I wonder how many C-level managers went into this May Bank Holiday with a degree of trepidation. Not because the GDPR happened to come into force on a Friday ahead of a long weekend, but because of the build-up of anticipation about what happens next.
Organisations large and small have been dutifully following the guidance published by the ICO. Now that the regulatory change is behind us, what has happened since? It remains to be seen who will be the first to fall to the GDPR sword. What is already clear to CEOs is that a breach affecting their organisation is not a matter of if, but of when.
Research shows that cyber threats are growing in complexity and sophistication. Well-funded criminal gangs, state-sponsored attackers, and those who breach security to publicise an organisation's weaknesses and inflict reputational damage all aim to compromise data.
We increasingly see attackers infiltrating organisations from within, gaining access to their systems in order to understand their operations and plan the most effective breach. Many in cyber security roles would agree that an organisation's security posture depends on its people at least as much as on its technical controls and threat countermeasures.
Recent analyses of the cyber security threat landscape show that no industry segment is immune to cyber attacks, and that the public sector tops the list for targeted security incidents. This is largely attributed to organisational cyber security culture and the mindset of employees. The ICO's data security incident figures for Q4 2017-18 show a 31% increase in reported data breaches (from 74 to 97). The healthcare sector reported a 21% rise in the number of incidents, largely due to insider errors such as data being posted or faxed to the wrong recipient, loss or theft of paperwork, and data emailed to the wrong recipient. Reported incidents in the education sector rose by around a third (from 96 to 127). Charities reported a significant increase, up 69%, again caused by employees emailing data to the wrong recipients.
While no industry is immune to a data breach, the financial sector year on year experiences the highest volume of cyber breaches aimed at financial gain or espionage. According to the EY Cyber Security Survey (2018), organisations expect their cyber security budgets to double in the coming year. Another key insight from the survey is that only 12% of organisations are confident in their ability to detect a sophisticated cyber attack. The pace of technological change presents a particular challenge: organisations must keep their systems up to date while also keeping pace with the evolving security risks that come with them.
Irrespective of industry, the attack typically begins with social engineering of the weakest link in the security chain: people. Over 77% of organisations state that a careless employee is the most likely source of a security incident.
The threats posed by employee error are, in many cases, preventable. The GDPR places an extra level of responsibility on organisations for incidents such as data being sent to the wrong address. Insider threats can also stem from malicious intent, although the latest ICO report identifies accidental loss of data as the most prevalent cause of data breaches. The GDPR highlights the importance of ensuring that employees who handle sensitive data are appropriately trained and have a reasonably good understanding of cyber security practices.
It remains to be seen whether the GDPR will be effective in changing the way companies approach data protection, and whether the financial penalties that can now be imposed will make them more diligent. The GDPR may well encourage organisations to nurture behavioural change among their employees. Most people want to do the right thing; by combining regulation with nudges and awareness, organisations and their employees can work together to build secure cyber environments.
Source: EY Report
Professor Vladlena Benson leads the Cybersecurity & Criminology Centre at UWL and holds the role of Academic Relations and Research Director at ISACA LC. Prof Benson's research areas cover information privacy; cyber victimisation; gender and cultural differences in online behaviour; digital rights; and the cyber vulnerability of young people. Her work also relates to religious orientation, digital behaviour and privacy on social media. Vladlena publishes widely in top-ranked IS journals and has authored a series of books on cyber security. Professor Benson's research has been covered by the press, and she writes for the Independent on cyber security and privacy issues. She is a strong advocate for increasing diversity; as a result of her work in this area, Prof Benson was recognised at the Women in IT Awards 2017 for helping to develop career opportunities for women in cyber security.