The CCPA Ripple Effect in the Enterprise: How to Prepare
Data privacy is top of mind this year for many businesses. This year, security breaches have already increased by 33% and the number of exposed records has more than doubled. Meanwhile, government-backed privacy and security regulations are requiring more transparency and enforcing higher levels of culpability from all organizations that handle data. Although the California Consumer Privacy Act (CCPA) is intended for California consumers, enterprises across the U.S. are adjusting their cybersecurity procedures and policies in anticipation of further regulations – and to avoid critical costs.
Rising enterprise costs under CCPA
The CCPA states that a consumer has the right to sue if their data is leaked during a breach and it is found that the company did not “implement and maintain reasonable security procedures and practices appropriate to the nature of the information.” This means that a data breach will not only result in a loss of consumer trust, it will come with heavy financial consequences. As it stands, the typical costs of a cyberattack (which include IT response, forensics and recovery, insurance and notification) already average around $1.67 million. Now companies need to be prepared for the additional financial burden of litigation and settlement payouts.
While enterprises have been given a one-year exemption on some aspects, CCPA states that once the full force of the regulation comes into play, consumers will have the right to make requests that extend to the previous 12 months. Given that, and the significant amount of time it takes to roll out new cybersecurity programs at scale, some organizations have already begun to implement the following practices.
Defending with zero trust
The complexity of proper data management and protection is increasing as global work structures continue to evolve. As systems become more interconnected and employee mobility continues to rise, data not only travels more frequently, it often operates outside the bounds of traditional forms of security. Security models that worked well in the past – like firewalls – are no longer as effective at minimizing the risk of cyberattacks. Instead, organizations are turning to the concept of “zero-trust” as the basis of cybersecurity frameworks.
Traditional security models assume that everything within an organization’s network can be trusted by default. A zero-trust model, on the other hand, assumes that all data, devices, apps and users, whether inside or outside the corporate network, are inherently insecure and must be authenticated and verified before being granted access. A zero-trust framework calls for companies to stop relying on default configurations and instead operate with a “trust nothing” mindset that requires continuous monitoring of all network communications, users and systems. Zero trust draws on tools such as multi-factor authentication, end-to-end encryption, identity and access management, orchestration and other comprehensive system permissions and safeguards.
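The contrast above, as an added illustration that is not part of the original article: a legacy perimeter check grants access to anything on the corporate subnet, while a zero-trust check ignores network location and evaluates identity, multi-factor authentication and device posture on every request, recording each decision for monitoring. The subnet, users, roles and resource policy are constructed sample values.

```python
from dataclasses import dataclass
from typing import Tuple
import ipaddress

# Constructed sample data: corporate subnet, user roles and per-resource policy.
CORPORATE_NET = ipaddress.ip_network("10.0.0.0/8")
USER_ROLES = {"alice": {"hr"}, "bob": {"engineering"}}
RESOURCE_POLICY = {
    "hr-records": {"roles": {"hr"}, "mfa": True, "managed_device": True},
    "build-logs": {"roles": {"engineering"}, "mfa": True, "managed_device": False},
}
AUDIT_LOG = []  # every decision is recorded, allow or deny, for continuous monitoring

@dataclass
class AccessRequest:
    user: str
    source_ip: str
    resource: str
    mfa_verified: bool = False
    managed_device: bool = False

def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: anything inside the corporate network is trusted by default."""
    return ipaddress.ip_address(req.source_ip) in CORPORATE_NET

def zero_trust_decision(req: AccessRequest) -> Tuple[bool, str]:
    """Zero-trust model: network location is ignored; identity, MFA and device
    posture are checked on every request against the resource's policy."""
    policy = RESOURCE_POLICY.get(req.resource)
    if policy is None:
        verdict = (False, "deny: unknown resource")
    elif not USER_ROLES.get(req.user, set()) & policy["roles"]:
        verdict = (False, "deny: role not authorised for resource")
    elif policy["mfa"] and not req.mfa_verified:
        verdict = (False, "deny: multi-factor authentication required")
    elif policy["managed_device"] and not req.managed_device:
        verdict = (False, "deny: unmanaged device")
    else:
        verdict = (True, "allow: identity, MFA and device checks passed")
    AUDIT_LOG.append((req.user, req.source_ip, req.resource, verdict[1]))
    return verdict

if __name__ == "__main__":
    inside = AccessRequest("bob", "10.1.2.3", "hr-records")            # on-network, no MFA
    remote = AccessRequest("alice", "203.0.113.7", "hr-records", True, True)  # off-network, verified
    for r in (inside, remote):
        print(r.user, r.source_ip, "perimeter:", perimeter_decision(r),
              "zero-trust:", zero_trust_decision(r))
```

The on-network engineer is waved through by the perimeter model but denied under zero trust, while the verified remote HR user gets the opposite result.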