It was a great year for deceit in 2017 as hackers launched multiple successful attacks against corporations, organizations, governments, and individuals on an unprecedented global scale.
The media cyber security darling — or demon — was the WannaCry crypto-worm, which held hostage the files of thousands of Windows users around the world until a Bitcoin ransom was paid. In all, WannaCry took over more than 200,000 computers in 150 countries, including those of FedEx, the UK National Health Service, and Telefonica in Spain. Damage estimates range from hundreds of millions to billions of dollars. Meanwhile, a major breach at Equifax generated headlines and had security managers rushing to patch vulnerabilities in their systems.
Unfortunately, there’s no indication 2018 will be any less “interesting” for businesses. Regulators have had to respond in kind to the escalation in the frequency and severity of cyber-attacks. End results: more and tighter security-centered regulations across all sectors.
GDPR era
On May 25, 2018, the General Data Protection Regulation (GDPR) comes into effect. This set of data privacy laws, roughly four years in the making, applies to any company with business connections to Europe. Says Ira Goldstein, Herjavec Group’s SVP of Technical Operations: “GDPR applies to any company in the world that receives data from the EU. You could be a company with offices in Europe that’s sharing internal data, or you take data from a client based in Europe, or you could just have a customer who’s there.”
Canadian organizations whose activities fall within the scope of the GDPR have but two options:
- to restrict their activities so that they fall outside the scope of the regulation, or
- to come into full compliance.
If the latter, organizations should be aware that there is a cost; some American companies have had to spend millions to fall in line with the GDPR. Canadian companies must be aware that doing the same will come at considerable cost.
“No executive wakes up and says I can’t wait to spend money on security today,” says Herjavec Group Founder and CEO Robert Herjavec, “but it’s no longer a choice. The biggest driver of security in the coming years will be compliance.”
GDPR and PIPEDA
In Canada, most companies must already be in compliance with the Personal Information Protection and Electronic Documents Act (PIPEDA), which regulates how businesses may collect, use, and disclose the personal information they collect. Although for now, PIPEDA has been deemed “adequate” by the European Commission, meaning it matches up adequately to the GDPR, PIPEDA’s status will likely be revisited.
More than ever, organizations are vulnerable to being breached. Insider mistakes and the misuse of system privileges, combined with a sophisticated and increasingly AI-powered hacker, are forcing companies to rethink their security policies and practices, and government agencies to introduce regulation after regulation.
Security and compliance made simple
Compliance with these regulations is not something organizations can negotiate or get around. However, most companies don’t want to (and shouldn’t have to) dedicate enormous amounts of time and energy to security compliance. This is where Herjavec Group’s Security Consulting Services can help. With the right approach, identifying risks and gaps and maintaining rock-solid day-to-day security is not impossible, and may actually be quite simple. Visit Herjavec Group online to get started.