CEOs of companies big and small must prepare for new data protection laws which, if ignored, could cost millions of pounds and even put firms out of business. Doug Drinkwater reports.
Information security has become headline news over recent years. In this time, we’ve seen US retailer Target hacked, affecting 110 million credit card and debit card holders, North Korea blamed for breaching the networks of Sony Pictures Entertainment and the Apple iCloud hack which resulted in the leak of embarrassing selfie photographs.
And perhaps most notably of all we’ve read the disclosures from Edward Snowden on the mass surveillance activities of the US’ National Security Agency (NSA) and UK’s Government Communications Headquarters (GCHQ).
Yes, hacking has become a new and lucrative business for nefarious nerds, criminals and state actors, and a rather costly one for legitimate businesses; Target is still mired in legal action from its data breach in late 2013, while JP Morgan, which was hacked last year, recently announced its intention to double its security spend to over £300 million.
Meanwhile, one UK SME was put out of business as a result of a distributed denial-of-service (DDoS) attack, in which attackers flood a website with more traffic than it can handle. A UK government-commissioned report published last week put the average data breach cost for a large firm at up to £3.14 million, and at up to £311,000 per breach for SMEs.
The sad, but inevitable, fact is that hackers will almost always find their way into a company via a backdoor. While companies seek to protect 100% of their assets, hackers only have to find one weakness, usually an employee with a weak password or one who falls for a phishing email, to sneak onto the network and steal data.
Once inside, they’ll look for anything of financial gain. Usernames and passwords are usually a good start as these can be sold on the internet underground, otherwise known as the ‘dark web’.
The more sophisticated attacks are often conducted by nation-states, and these countries may be more interested in intellectual property (IP). For example, China’s well-known cyber-army, the PLA’s Unit 61398, reportedly stole large volumes of documents on the schematics and specifications of Israel’s Iron Dome from contractors.
Hacking is therefore a costly lesson for business, although more often than not this ‘cost’ is hard to define, which makes it difficult for security managers to articulate the risks to their boardroom superiors and to win more budget for fixes.
For instance, hacks often result in data loss and business downtime, but shares will likely rebound and quarterly revenues are not significantly affected. Most CEOs will see this as a sign that they’ve escaped scot-free.
However, brand reputation is another thing entirely – studies have shown that customers are put off doing business with breached firms, and a KPMG report found the same with investors.
Once a company is breached, data protection authorities like the UK’s Information Commissioner’s Office (ICO) can fine it up to £250,000, but this is relatively small fry for most companies. However, that could all be about to change with a proposed EU law that should shake up how companies view security and secure personal data.
New law, big changes
The EU General Data Protection Regulation is the first refresh of the EU data protection law in twenty years and it carries some eye-opening changes – especially for CEOs and CFOs.
Although still to be finalised by the EU Commission, the EU GDPR will stipulate that companies that have been breached could be fined between 2% and 5% of global turnover by their Data Protection Authority.
Elsewhere, it stipulates that breached firms must notify regulators of a breach within just 72 hours, a tough target considering that most incidents remain undetected for weeks if not months. It also demands that firms with over 250 employees appoint a data protection officer.
On privacy, there are some bold changes too, most notably that customers have ‘the right to be forgotten’ and the right to have their data erased or transported if they move from one service to another.
Indeed, so radical is the new and proposed law that some security commentators have deemed the changes ‘commercially untenable’.
Nonetheless, with the EU Commissioner confirming that the regulation will become law in 2015, companies must move towards compliance. A Trend Micro report earlier this year revealed that half of IT security staff weren’t even aware of the changes.
This is bad news, especially considering that security is often an afterthought for most CEOs, who have little in common with their security manager and who often see cyber-crime in the newspapers and think ‘it won’t happen to us’.
Add in the relatively modest fines handed out to date and the lack of obvious financial loss, and perhaps you can see why cyber-security is not high on the agenda for CEOs and other board members.
The good news is that the ICO has hinted that it doesn’t intend to hand out mega fines. But rather than take the risk, here are some basics to follow so your firm is ready when the new law comes in:
Employ a person to handle the changes requested by the new law
Find out where your data resides (is it on-premises or held by a third-party contractor?)
Using the 1998 Data Protection Act as a guideline, identify your compliance gaps
Conduct risk analysis on your firm’s use of personal data
Ensure your security team has the budget to make the changes