GDPR spurs companies to boost cybersecurity precautions

01 February 2018 Consultancy.uk

The rapidly approaching enforcement of the new General Data protection regulation in May 2018 has spurred companies across the UK to up their efforts to become compliant. A new study finds overlap between companies that have or are becoming compliant and improved cybersecurity behaviours – strengthening wider consumer and company data defences.

Cybersecurity has become an increasingly pressing issue, with businesses susceptible to various forms of attack – from direct hacks to social engineering. The threat landscape continues to evolve, with two major vulnerabilities, Meltdown and Spectre, recently uncovered, while attack vectors continue to rise. In terms of impact, one recent study placed global economic damage in the order of $440 billion, while businesses collectively foot a $280 billion bill for failures.

Given the risk to customers and clients from breaches of personal and sensitive information, governments in Europe developed the GDPR, which, when enforcement begins next May, impose stiff penalties on companies that do not meet compliance standards.

Connection between cybersecurity and GDPR

Readiness for the GDPR among businesses affected and cybersecurity complement each other – finds a new Marsh study, titled ‘GDPR Preparedness: An Indicator of Cyber Risk Management’, into current industry trends. The study involved 1,300 executives representing a range of industries and organisations worldwide.

The new legislation is one of the most sweeping changes to privacy rights and obligations to have taken place in years. The policy, which will significantly bolster EU residences’ rights regarding information about them, also offers a strong background for cybersecurity – with encryption becoming the norm while requirements for breach reporting (within 72 hours) bolsters event management capacities.

Attack not if but when

However, while being GDPR compliant creates a strong background posture for cybersecurity, current compliance levels remains relatively low – 8% say that they are currently fully compliance, while 57% say that they are developing a plan to become compliant, while 11% say that they have no plan.

The difference between companies that are fully compliant and have no plan in terms of key cybersecurity practices, is relatively stark. The number that have developed a cyber incident reporting plan stand at 49% for fully compliant and 10% with no plan, while for encrypted computers the difference is 69% and 38% respectively. Fully compliant firms were also found to be three times more likely to adopt some cybersecurity measures and four times more likely to adopt a cyber resilience measure.

Organisations continue to face considerable threat from the adversaries. In the past 12 months, 23% of respondents subject to the GDPR said that they were the victim of a successful cyberattack. Opening them up, when such breaches affect users’ privacy, in potentially stiff fines.

Organisation preparation levels by preparation level

The new rules will push companies to as best they can, to prepare their businesses for a more robust care for the rights of customers to privacy and personal security. The companies preparing themselves for compliance with the GDPR were also found to investing more to address cybersecurity related risks than companies with no plan. 78% of respondents in ‘compliance or developing a plan’ said that they have increased spending, while 18% say that spending is flat – for the no plan group spending increases stood at 52% while 38% said that it remained flat.

In terms of the completion of 14 key cyber risk actions taken by the different groups, the ‘compliance or developing a plan’ was much more likely than the ‘no plan’ group to have completed 10-14 actions, 22% and 9% respectively, while in the 4-9 actions segment, 54% and 36% respectively were said to be completed. A large number of ‘no plan’ respondents, 47%, have completed 0-3 steps.

Adoption of cybersecurity behaviours and techniques

The GDPR has also structured companies seeking to become compliant into various cybersecurity risk management actions. For instance, when comparing companies that have no plan and those that say that they are compliant or are developing a GDPR plan, 38% verses 56% said that they encrypt organisational desktop and laptops – something explicitly encouraged by the GDPR. While 17% and 56% said that they have engaged in penetration testing, something strongly implied by the GDPR.

Other cybersecurity management actions include conducting a cybersecurity gap assessment, cited by 38% and 67% respectively, and implementing / enhancing phishing awareness training for employees, cited by 50% and 66% respectively.

×

Boards of top UK firms must do more on cyber-awareness

06 March 2019 Consultancy.uk

A new report released by the UK Government has found that UK businesses need to do more to build awareness in their firms, if they are to fend off cyber-attackers. The study found that an all-time high of 72% of businesses now see cyber-threats as a top risk, but just less than half of UK boards do not have a comprehensive understanding of the critical assets at risk from cyber-attacks.

Digital technology has revolutionised modern business, with a rate of innovation present in many companies that arguably eclipses that of the industrial revolution. The huge opportunities presented by technology mean that many firms have rushed to digitalise their offerings; but while this means they are able to take advantage  of the latest trends, it has also opened innumerable doors for cyber-criminals looking to use technology to loot corporations from across the globe.

Illustrating the extent to which cyber-crime has boomed in the last decade, in the final quarter of 2018, a study commissioned by Bromium and presented by Dr. Michael McGuire at RSA found that the cyber-crime economy has grown to an estimated $1.5 trillion dollars annually. That is only a conservative estimate – but that conservative figure alone is so large that if it constituted a national GDP, instead of a collection of digital frauds, it would be the world’s 13th largest economy.

Amid this state of play, it is easy to see why cyber-security has become one of the key watchwords of any board room in the 21st century. The cyber-security consulting segment has boomed, with the world’s 10 largest operators in the segment bringing in more than $11 billion in related fees, as businesses tap external expertise to help find areas where they can improve their defences. As noted by a new UK Government report, the legacy of this spike in consulting activity is that almost all UK businesses now have a cyber-security strategy, with only 4% admitting otherwise. 

Cyber threats are increasingly seen as high risk in comparison to other risks that businesses face

This comes at the end of a sea-change in attitudes toward cyber-security over the last five years. According to the 2018 FTSE 350 Cyber Governance Health Check, in 2013, the largest minority of businesses felt cyber-threats represented a low operational risk, at 38%, compared to just 25% who saw it as a very high group risk. Now, the two opinions have seen a dramatic reversal, with only 6% seeing cyber-security as a low threat, compared to a huge 72% of businesses which see it as a very high risk. Considering the high profile hacks that occurred in the interim, this is perhaps not that surprising.

However, while cyber-awareness in general is at an all-time high, this is where the positive news ends. According to the study, while the vast majority of firms in the UK have a cyber-security plan in place, only 46% have a dedicated budget to enact that strategy. Should their financial positions change rapidly in the near future – something increasingly likely with the prospect of a No Deal Brexit still looming over the horizon – then that plan could fall by the wayside, with the funding shortfall exposing firms to even greater financial damage in the near future.

The study, released by the Department for Digital, Culture, Media & Sport (DCMS) in March 2019, was undertaken in partnership with Winning Moves and support from EY, KPMGPwC and Deloitte, working with their FTSE 350 clients to participate in the survey. The study also found that while most businesses have incident response plans, most are not testing them: 95% of FTSE 350 businesses have an incident response, but a mere 57% test their crisis incident response plans regularly. With companies facing the consistently evolving threat of cyber-attacks, that could leave major chinks in their armour undiscovered until it is too late.

Board understanding of business-critical assets

Similarly, many firms also seem oblivious to the threat posed by their wider supply chains, which if left unchecked, provide hackers with a blank cheque to access company data. A majority of boards do not recognise supply chain risks beyond the first tier, as 77% of FTSE 350 businesses told researchers they did not recognise the risks associated with businesses in the supply chain with whom they have no direct contact.

Meanwhile, almost half of UK boards do not understand the critical assets at risk from cyber-attacks. 54% of businesses in 2018 rated the board’s understanding of critical information, data assets and systems as comprehensive, while of that, only 12% said understanding was the best it could be. This compares to 43% of boards in 2017 and 32% in 2015/16 stating they had a clear understanding, suggesting that key progress is being made, but also that there is a great deal of room for improvement.

Commenting on the findings, Digital Minister Margot James said, “We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber-attack. This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber-security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”