Changing your cybersecurity mindset is critical in 2020
The highly regulated financial industry reached a critical crossroads in recent years: the need to improve efficiency and reduce risk forced banking executives to find a compliant way to close the innovation gap by partnering with startups to access new technologies. Now, with GDPR already in effect in Europe and the California Consumer Privacy Act (CCPA) having taken effect last month, it is the technology industry's turn to make a change.
For many technology companies, these regulations act as a much-needed catalyst for re-evaluating data privacy and security practices and analyzing company processes as a whole.
As new regulations take shape, it’s beginning to look like the new decade will be much more than just a revolution of technology. Rather, we are teetering at the brink of an industry reset, which we’ll see manifested in a number of ways in the year ahead.
Regulation and the Battle to Define “Personal Information”
While the CCPA was technically written to protect the privacy rights of California residents in the wake of high-profile data breaches and increased consumer awareness, it has in practice become the standard for businesses operating anywhere in the United States, because almost any company of meaningful size serves California residents. The reason is simple: building a separate privacy program on a state-by-state basis would be painfully inefficient and would open a Pandora's box of complex implementation and enforcement issues across state lines.
The CCPA has been a necessary step in the right direction for American consumers, granting them data privacy rights they deserve in an increasingly digital world. Yet regulators and courts are now grappling with the law's broad definition of "personal information" (PI), that is, which data a business collects, stores and shares actually falls under the law's notice, access, deletion and opt-out requirements.
There will be growing pains as courts rule on lawsuits filed by consumers over what does and does not count as inappropriate data collection. Those rulings will narrow the broad scope of the CCPA and set precedent for legal oversight and compliance under future legislation.
Increased Scrutiny of Legacy APIs
When it comes to maintenance, old APIs are among the most neglected parts of any product. Alarmingly, they are also a favored entry point for attackers, because they predate the authentication, input validation, rate limiting and logging practices a company now applies to its current code, yet they still reach the same user data. Engineers have historically accepted the risk of legacy APIs because they are hard to fix: either customers still depend on them, or no one currently at the company understands the code they were written in.
These two factors make it hard for companies to justify the investment needed to fix legacy APIs, especially when there are deadlines to meet for getting a new product to market. Every API is attack surface, however; APIs exist to make data exchange easy, so the more endpoints a company exposes, the larger the surface area available for a breach.
The combination of increased attention to data privacy and to security is finally causing major enterprises in high-risk industries, banking above all, to rethink this approach and invest in inventorying legacy APIs, then deprecating the ones nobody needs and fixing the ones customers still depend on.
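The inventory-then-deprecate approach described above, as an added example that is not part of the original article: a small Python module that parses access logs to find which declared-legacy routes still receive traffic and from which API keys, splits them into "remove now" (no callers) and "notify and sunset" (callers remain), and implements a gateway-side guard that advertises the retirement date with a `Sunset` header (RFC 8594) before the cutoff and answers 410 Gone after it. The log lines, route names, API keys and sunset dates are constructed for illustration; the `Deprecation` header follows the IETF draft of that name and the `successor-version` link relation is from RFC 5829.

```python
"""Inventory legacy API routes from access logs and enforce a sunset policy.

Added example, not code from the original article. The log lines, routes,
API keys and dates below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import date, datetime, timezone
from email.utils import format_datetime

# Constructed sample access log: combined-log style plus a key= field that
# identifies the calling client. A real gateway would log the same facts.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Feb/2020:09:12:01 +0000] "GET /api/v1/users/42 HTTP/1.1" 200 512 key=acme-batch
10.0.0.9 - - [10/Feb/2020:09:12:07 +0000] "GET /api/v2/users/42 HTTP/1.1" 200 498 key=mobile-app
10.0.0.5 - - [10/Feb/2020:09:13:44 +0000] "POST /api/v1/export HTTP/1.1" 200 9031 key=acme-batch
10.0.0.7 - - [10/Feb/2020:09:14:02 +0000] "GET /api/v2/users/7 HTTP/1.1" 200 501 key=web
10.0.0.3 - - [10/Feb/2020:09:15:30 +0000] "GET /api/v1/users/9 HTTP/1.1" 200 510 key=partner-x
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ key=(?P<key>\S+)$'
)

# Routes the team has declared legacy, each with the date it stops serving.
# (Constructed; a real list would come from the API inventory.)
LEGACY_SUNSET = {
    "/api/v1/users": date(2020, 6, 30),
    "/api/v1/export": date(2020, 3, 31),
    "/api/v1/reports": date(2020, 3, 31),  # declared legacy; no traffic in the sample
}


def route_of(path):
    """Collapse a concrete path to its route prefix: /api/v1/users/42 -> /api/v1/users."""
    parts = path.split("?")[0].split("/")
    return "/".join(parts[:4])  # ['', 'api', 'v1', 'users']


def legacy_inventory(log_text):
    """Map every declared-legacy route to the sorted list of API keys still calling it.

    Routes with no traffic are kept with an empty list so they show up as removable.
    """
    callers = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        route = route_of(m["path"])
        if route in LEGACY_SUNSET:
            callers[route].add(m["key"])
    return {route: sorted(callers.get(route, set())) for route in LEGACY_SUNSET}


def retirement_plan(inventory):
    """Split legacy routes: delete the ones nobody calls, notify the callers of the rest."""
    remove_now = sorted(r for r, keys in inventory.items() if not keys)
    notify = {r: keys for r, keys in inventory.items() if keys}
    return remove_now, notify


def _http_date(d):
    """Render a date as an RFC 7231 HTTP-date at 00:00 UTC, e.g. 'Tue, 31 Mar 2020 00:00:00 GMT'."""
    return format_datetime(datetime(d.year, d.month, d.day, tzinfo=timezone.utc), usegmt=True)


def legacy_guard(route, today):
    """Gateway decision for a request to `route` on `today`.

    Returns (status, extra_headers): non-legacy routes pass through untouched;
    legacy routes advertise their Sunset date until it passes, then get 410 Gone.
    """
    sunset = LEGACY_SUNSET.get(route)
    if sunset is None:
        return 200, {}
    if today > sunset:
        return 410, {"Sunset": _http_date(sunset)}
    return 200, {
        "Deprecation": "true",                      # IETF Deprecation header draft
        "Sunset": _http_date(sunset),               # RFC 8594
        "Link": '</api/v2/>; rel="successor-version"',  # RFC 5829 link relation
    }


if __name__ == "__main__":
    inv = legacy_inventory(SAMPLE_LOG)
    remove_now, notify = retirement_plan(inv)
    print("remove now:", remove_now)
    for route, keys in notify.items():
        print(f"notify {keys} about {route}, sunset {LEGACY_SUNSET[route]}")
    print(legacy_guard("/api/v1/export", date(2020, 2, 10)))
    print(legacy_guard("/api/v1/export", date(2020, 4, 1)))
```

Running the module against the constructed log shows `/api/v1/reports` can be removed immediately, while `/api/v1/users` and `/api/v1/export` still have named callers who need a migration deadline. The guard gives those callers machine-readable notice on every response until the deadline, then fails closed; the point is that a legacy route is retired deliberately, with its consumers known, rather than left reachable because nobody was sure who still used it.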
Balancing the Scales for Tech Debt
Having tech debt is not necessarily a bad thing. Many fast-moving companies view it as an indicator of strong product demand, yet a healthy balance must be maintained. Vulnerabilities and performance issues emerge when that deferred work is never paid down, and they ultimately take a toll on the bottom line.
Companies are beginning to see the big picture, and are making more of a conscious effort to manage their tech debt and address the resulting vulnerabilities. For executives, 2020 is a fresh slate – an opportunity to reflect on security based on the experiences of the decade prior while also considering the upcoming changes on the horizon, for a more refined approach in the decade to come.