The issue of cyber crime has moved from an IT concern to a major boardroom issue. Businesses in all sectors and of any type are vulnerable and the risks are significant.
A number of high-profile events have helped sharpen business focus on cyber crime in recent years, says Tony Hughes of KPMG. “Three out of four large Irish companies increased their spending following the WannaCry ransomware attack in 2017, with budgets being increased by up to 59 per cent. At the same time, the SME sector has still to fully engage with the issue – with recent surveys indicating that 49 per cent of SMEs budget for around €1,000 per year on cyber security, with 22 per cent having no budget in mind at all.”
Not only can these breaches result in financial loss, they can cause reputational damage too – a business that’s had data stolen won’t be very attractive to potential clients. Irish businesses can no longer afford to be lax when it comes to online security, especially with the introduction of the EU General Data Protection Regulation (GDPR) on May 25th. This requires any organisation that holds personal data to report breaches to the Data Protection Commissioner – failure to do so can result in fines of up to €20 million. “It’s a journey, not a destination,” says Mike Daughton of KPMG.
“It’s about how people are going to have proper procedures in place after May 25th to allow them to monitor and maintain compliance.”
Compliance is about figuring out what personal data you hold, why you hold it, what you do with it, who you share it with, how long you keep it and where it is stored. It brings with it mandatory data-breach reporting to the Data Protection Commissioner within 72 hours, another new requirement for businesses.
This will help lift the lid on what has traditionally, like all forms of fraud, been a topic that companies are reluctant to admit to. Brushing it under the carpet was seen as the best way to limit reputational damage.
“Traditionally, the tendency has been not to share this information widely, because of the impact it can have on a business both reputationally and financially, but GDPR will change that, and not just GDPR, but lots of other regulatory requirements that are emerging around the world, such as in the US where a company must address the issue in its financial report,” says Daughton.
That is why cyber risk, previously seen as an IT issue, “is now seen as a business issue and increasingly a board-level issue”, he says.
And its importance is likely to grow. “The way cyber threats have been developing is such that on one side we are seeing enormous strides in technology, including cloud computing, artificial intelligence, automation and the internet of things, all of which are generating more data, and all of which are therefore increasing the vulnerability,” says Daughton.
“On the other, we are seeing cyber attackers becoming much more sophisticated and targeted in their approach. It’s the perfect storm.”
For businesses, getting it right requires investment in people, processes and technology. “Companies have cottoned on to the fact that it’s not possible to lock this down. It’s about being able to protect, detect, respond and recover. Companies are approaching the cyber threat much more broadly now. The view is: if it happens, what are we going to do to recover?”
Meanwhile, according to Tony Hughes, “The arrival of the GDPR and the associated penalties has certainly caught the attention of business leaders. Focus to date has been on good housekeeping of the ‘information estate’, with efforts being made to capture personal information in information registers.”
Hughes describes GDPR’s underlying principles of privacy by design and security by design as inseparable conjoined twins. “There is very little point in doing one if you are not doing the other. This is the bedrock of GDPR. Organisations have to look at what they are doing with cyber security that works for GDPR as well. GDPR is a great opportunity for organisations to take a look at cyber security and gain an understanding of what assets they have, both physical and data.”
The cyber security tech industry is experiencing something of a boom time, although a one-size-fits-all approach rarely works. KPMG, for instance, takes an approach dubbed “Cyber Resilience” that ensures businesses are supported at all times, including in a post-breach situation. “Our full offering is designed to help organisations identify, protect, detect, respond and recover from a cyber-related incident,” says Tony Hughes. “This involves the design of target operating models for cyber security in a business, IT audits, privacy management, core technology testing, forensic services, business-continuity planning and evolving and future technology risk.”
People are more important than technology when it comes to cyber security. Vigilance, therefore, has to be embedded into the culture of all organisations. “You need to turn your staff into centurions in the cyber battle,” says Tony Hughes. “Cyber security is about people, process, governance and technology. Everyone goes to work in the same way, to do the job as best we can. People don’t consider themselves to be at the front line in cyber security. There needs to be a lot more training to develop awareness of what nasty things look like. Companies also need to create an open culture. If you do something wrong it is much better to report it early. A cover-up only makes matters worse.”
“All organisations have to be breach-ready,” says Hughes. “Companies and their employees need to understand what to do in the minutes and hours after a breach. They need to have a business-continuity plan. They need to know how to respond to customers who might come after them for a GDPR breach.”
People can also be the first line of defence, Hughes adds. “It’s very important that people are made aware of threats, including bad actors, out there.”
The message has to be “think before you click”, says Hughes, who recalls a time when “you could identify the fraudulent emails pretty easily through the bad spelling and so on.” However, he goes on to point out that “the internet has allowed the bad actors to collaborate and become organised and pool knowledge, so their activities are becoming much more sophisticated. People need to be aware of that so they are not caught out.”
The other issue he points to is people’s demand to conduct almost every aspect of their lives online. “The current generation of millennials has grown up with digital services and they want everything online and they want it to happen instantly. They want to be able to open bank accounts, buy tickets, do shopping and so on, all instantly. That presents challenges. How do you make these things secure when they happen in the blink of an eye? We have to look at new forms of biometric security like fingerprint-, iris- and face-recognition that mobile phone makers are looking at.
“The human has to be first port of call though. Organisations have to work to make the human the strongest link in the cyber security chain. You can’t rely on a black box for security – you have to link it back to people and support them with governance, processes and technology.”
Hughes notes that personal information has potentially significant value, and this is naturally attractive to cyber criminals. The question comes down to how to protect it from them. “Is trying to keep everyone and everything out the way to go?” he asks. “The experts talk a lot about fruit and vegetables in this regard. There is the coconut approach, which protects everything inside a hard shell. Then there is the onion, where people get bored peeling the layers of skin. And then there is the avocado, where you just protect what lies at the heart of the matter. GDPR offers the opportunity to look at the data you hold and decide on the best way to protect it.”
He doesn’t necessarily perceive GDPR as a problem for organisations. “It’s a good time to get clarity and to establish what’s important. You’ve got to know what you have. If you can’t show people what data you have been holding on them you are not going to be able to mitigate the fine in the event of a breach. The GDPR should help organisations become more secure.”
While the C-suite is well aware of the potential risks, boards often don’t understand how to structure their organisations to deal with cyber security, says Hughes. “They know it’s a thing but they may run scared of it. We try to break it down into three things for businesses – people, process and technology. By people I mean governance – the right people in the right positions; they then need to support those people with the processes, policies and procedures, and only then do you think about the technology, as that underpins the processes and the people. However, a lot of boards put money in, they buy that black box and as long as it flashes and they are not being attacked, well and good.”
It need not cost the earth to protect against attacks, says Hughes. “Businesses need to look at their digital assets, which can be information but also appliances. Most important is their information – that is the life blood of any business. The cost of recreating that is very costly. It can cost very little if you have the right people in place. Identify the bad actors, who has access to the information and what can they do with it? All boards should be breach-ready; they have to understand, in the minutes and hours after an attack, what do they do?”
The repercussions and reputational damage to a business cannot be overstated, concludes Hughes. “With social media, everyone is a paparazzo, so a company’s ability to respond quickly is critical.”
An extended version of this article appeared in The Irish Times and is reproduced here with their kind permission.