What Do You Know About GDPR?

I recently attended a lecture by a former FBI special agent on the topic of cybersecurity. Sounds cool, right? (It was!)

I’ve been paying close attention to the topic that is now top of mind for many since last summer, when I wrote this story for BizVoice® on fraud and cybersecurity issues, including what businesses should be doing to help prevent potential cyberattacks.

While I sat in a small room with 20 or so people who seemed genuinely surprised by much of what the former agent was saying, not much of it came as news to me (and I’m not bragging – I just went through my shocked phase last year when researching my story). But one thing I’d never heard before was something known as GDPR, an acronym for General Data Protection Regulation.

GDPR was passed in the European Union (EU) and takes effect in late May. It expands the rights of individuals under the regulation with regard to data privacy and places new burdens on companies or businesses that handle private data. And you might be thinking, “I’m in Indiana, not the EU.” And that’s true; this regulation primarily impacts users in the EU. But it also impacts any businesses or organizations that operate in the EU.

Indianapolis-based DemandJump recently posted a blog focusing on GDPR and how it impacts companies here in the United States, with links and a video to help others learn more about the potential impact:

From an internet user standpoint, this policy only affects those people located within the jurisdiction of the EU. However, companies that do business in the EU – regardless of where they are located – must also abide by the same rules, which has left many in the global technology industry reeling to meet these strict privacy standards by the May 25th deadline.

The GDPR is one of the first major legislative acts of its kind, but it certainly won’t be the last. The question is not whether the United States and others will pass a similar bill, but when.

At DemandJump, we have always believed in and respected the privacy of internet users, and we hold ourselves accountable for individuals’ rights to privacy and security. We also understand there is some sensitivity around data right now, and, well … we love data.

The truth is, data can be an amazing asset when used and handled responsibly, helping to automate, expand, speed up, and generally improve the world we live in. But those improvements should not come at the risk of individuals’ privacy.

Luckily for everyone, they don’t need to.

What is Data Privacy?

Check out this video from our very own Brad Wilson, Director of Engineering and Data Protection Officer at DemandJump about data privacy and GDPR.

In the context of GDPR – and the broader discussion about data privacy – the main goal is to put control over personal data back into the hands of individuals. This means that if any individual does not want to be recognized or known by a data consumer, they have the ability to instruct any system to “forget me”. This would trigger a string of technical actions which would anonymize their information, making it very difficult for any person, business or technology system to identify that person individually.

Fundamentally, this movement is not so much about restricting the usage of personal data as it is about giving control back to individuals. It’s about companies being open and transparent about what personal data they have on individuals, and about the way they handle that data.

For 10+ years there has been a lot of fuzziness and disparate regulation around data privacy and transparency. The EU is saying “no more”, and it’s highly likely that other regulatory bodies will follow suit.

Cybersecurity and data privacy experts will come together for the Indiana Chamber’s inaugural Cybersecurity Conference (in partnership with the Indiana attorney general’s office) on May 1-2. There’s still time to register for the two-day conference held in downtown Indianapolis, with focuses on responding to litigation following a data breach, vendor management, lessons from the defense industry and much more.

Chamber Adds Cybersecurity Conference

People are most familiar with the Indiana Chamber as an advocacy organization. After all, that has been a primary concentration for 96 years.

But business information – in the form of employee training and regulatory compliance publications – has been an important and growing part of the mission for more than a quarter of a century. Many of those offerings have focused on human resources and safety topics, with a more recent emphasis on skill development.

A new addition in 2018 is a partnership with the Indiana attorney general for the inaugural Cybersecurity Conference (May 1-2 at the Indiana Chamber Conference Center). It’s a good sign that the topic is a timely one when the conference expands to a full two days before it even kicks off.

Cybersecurity needs in today’s business world are robust; potential solutions are complex. Business, government and legal viewpoints and conversations will take place.

Among the key topics:

  • Governor Holcomb’s Executive Council on Cybersecurity
  • Cyber threats: The No.1 risk to small businesses
  • Fighting the security battle
  • Responding to litigation and enforcement actions following a data breach
  • The dark web
  • Best practices you can implement now
  • Cyber insurance
  • Legal consideration in the Internet of Things (IoT)
  • How will General Data Protection Regulation (GDPR) be enforced?
  • Ransomware: Wire transfer fraud and phishing are hitting Indiana businesses

Check out additional information, the full agenda and sponsorship opportunities. Register to attend here. Our thanks to presenting sponsor Ice Miller and additional sponsors: University of Southern Indiana Romain College of Business, WGU Indiana, Qumulus Solutions, Matrix Integration and Purdue University.

Cheers to the Network Security Administrators

Here’s a little tip – don’t check your work email on your mobile phone while riding in an airport shuttle on the way back to your car from vacation.

Don’t quickly open any emails saying you had a recent sign-in attempt and need to remedy your information.

Don’t click the link! DON’T do it.

I did it.

Yep, it was me. The person who studied and learned about fraud, email phishing, social engineering (and a lot of other terrifying cybersecurity issues) for a 1,200-plus word story for BizVoice® magazine last year. The person who has warned everyone about these issues since learning all those terrifying things. The one who pays close attention when data breaches are discussed in the media.

It was me. I did it. Ugh.

Thankfully, I realized what I’d done nearly immediately. I clicked on the link, but I didn’t enter any information and I quickly alerted our network guardian angel administrator, Jeff. Then I panicked all the way home from my relaxing vacation.

But Jeff let me know he was keeping an eye on it, and that I hadn’t broken everything (I was sure I had). Such a relief I have rarely felt in my adult life.

After a self-admonishing mea culpa when I returned to the office, I was again put at ease upon being reminded that this happens more regularly than I realized and that it’s a very easy thing to fall for.

That is NOT an excuse for complacency, of course. Think before you click! Make sure you know your company’s security protocols, and think critically about the address the email is coming from (does your security administrator typically handle anything related to Microsoft? Then Microsoft is probably not emailing you directly!). Just pay attention.

I was reminded firsthand that our information technology and network security administrators are on the front lines of keeping our dumb mistakes at bay.

Thank goodness for that.

If you’ve got a great networking security team supporting your workplace, thank them when you get the chance. You probably don’t always know or understand what they do, but when things get dicey, you’ll really appreciate their expertise.

(If you don’t have a network security team, you’re risking a lot. Check out that BizVoice story I mentioned above for more about the pitfalls of not being covered by good security measures.)

Ten Cybersecurity Predictions for 2018

In looking back at 2017, one of the enduring outcomes is that cybersecurity cemented its place in the national conversation.

Though there were a number of major cyber breaches or hacks in the past year, the most far-reaching and potentially devastating was from Equifax. Yahoo Finance reports that over 145 million people were impacted, with stolen data ranging from contact information to Social Security numbers.

The breaches impact consumers as well as businesses, which can face dire consequences if not adequately prepared for such attacks. BizVoice magazine looked at cybersecurity concerns and efforts in two recent editions (find those stories here and here). We interviewed Nathan Stallings of Matrix Integration for one of those stories; the technology infrastructure and advisory company assists its clients in preparing for and preventing such attacks.

Stallings shares his “Top 10” cybersecurity predictions for 2018:

  1. Resources (people and money) for preventative and proactive measures will continue to shift from the network perimeter to within the network. Network Access Control (NAC), network segmentation, and Security Information and Event Management (SIEM) products and/or services will be the top three solutions for most organizations.
  2. Cloud security will become even more important as workloads transition to the cloud, whether public, private, or hybrid. The challenge will continue to be defining the security responsibilities of the cloud provider versus the organization.
  3. Companies will begin to shift their cybersecurity strategy from “prevent and protect” to “detect and recover”. I believe that there is a risk of moving too far away from “prevent and protect” which, in turn, will make “detect and respond” exponentially more difficult. The best strategy is a well-designed combination of the two approaches.
  4. Ransomware will be significantly worse. Variations of WannaCry and NotPetya along with Ransomware as a Service (RaaS) will result in at least a doubling of the number of ransomware incidents from 2017. The cost of ransomware damages globally will likely exceed $5 billion in 2017 and will be substantially higher in 2018. There were approximately 4 million ransomware attacks in 2015, 638 million in 2016, and the estimate for 2017 is a 250% increase. The number for 2018 will be well over 2 billion attacks. Organizations should focus on prevention methods like security awareness training, detection methods like managed security services, and recovery. Recovery may well be the most important and relies heavily on the ability to fully eradicate the ransomware and having a sound data back-up strategy.  
  5. Security awareness training of staff and contractors will become increasingly important as hackers turn away from direct attacks on network infrastructure and web applications and target the end-users with sophisticated “phishing” techniques.
  6. Significant attacks on Internet of Things and personal assistant/artificial intelligence will increase dramatically.
  7. The National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) will continue to gain widespread acceptance and adoption because it is designed to complement, not replace, an institution’s risk management process and cybersecurity programs.
  8. More PCI compliance audits for credit card transactions as the PCI DSS compliance requirements become even more stringent.
  9. Additional high-profile breaches as large organizations continue to fail at the fundamentals of cybersecurity.
  10. Large healthcare organizations will continue to struggle to balance patient care, the needs of physicians and other medical personnel to quickly access critical information, and patient privacy with cybersecurity fundamentals. 

If your company isn’t prepared to stop a cyberattack, is it prepared to recover from one? An old saying seems applicable for this new challenge: “An ounce of prevention is worth a pound of cure.”

Digital: A Disruption to Embrace

The Kauffman Foundation’s Jonathan Ortmans offers thoughtful perspective on entrepreneurship and technology topics. Below is a summary of his latest entry.

One of the great drivers of innovation today is the promise of digital disruption of complex and regulated industries. Digital disruption is not only behind the public sector’s move toward open government and open data, but is also behind the rise of civic-centered startups that are changing the rules of the game for traditional industries. It is time for a new wave of policymaking that anticipates a whole new set of issues for policymakers.

A new sense of urgency is called for as policymaking for the digital economy accelerates in response to what entrepreneur Steve Case calls “The Third Wave” of the Internet revolution.

As 1776 co-founder Donna Harris explains, “as digitization moves from basic applications like social media and e-commerce to more complex industries like education and healthcare, entrepreneurs tackle harder and harder problems. And that means government is more involved and that legacy institutions will inevitably play key roles … Frameworks established decades ago no longer apply, and leaders at all levels need to be proactive in understanding and regulating for a digital economy.”

Creating new regulatory frameworks for the digital workforce is a challenge. As I discussed recently, a Princeton/NBER survey found that the share of workers engaged in alternative work arrangements (e.g. independent contractors and freelancers) was 15.8 percent in 2015, up from 10.1 percent in 2005. Beyond the safety net challenges posed by the so-called “gig economy,” the impact of the broader digital economy reminds policymakers that they need to write new rules for an era where digital disruptions are giving individuals greater power and freedom to write their own destinies. The possibilities of the digital age include new remote, flexible and on-demand work opportunities – and a clear shift of power from institutions to individuals as transparency increases.

Yet most cities, let alone the federal government, are not ready to leverage digital disruption. Innovation That Matters, a pioneer report in understanding digital disruption in the United States, ranks 25 American cities’ readiness to capitalize on the inevitable shift to a digital economy, and provides metrics that city leaders can use to evaluate their progress in developing their digital economies.

The greatest policy risk of all in digital disruption is ultimately policymakers reacting too slowly or providing what Harris calls a mediocre legacy of a “patchwork of laws and tensions.” There are some exceptions to follow from smaller nations that are leveraging the fact that small is beautiful and also more doable. Nations like Estonia, for example, have their top authorities leading their countries’ digital economies, through initiatives in digital infrastructure and even an e-residency program for global entrepreneurs.

Getting the public sector up to speed with the digital revolution is not an easy process. Internal capacity and cybersecurity are two large roadblocks. And it will take many intra-preneurs in government to make the necessary changes, as well as increased rapprochement to civic entrepreneurs who can help one of society’s most traditional sectors – government – react responsibly and responsively to digital disruption. Let the work begin.

Read the full post online.

JOIN US: Learn more about the Indiana Chamber’s new Technology & Innovation Council. Want to participate? Contact Mark Lawrance at mlawrance(at)indianachamber.com.
