Security has hit a low point this year, as 2019 saw the 2nd, 3rd and 7th biggest breaches of all time measured by the number of people that were affected.
The largest breach of the year occurred in May when First American Financial Corporation leaked 885 million records of documents related to mortgage deals going back to 2003, exposing Social Security numbers, wire transactions and other information, according to a post at Krebs on Security.
A month later, around 540 million Facebook user records were exposed on an Amazon cloud server, including account names, IDs and details about comments and reactions to posts, according to a report by UpGuard.
The companies that were hacked due to poor security practices received some hefty fines. Facebook was fined a record-breaking $5 billion over privacy breaches this year. Meanwhile, Equifax agreed to pay $575 million in a settlement for a 2017 data breach that affected 147 million people.
In August, Capital One notified users that a data breach affected about 100 million people. Fortunately, government officials stated that they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by the individual involved.
This year, online companies, internet users and regulators waded through the first full year since the enactment of the General Data Protection Regulation (GDPR) in 2018.
Reporting found, though, that the impact of the GDPR has been minimal to this point. Compliance has been slow, enforcement has been lax, and organizations are finding that learning about data origin, residence and use can be hugely daunting and difficult. Although 91 fines have been issued, the one major $56 million fine was imposed on Google for “lack of transparency, inadequate information and lack of valid consent regarding the ads personalization.”
Moving forward, the lessons learned regarding GDPR will once again be tested in the upcoming California Consumer Privacy Act (CCPA) that will go into effect as of Jan. 1. The law is designed to give users the right to know all the data a business collects on them, the right to delete their data and the right to refuse the sale of that data.
A large bottleneck in improving security is the lack of skills in the workforce to take on cybersecurity positions. The 2019 (ISC)² Cybersecurity Workforce Study estimates that the cybersecurity workforce is currently made up of 2.8 million individuals, but 4.07 million professionals are needed.
The way software development companies are approaching security is also evolving.
The 10th iteration of the BSIMM report (BSIMM10) found that the security aspect of DevOps is evolving, with a new wave of engineering-led software security efforts originating bottom-up in the development and operations teams rather than top-down from a centralized software security group (SSG).
The responsibility for security has shifted to developers within their organizations, according to a post by Gabriel Avner of WhiteSource. Many are using tools that scan the product’s code and alert developers to potential vulnerabilities, allowing them to test earlier in the SDLC.
In its top ten technology predictions for 2020, Gartner said that AI security will be a major development. AI security includes protecting AI-powered systems, leveraging AI to enhance security defense, and anticipating nefarious use of AI by attackers.