Outlook for year 2023

The year is drawing to a close and there is no better time to reflect on the past 12 months. At the same time, now is a good time to look ahead and think about the tasks and obstacles ahead. While the IT world in 2022 was characterized by cybercrime, the sovereign cloud and data leaks, the new year will bring a number of challenges for the industry. Experts are certain that 2023 will see a change in cyber security. In our view, there are three key factors that will provide the impetus for these changes:

1. OPTIMIZING MULTI-CLOUD MANAGEMENT THROUGH A DATA-CENTRAL SECURITY APPROACH

This is why the focus should lie on the security of the data!

For companies of all sizes and in almost all industries, migrating to the cloud is no longer just an emerging trend, but an inevitable decision. In the past, IT security requirements were defined by the storage of data on local servers. However, with the use of the cloud, this physical security barrier has largely disappeared. Companies must now develop strategies to ensure that data - often at the record level - is protected regardless of where it is stored or processed. They should not rely on their Cloud-Service-Provider (CSP) to keep their data secure. The shared responsibility model is a security and compliance framework that clearly defines the responsibilities of CSPs (e.g., Amazon Web Service, Microsoft Azure or Google Cloud Platform) and customers in securing all aspects of the cloud environment, including hardware, infrastructure, endpoints, data and operating systems, among others. Simply put, the model specifies which party is responsible for providing security for specific components. The Cloud-Service-Provider is responsible for defending and monitoring against security threats that attack the underlying Cloud-Infrastructure. Companies and organizations are obliged to protect the data and other assets stored in the cloud environment. Eric Ahlm, Senior Director Analyst at Gartner, also notes in a cybersecurity forecast for 2023 that "data-centric security is essential for data protection in today's world where data is always and anywhere available. In 2023, corporations must focus on overlaying their core security architecture with a data-centric view." In the future, more than ever, businesses will need a security approach that focuses on the security of data, rather than the security of networks, servers or applications.

2. ACHIEVING CLOUD COMPLIANCE THROUGH THE USE OF STATE-OF-THE-ART TECHNOLOGY

Cloud-Services from insecure third countries can already be used in a GDPR compliant manner today!

It is highly likely that the events of the coming year will cause more confusion in terms of data protection and data transfer, rather than finally bringing the long-awaited hope of clarity. It is predictable that new drafts and revised approaches to regulating EU-US data flows will only result in more lawsuits and complaints. The loss of the US adequacy decision has made it clear how difficult it is under data protection law to interact with providers from countries that cannot guarantee a level of protection for personal data that is adapted to EU conditions. This obstacle has been able to be overcome for years by companies adhering to the current state of the art. The European Union Agency for Cybersecurity (ENISA) has defined the state of the art together with the German IT Security Association (TeleTrusT). The published document on the "state of the art" in IT security provides specific information and recommendations for action. For cloud-based data exchange (§ 3.2.11) and data storage in the cloud (§ 3.2.12), for example, it recommends an encryption gateway that allows fully internally controlled data encryption and does not restrict important functions. Companies that protect their sensitive data with the help of an encryption gateway can use cloud applications from insecure third countries in compliance with data protection regulations. The personal reference is removed from the data before it is stored in the cloud, so there are no restrictions on its use and storage in a multi-cloud environment. Companies can operate without restrictions regardless of the current legal situation and derive the greatest possible benefit from GDPR-compliant data use.

3. DEFINING THE ENHANCEMENT OF CYBERSECURITY AS A CORPORATE GOAL

Why do we need to create space for cybersecurity in the corporate culture!

The coronavirus pandemic has greatly accelerated the digitalization of the world of work. Many companies have introduced hybrid working models that initially only focused on securing end-user devices. It is now clear that the transition to location-independent working environments is associated with much higher data security requirements. Especially in times when cloud applications such as Microsoft Teams, Microsoft 365 and Salesforce have become an integral part of everyday working life, companies need to find simple solutions that enable them to effectively secure their data in home office environments. This is because the operational impact of security incidents can be serious - both for the company itself and for its customers. Every year, cyberattacks cause trillions in damage and can render companies incapable of acting within a very short space of time. As the year draws to a close, advanced cyberattacks have repeatedly brought factories, offices and branches to a standstill. For this reason, the topic of cyber security is an absolute must at board level and must be understood and pursued as a strategic corporate objective. Selective compliance with the legally required minimum level is not enough! Furthermore, awareness must be raised in all parts of a company. IT solutions that are as secure and easy to use as possible can help to increase acceptance. In this way, selective encryption, for example, can help to optimally protect sensitive data in a multi-cloud environment.

Disclaimer:
Insofar as this document contains legal explanations and advice, this constitutes non-binding information without any guarantee of completeness or accuracy. In this respect, it does not constitute legal advice and Eperi GmbH does not claim to represent or even replace such advice.