the regulatory landscape. States are already looking to the CCPA as a model for their own legislation. Furthermore, while the US federal government is unlikely to act legislatively, there are signs that the EU approach to privacy is gaining currency. Finally, as more countries adopt data privacy standards, the interplay across borders will be a hot issue. Data transfer across international borders has been complicated by the Schrems II decision, handed down on July 16 by the EU Court of Justice, which may indicate a move away from globalization towards localization.
All told, 2020 has been a time of rapid change, calling for agility and resilience, and digital risk management professionals should expect more of the same in 2021.