This year has seen headlines that would make many re-evaluate their risk posture; did the Cambridge Analytica news make you reconsider whether to be on Facebook? Did the Magecart attacks determine how much you used your credit card online? Are you still feeling safe using the internet despite cryptomining software being used?
To get an idea of what the year looked like from a risk perspective, Infosecurity talked to Peter Lefkowitz, chief digital risk officer at Citrix, who said that he saw the year in risk in two parts: first, privacy, security and compliance, and second, the changing social media landscape.
On the first point, he said that companies had spent the previous two years preparing for the introduction of the GDPR in May of this year, and this had “been a big shift” for companies to consider accountability and consent, “and be more focused on security and vendor management.”
Ultimately, the GDPR allowed people to get a better idea of how to control their data, and know more about what companies were using their personal information for. In terms of risk, the posture of a company should be to ensure that data is accounted for and securely stored, while a data subject should feel less at risk because of the capabilities of the new compliance regulations.
His second point was around the press and events surrounding Facebook and social media from this year, and the privacy and security of our personal information. However, he said that there is a danger we will “worry about throwing the baby out with the bathwater for social media and large scale analytics” as we take action on how our data is used.
Ultimately, the Facebook and Cambridge Analytica story demonstrated the use of personal data without users’ consent, and how much of a quantity the member of a social network or user of a free service is.
Also reflecting on another news story from the year, Lefkowitz said that issues like the Spectre and Meltdown bugs show that there is a concern about the security of devices, and in that case they were well handled “and got quite a bit of attention.”
He claimed that in the case of Spectre and Meltdown, and even looking back to 2014’s Heartbleed bug, when issues are handled well they fall out of the media attention “and if I asked 10 people in the street to tell me about Heartbleed, no one would know anything!”
Lefkowitz explained that this was a good thing as “issues are fading” in terms of the public consciousness.
Asked about the impact of GDPR, he said that this made people more aware of risk, and they “became savvier about their online presence and asked more questions.” For businesses though, GDPR is hard to comply with, he said, but it is ultimately “good for technology and being forced to have stronger programs and to be more transparent on what we do” will drive confidence among the public.
Overall, has 2018 been a good year for risk? Lefkowitz said that it has been “more acute” but it's been a year when we have extrapolated more. He said that while we don’t want to view “the entire world through a prism” there is more going on in technology and connected businesses “that are truly advantageous for us at a social and economic level.”
In terms of the year, did we become more aware of our risk posture? He said that this was a “consolidation year” and used the analogy of a sports team who build a new team one season, and aim for the championship the following season.
“We took the measure of GDPR and risks reading about in the media, and will be more transparent on compliance, and I hope 2019 will be another winning season with compliance programs so we can really innovate.”