With data breaches in the news on a weekly basis, and GDPR, the EU’s new data-protection regulations due to take hold on May 25th, cyber security has moved centre stage.
“Unfortunately, events such as that between Facebook and Cambridge Analytica are becoming ubiquitous and the only positive side is that, with each one, awareness grows,” says Brían Gartlan, partner, risk and advisory services at BDO.
“Likewise, increased prevalence of ransomware attacks has seen companies that thought they were flying under the radar in terms of not being a likely target become much more concerned about the possibility.”
The result is a more proactive approach. Increased awareness of things like phishing or email fraud, where a communication appears to come via a trusted colleague, is encouraging organisations to run tests of their own.
One of the ways this is done is through the running of regular simulated exercises, sending out an email to everybody and seeing who clicks on the link. “It will be an email that looks like it’s from someone senior, but if you look closely enough you’ll see that in fact it’s a bit different,” says Gartlan.
Up to 15 per cent of people will click the link, according to John Bolger, senior manager, risk and advisory services at BDO. “Typically, the first few people get caught and word spreads to colleagues, but that’s good too because it helps raise awareness,” he says.
The advent of GDPR, compliance with which must be met by May 25th, is bringing similar attention to data risk. “We are getting calls from across the sectoral spectrum, from estate agents to pharmacies to industry membership bodies, colleges and healthcare facilities, all of which are now realising just how much client data they hold and recognising the reputational and possible financial damage they risk,” says Gartlan.
Penalties
GDPR breaches can result in penalties of up to €20 million, or 4 per cent of a business’s turnover. The risk of a breach isn’t just technical but cultural too. “People need to know that what they do outside of work can have a bearing,” says Gartlan.
For example, a staff member may visit a retail website that is poorly protected, and for which they use a password similar to the one they use at work.
Hackers who break into one account can then figure out a way into the other, gaining access perhaps to the person’s emails, contact information and even the writing style and terminology that could be used to make a fraudulent email look authentic.
“So for the recipient, the fraudulent email is coming from your address, sounds like you and can wreak havoc, especially if you’re getting an email from someone like a managing partner. It’s a way to get in the back door of a business and these days it’s very easy to see where people work,” says Gartlan.
The rewards for the hacker can be huge. “We have seen cases where hundreds of thousands of euro were lost to this kind of engineering of legitimate accounts. And while there are very strong technical solutions available, the weakness is still in human behaviour. Thankfully, the hacker’s job is getting more difficult as people become more aware,” says Gartlan.
Large corporate clients can also avail of BDO’s cyber-security centres in Norway, Israel and the US. By monitoring web chatter, these centres can identify sectors and even individual organisations that are in hackers’ sights before they strike.
“It’s really cutting-edge stuff which can pre-empt an attack. They also run ‘war games’, whereby they simulate an attack because people are much better at responding if they have been through a procedure,” says Gartlan.
While GDPR has helped concentrate minds in relation to data risk, the May 25th deadline is not a finish but a start line.
“It’s a journey, not a destination,” says Mike Daughton, a partner in KPMG’s Risk Consulting practice.
“It’s about how people are going to have proper procedures in place after May 25th to allow them to monitor and maintain compliance.”
Compliance is about figuring out what personal data you hold, why you hold it, what you do with it, who you share it with, how long you keep it and where it is stored. It brings with it mandatory data-breach reporting to the Data Protection Commissioner within 72 hours, another new requirement for businesses.
Limit reputational damage
This will help lift the lid on what has traditionally, like all forms of fraud, been a topic that companies are reluctant to admit to. Brushing it under the carpet was seen as the best way to limit reputational damage.
“Traditionally, the tendency has been not to share this information widely, because of the impact it can have on a business both reputationally and financially, but GDPR will change that, and not just GDPR, but lots of other regulatory requirements that are emerging around the world, such as in the US, where a company must address the issue in its financial report,” says Daughton.
This is why cyber risk, previously seen as an IT issue, “is now seen as a business issue and increasingly a board-level issue”, he says.
And its importance is likely to grow. “The way cyber threats have been developing is such that on one side we are seeing enormous strides in technology, including cloud computing, artificial intelligence, automation and the internet of things, all of which are generating more data, and all of which are therefore increasing the vulnerability,” says Daughton.
“On the other, we are seeing cyber attackers becoming much more sophisticated and targeted in their approach. It’s the perfect storm.”
For businesses, getting it right requires investment in people, processes and technology. “Companies have cottoned on to the fact that it’s not possible to lock this down. It’s about being able to protect, detect, respond and recover. Companies are approaching the cyber threat much more broadly now. The view is: if it happens, what are we going to do to recover?”