After a year of high-profile cyber-security issues, rounded off by a PayPal data breach that exposed the personally identifiable information of 1.6 million customers, data security looks set to be at the top of business agendas throughout 2018.
With May's enforcement date rapidly approaching, the GDPR will inevitably be the biggest talking point this year. Jack Lemon, operations manager, London Digital Security Centre (LDSC) sees the GDPR as an opportunity, and a challenge that businesses must rise to if they want to succeed, saying: “Businesses and consumers should embrace the legislation and interpret it as a positive step, as it will force organisations to collect, protect, and use personal data responsibly.
“‘Bigger organisations' will expect their supply chain to be able to demonstrate how secure they are; otherwise they will start to lose out on contracts. The NHS in Wales has already stated that businesses now need to have Cyber Essentials as a minimum if they are to maintain their supplier status. With companies of all sizes becoming evermore digitally interlinked, organisations can no longer just build their security wall higher, they need to look at security as a whole – including the long tail of the supply chain. This links to GDPR.”
While Todd Ruback, chief privacy officer at Evidon agrees the GDPR will be a driver of change, he also emphasises that its enforcement won't necessarily reduce the frequency or magnitude of data breaches: “The GDPR will be the catalyst of tremendous change in how data is collected and used, and with less than six months to go until implementation, the sense of urgency is palpable. However, it's important to remember that the GDPR is the dawn of a new era in data use, and is simply a compliance date to aim for.
“Having said that, politically motivated data breaches will continue unabated, and we could easily see an escalation from economic driven data breaches to politically driven data destruction on a massive scale. If 2018 becomes the year of massive data destruction, look for this to have a big impact on the stock value of some companies and sectors. The private sector will certainly respond, but individuals would be wise to decentralise their personal data, especially financial data, and organisations should think through this worst-case scenario. Paper records could make a strong comeback in 2018.”
Scott Millis, CTO at Cyber adAPT believes the increased prevalence of cyber-attacks will drive businesses to take out cyber-insurance to protect themselves from the economic impact of breaches.
“There have been few times in 2017 when a cyber-attack hasn't been in the news. These attacks, coupled with this year's GDPR requirements for data protection, will lead to a dramatic increase in the demand for cyber-insurance in 2018.
“FedEx Europe had no cyber-insurance in place when their systems were taken down for four weeks following a breach, an example of how far a cyber-attack can compromise business continuity. As security tries to catch up with the latest technologies, there are too many opportunities for malicious opportunists: imagine a hacker controlling the infrastructure of an office block, or changing the balance of ingredients in a medical drug through its manufacturer.
For businesses, this cyber-insurance means understanding and prioritising the risks. It's not possible to insure against all potential actualities, so insurance providers will need to take steps to standardise metrics across the industry. Cyber-insurance will make great strides in 2018 and eventually become a standard requirement for businesses across the board.”
Lemon identifies three key risk factors that could increase vulnerability to data breaches; people, non-targeted proliferations, and the Internet of Things (IoT):
People – Providing the correct training and education will dramatically reduce the exposure and risk of businesses becoming victims of cyber-crime. According to GCHQ, 80 percent of all cyber-attacks are avoidable, with people being at the heart of this risk avoidance. All organisations, regardless of size, need to clearly set out and enforce standards and procedures internally. Simple things make all the difference (eg carefully disposing of memory sticks which contain sensitive data). Unfortunately you can have all the technical controls in the world, and the most secure infrastructure, but people will always find a way (inadvertently or deliberately) to circumvent them.
Non-Targeted Proliferation – The threat is not necessarily from new forms of sophisticated malware or ransomware, but instead criminals being able to exploit basic vulnerabilities in modern digital technologies, enabling them to steal data and commit fraud. The effectiveness of WannaCry and other mass “broadcast” attacks will only further increase unless businesses implement adequate security controls; which in most cases can be simple and cost-effective solutions. SMEs need to understand their risks before they become a victim; which according to government stats is 46 percent of all SMEs.
Internet of Things (IOT) – Should also be known as the Internet of Insecure Things. This presents the biggest threat, as it is inherently unsafe but increasingly being embraced by businesses, governments, and individuals. Unless a fundamental rethink occurs, there will be billions of interconnected devices undertaking all manner of tasks, from switching on lights in our homes, to being part of hospital surgical procedures and nuclear power stations. All use-cases are at risk of cyber attacks which could cause massive disruption, economic damage, and potential loss of life.
Lemon believes increasing awareness and clarity around the cyber-market is essential to reducing the risk of data breaches, suggesting: “One of the biggest challenges for the business community is acting upon the myriad of information in the public domain. The cyber-market can be confusing, causing some businesses (especially within the SME community) to switch off. This lack of action puts businesses at greater risk so advice needs to be given in lexicon, which business owners can easily understand and act upon.”
While the GDPR is certainly going to dominate the cyber-security conversation over the coming months, and will be a positive catalyst for change, businesses shouldn't become complacent and assume compliance will protect them from cyber-attacks and data breaches. There is far more that can be done in the year ahead to protect businesses and consumers from escalating cyber-threats.
Is Zero Trust really achievable given the complexity in finance service organisations?
Brought to you in partnership with Forescout