Why is GDPR only now making the board pay attention to cyber security?
Dr Guy Bunker, CTO, Clearswift, shows us how the recent, high profile GDPR fines are the reason board members are finally sitting up and taking note of data compliance.
Cyber security is a topic that still dominates the press and we are increasingly seeing global organisations put in the spotlight because of targeted breaches.
However, recent research from Clearswift has found that, although 70% of financial organisations in the UK have been hit by a data breach in the last 12 months, it is only the recent high-profile GDPR fines that have made boards sit up and take note of cyber security: 32% of respondents cited these fines as a primary reason for increased board-level involvement and/or provision for IT security spending.
One year on from GDPR coming into force, it is telling that boards are only sitting up and taking note after seeing the financial ramifications of a breach under the new regulation.
Recent fines against well-known brand names such as British Airways and Marriott International have clearly sent shockwaves through the financial industry, and while it’s a shame that such high-profile failings seem to have been what was required to make a difference to organisations’ thinking on compliance, this late reaction has the potential to be the catalyst for real change.
It would seem, based on these findings, that financial sanctions take precedence over perceived or statistical risk when it comes to implementing measures to mitigate cyber incidents.
For those that remember the 'Y2K bug', which appeared to be a damp squib with virtually zero fallout on the day, the same scepticism seems to have been applied to GDPR: would the regulators really fine organisations for a breach? In the case of Y2K, the lack of fallout was due to preparation, whereas a lackadaisical approach to GDPR has had quite the opposite effect.
The research highlighted that the ICO's recent judgements, a proposed £183m fine for BA and a proposed £99m fine for Marriott, were a key turning point for senior business decision makers within enterprise financial organisations in addressing their own cyber security. What appears to have happened here is that, by issuing such large 'intention to fine' notices, the ICO has delivered the message that it is not afraid to reprimand household names.
As a result, businesses across the financial sector have realised that there is an urgent need to make sure they are complying with the necessary regulations. In short, businesses don’t want to hang around and wait to see how the ICO will handle similar cases – they would rather invest now to avoid a future penalty.
It is, of course, one thing to state your company's commitment to GDPR compliance, and quite another to 'put your money where your mouth is', and this rings truer than ever in this instance. Financial organisations have finally understood the ramifications of suffering a cyber incident and the need to increase spending on cyber security.
When asked about spending levels, the majority of the financial businesses surveyed (73%) said they would like to see an increase in cyber security investment. Additionally, almost one in five (17%) of the UK firms surveyed reported that their budgets currently stood 'well below the adequate level'.
Fortunately, this figure dropped dramatically (to 5%) among firms with over 5,000 employees, a possible sign that larger firms have already made additional investment to deal with the increasingly dynamic cyber threat landscape. This supports the idea that 'finance trumps all': those companies with the most to lose have been quicker to batten down the hatches.
Regardless of business size, the recent high-profile GDPR fines have also highlighted the need for organisations to make cyber security education a priority. Employees who are not aware of the risks may inadvertently allow malware to be installed on the corporate network.
Employee error also featured prominently in the data, with almost half (42%) of the cyber security incidents reported in the last 12 months originating from employees failing to follow security protocol or data protection policies.
Investment in cyber security technology, whilst a crucial layer in any firm's defences, is only one element of the 'safety net'. The education of employees is key to long-term sustainable change, and proper training in how to carry out routine processes without putting sensitive data at risk is vital.
It is worth remembering that a proportion of any cyber security investment should go towards ensuring individuals are not just aware of, but also adequately drilled in, how to handle all data traversing the organisation's network.
Having seen the ICO bare its teeth, organisations are finally paying attention to the seriousness of compliance and data breaches and are looking to shore up their cyber defences.
A wake-up call like this, even though it's financially motivated, is enough for board members in the financial sector to realise that more time, effort and investment is needed to secure customer data and mitigate today's biggest cyber threats.