The digital transformation we are experiencing will bring another record year of innovation and data proliferation. Artificial intelligence and 5G wireless took great leaps last year, and 2019 will bring mass adoption to several technologies.
A strategy to digest all the change may look like thinking exponentially yet acting incrementally. Some uncertainty needs to be a part of the DNA for 2019. As frequently as possible, your team should explore intersecting vectors of change. Work to figure out how to make incremental decisions. A continued study and review of disaster recovery, business continuity, backups, compliance and cyber defense will help you stay ahead of the curve.
We have progressed from the Internet of Knowledge to the Internet of Things and now, the Internet of Value with the implementation of blockchain technology in popular cryptocurrency applications. Tom Aumiller, director of information technology for Maloney + Novotny, explained, “Digital currency, and bitcoin specifically, is the most familiar implementation of blockchain. But the blockchain model lends itself to numerous other applications which require a secure, validated repository for information or assets that can be represented digitally. This might include real estate, intellectual property, etc. In its pure form, blockchain offers efficient authorization and a distributed ledger that resists tampering. The list of businesses evaluating and developing blockchain solutions reads like a who’s who of finance, technology and health care companies.
“The development of blockchain applications is in its infancy and the early winners may not be the long-term standard bearers (not many people remember Digital Research). Future cryptocurrency, or other blockchain applications, may be supported by money-center banks, governments or a consortium of private and public entities. As you trust these applications with your valuable assets or information, it will be important for you to know who you are trusting. Rules for validation, hosting, change management and access should all be transparent and auditable. Research any provider the way you would any other trusted resource.”
Michael Stovsky, partner and chair of the innovations, information technology and intellectual property group at Benesch, continued, “Blockchain will take more steps to come of age as enterprise wide solutions become commercialized. There are many companies working on these solutions and given the emphasis on data security and privacy mentioned above, blockchain based solutions enabling business partners to transact business and share confidential information and data will become more and more important. Already solutions developers servicing the supply chain, and various industries for which security is paramount, are on the precipice of launching enterprise solutions. No longer will blockchain be limited to cryptocurrencies as the uses of blockchain-based technologies including smart contracts become clearer to businesses seeking to capitalize on the distributed, highly secure technology. Ohio recently passed legislation recognizing the validity of blockchain based smart contracts as ‘writings’ under Ohio law which is a significant step forward. Soon a federal opportunity zone for northern Ohio is expected to take shape. The grassroots Blockland initiative and its extraordinarily successful first Solutions Conference will help put Cleveland and Ohio on the map in this burgeoning area.”
Stovsky spoke about 3D printing and other forms of additive manufacturing. He advised, “3D printing will continue to grow as companies move to reap the benefits of reduced manufacturing cost and better product that can often be achieved by contracting manufacturing of parts to better, faster, cheaper 3D and additive manufacturing vendors. Regions in which high capacity fiber optics enable the transmission of data dense files to 3D and additive manufacturing vendors with the latest technologies in place will finally enable the manufacture of products and parts at scale. Northern Ohio will benefit from this as existing 3D and additive manufacturers become more stable financially, expand their operations, and as traditional manufacturers in the region begin to shift manufacturing to these vendors. It will take time but expect this trend to continue.”
Aumiller recommended, “If your business handles sensitive customer data or processes, or if you have vendors who handle the same for you, then you may be familiar with third-party assessments. Sometimes these may be an informal site visit and interview or completion of a questionnaire.
“In other cases, you may receive or participate in some form of third-party assessment. Years ago, the financial audit community relied on the Statement on Auditing Standard No. 70 (SAS 70) – now Service Organization Controls (SOC) reports – performed by certified public accountants or certification to an agreed upon standard such as the International Organization for Standardization (ISO). In today’s environment of shared data and outsourced services, the variety of third-party assessments has grown – a lot. Some focus on key functions such as Payment Card Industry (PCI) compliance involving credit card transactions. Others focus on industry regulation such as Health Information Trust Alliance (HITRUST) for health care. Others are designed for vendor management around data security regardless of industry or type of transaction.
“Many third-party service provider contracts now require some form of assessment or audit compliance. It has become a cost of doing business for many entities. If you are asked to commit to, or if you are planning on using an assessment in your business, be certain to do your homework. Do not commit to something that does not fit your business purpose, your industry and any data requiring security. If you have questions, ask others in your industry (trade association) or a business adviser (attorney or accountant) about their experience before committing your time and money.”
Ohio data breach ‘safe harbor’
Ohio has recently joined a few other states, such as New York and California, in passing legislation that directly influences how companies design and implement their cybersecurity programs. Ohio is the first among these states to offer a direct incentive in the form of a “safe harbor” from certain legal actions that can be taken against companies that unfortunately have a data breach. Aumiller noted, “There are certain requirements for obtaining the legal ‘safe harbor’ but one of the most important requirements is that the business adopts any one of the six identified industry security standards when implementing cybersecurity measures.
“An Ohio business that has not already adopted one of these cybersecurity standards needs to start to research which framework best fits how the business operates, and which one offers the most flexibility when making cybersecurity decisions and purchases. If the business has already implemented one of these frameworks, it is very important that the documentation of how well the implemented security practices meet the expectations outlined in the chosen framework.
“One thing that is abundantly clear from these new laws is that businesses can no longer ignore that governance and compliance is a vital part of ensuring that their customer’s data is as protected as it can be.”
Cybersecurity and privacy
Tim M. Opsitnick, executive vice president and general counsel of TCDI, wisely counseled, “Hackers today are increasingly more sophisticated, bold, destructive and indifferent to the damage that they inflict. Each individual, organization or business has a responsibility to do more to protect themselves and reduce the ominous rise in attacks.
“Cybersecurity is not just for big business. The largest businesses are now pushing down to their smallest suppliers the requirement to implement reasonable cybersecurity practices under threat of ceasing the business relationship. Regrettably, the increasing number of state, federal and even international regulations have added complexity to the business environment. Every company is different and only you know what is best for your organization.
“Cybersecurity continues to become more tightly integrated with the early development and operations lifecycle regarding software applications and Internet of Things (IoT) devices. As new products are developed and current products are updated, cybersecurity has become an important element in the process before deploying changes. The integration of security into the DevOps team will reduce potential cybersecurity vulnerabilities.”
Stovsky added, “Data security and privacy will again have center stage as data breaches continue to set records for number of people affected. The most recent breaches at Marriott, Panera, Facebook and Under Armour exceeded Anthem in scope – a feat few thought possible a few years ago. Hacking sophistication is increasing, particularly from bad actors abroad. However, many breaches are resulting from facts that have become altogether too common. These include email phishing and spoofing scams, diversion of wire transfers through fraudulent communications, and simple negligence by employees and contractors.
“Adding to the complexity is the effectiveness for enforcement purposes of the European Union (EU) General Data Protection Regulation (GDPR) and the new implementing law across the EU which places substantial new obligations, risks and penalties on U.S. companies that touch personal data about residents of the EU and the European Economic Area (EEA). California is the first state to enact its own legislation that in some ways mirrors the GDPR, but this has triggered consideration in other states and at the federal level where there has been a renewed call for unifying legislation that preempts state law.
“Boards of directors of companies, public and private, are now firmly in the cross-hairs of plaintiff and other class action lawyers and governmental regulators. The elevation of data security and privacy risk to the highest levels of management and to the board is now essential – as it is for other types of significant business risks. Ohio recently passed new legislation providing a safe harbor from civil damages for companies that comply with the data security standards set forth in this legislation and this will likely be a trend to watch – potentially moving companies to set up data centric operations or affiliates in Ohio as a risk mitigation strategy. The network and endpoint monitoring and vulnerability assessment and testing industries will continue to grow as a result.”