Cybersecurity is the single biggest risk organisations are likely to face over the next year, according to the European Confederation of Institutes of Internal Auditing’s (ECIIA) annual Risk in Focus 2019 report. While the related topics of data security and compliance were not considered by many companies to be the most important, they were rated within the top five more consistently than any other risk apart from cybersecurity.
According to Cybersecurity Ventures, a publication which researches and reports on online crime, the global cost of damage resulting from cybercrime is expected to double to $6 trillion between 2015 and 2021. Malicious actors are becoming ever more sophisticated, whether they are organised criminals or even nation states, with IT security in a constant race to anticipate and address the evolving threats as they emerge.
The ECIIA says that companies are now moving away from legacy systems and are making good use of penetration testing and ethical hacking to ensure their systems are being brought up to standard. However, this has simply led to hackers attempting to exploit systems in other ways, often by targeting key suppliers or technology partners. Last year, instances of malware being injected into supply chains grew by 200 per cent, according to the internet security company Symantec. It is therefore increasingly incumbent on organisations to examine their own connections and relationships with suppliers, since their network is only as strong as the weakest link in the chain.
Cloud-based risk rises
According to the report, cybersecurity risk has also increased as cloud-based services have grown in popularity, with Microsoft reporting a four-fold increase in attacks on its customers’ Azure cloud-based accounts in 2017. While the technology and security of the cloud servers themselves are capable of withstanding powerful cyber-attacks, the majority of data theft has come as a result of easily guessable passwords, followed by phishing attacks and breaches of third-party services.
The ECIIA recommends that organisations should assess whether they have moved away from legacy systems to a more robust, harmonious IT system that has been developed with security as a core consideration. Risk managers should ask if there is strong governance, procurement oversight and development of networks and infrastructure, whether the system is sufficiently capable of detecting possible breaches and how robust security and password management are when it comes to cloud services. Finally, it is just as important to make sure suppliers and business partners have at least an equally strong approach to cybersecurity.
Dynamic data protection
Under the EU’s General Data Protection Regulation (GDPR), both the data controller and data processor are jointly and severally liable for any damage caused by a data breach. The consequences can be severe – apart from punitive fines of up to €20 million or 4 per cent of annual turnover, the EU can freeze business operations to prevent further data processing, resulting in significant disruption and loss of value.
In addition, this May saw China publish detailed guidance for compliance with its own cybersecurity law, which came into force in 2016. While it is largely inspired by GDPR, any companies that deal with the personal data of Chinese citizens should closely examine whether they meet the new regulations. Similarly, US firms wishing to share EU data must be certified under the EU-US Privacy Shield scheme.
A number of high-profile scandals have unfolded in the last 12 months around the theft or misuse of personal data, putting the issue at the forefront of both the news agenda and consumer awareness. However, according to TrustArc, a privacy compliance and data protection consultancy, only 27 per cent of businesses in the EU reported being compliant a month after the new regulations came into force. While 93 per cent expect to have rectified this by the end of next year, compliance with international data standards is now a matter of both regulation and reputation.
Just as cybersecurity has changed as companies and their ecosystems develop, so data compliance will require a similarly dynamic approach. The amount of personal data being generated, captured and analysed will only increase in the coming years, meaning companies must develop robust data strategies and governance, allowing them to revisit the issue of compliance as it evolves.
The key questions risk managers ask about data compliance should not be limited to GDPR, but should also cover international standards such as China’s Personal Information Security Specification or the EU-US Privacy Shield scheme. Is the organisation secure in terms of how sensitive data is shared and secured, and are senior management fully aware of the need to remain compliant? Is there a data strategy, and do the compliance and data management functions communicate to ensure any company changes continue to comply with the relevant regulations?
Data offers businesses an unprecedented level of opportunity and growth. But eternal vigilance is now the price organisations must pay to use it.