By: Nicky Downing, CEO at Guideline Biztech
Cyber security is the process of protecting networks and devices from emerging risks and cyberattacks. The evolving nature of the digital landscape makes this potential threat critical to an organization, and information management has taken centre-stage as of late in terms of the potential risks associated with cyber security.
A mature cybersecurity system has multiple layers of defence spread across the organisation, but many organisations fail to understand the serious compliance and risk management implications of cyber and information security. The ever-growing threat it poses to the organisation in the pursuit of its overall business objectives and continuity cannot be overstated, with an estimated 10 billion cybersecurity events (breached records) occurring in the last year.
Cyber risk and compliance exposure, in the chaotic modern business world, is a complex mesh of vulnerabilities that crosses through different departments and functions within the business and its operations. The effect of a seemingly isolated information or cyber risk can soon become ubiquitous – causing trouble throughout all levels of the organisation.
In the context of GDPR alone, the momentum of increasing fines culminated in the data protection authority of the United Kingdom announcing its intent to impose significant fines against two companies for violations of the EU GDPR. The ICO had decided to levy a record £183.39 million (about R3.48 billion ZAR) fine against British Airways for GDPR violations relating to a 2018 data breach due to security failings, which exposed half a million customers to data harvesting from a fraudulent site. The UK’s information commissioner topped off the breaking news by urging caution, warning that similar fines could be levied unless organisations better protect the personal information and data of customers.
A day after the release of the fines levied against British Airways, it was announced that Marriott International faces up to a $124 million fine (about R1.836 billion ZAR) for GDPR violations relating to a significant breach within its Starwood Hotels and Resorts subsidiary. The breach is alleged to have affected over 300 million customers and guests globally.
Earlier this year, France’s CNIL (National Commission on Informatics and Liberty) announced a €50 million (about R956 million ZAR) fine levied against Google for failing to comply with the tough new privacy laws. Shortly afterwards, a report published in Germany stated that authorities there had levied 41 GDPR-related fines on organisations that were not compliant as of this past January.
These attacks, however, are not just a risk and compliance burden for large corporations. According to an annual study calculating cybersecurity costs holistically, 43% of online attacks are now aimed at small businesses and only 14% are prepared to combat a cyber breach – highlighting the need for organisations of all sizes to make cybersecurity a top priority. The consequences of a cyber incident for a small business are estimated to cost on average $200,000 (nearly R3 million ZAR), threatening to put 60% of affected small businesses out of business, or at least to leave the organisation in a financially dire situation.
An effective cyber-breach can cause serious structural damage to your organisation. The effects can range from reputational damage hurting consumer trust in your organisation, to compliance and financial effects that have serious implications for your organisation’s bottom line. The impact of a cybersecurity breach can be split into three categories:
- Financial. Cyber-attacks often result in substantial financial loss. Not only has corporate information likely been stolen (and possibly even financial information e.g. card and/or banking details), but the organisation will also generally incur costs associated with improving and repairing the affected networks and systems. Recent experience with new data privacy laws, such as GDPR, tells us that there is a serious financial cost to non-compliance within cybersecurity and data protection.
- Reputational. Trust is an essential element of building understanding within an organisation and its clientele. A cyber-breach can cause serious damage to your organisation’s reputation and erode the trust your customers have in you. This could, as a result, potentially lead to loss of customers, lower sales numbers, and, in turn, a reduction in profits. The possible effects can even have serious implications on any partners, investors, and third-parties with a vested interest in your organisation.
- Compliance. Data protection and privacy laws require you to manage the security of all personal data you hold – whether on your staff or your customers. If this data is accidentally or deliberately compromised, and you have failed to deploy appropriate security measures, you may face fines and regulatory sanctions.
The challenges of personal data protection/privacy are growing as organisations not only have to respond to the EU GDPR, but also to California’s Consumer Protection Act (CCPA), the New York Privacy Act (NYPA), South Africa’s Protection of Personal Information Act (POPIA), and more.
Although your organisation might not be headquartered in the jurisdiction of any of these laws, companies with a local operational presence in the EU, or with an offering directed at the EU, are subject to the GDPR’s territorial or extraterritorial reach. Consequently, such companies must work on complying with GDPR requirements. In practice, these companies have been required to comply with global data protection policies adopted by their global management, effectively requiring them to comply with many material aspects of GDPR.
It is becoming increasingly clear that this growing list of data protection and information management legislation presents a massive risk and compliance obstacle for organisations.
Organisations cannot rely only on managing and continuously monitoring cybersecurity. Unless this monitoring and management is part of an integrated strategy that approaches information security, risk and compliance from a holistic lens, the organisation’s actions won’t be truly effective and will fall short of meeting international standards.
The full scale of vulnerabilities and requirements that weigh down information and cybersecurity must be addressed in a standardised and well-established information management and cybersecurity architecture.
Questions to ponder
- When last was a penetration test performed to test your organisation’s network security?
- How can you collaborate with your IT department to raise continued awareness of Cybersecurity to both existing and new staff?
- What measures do you have in place to ensure that client information hosted by third parties is governed effectively?
- Have you completed a Cyber Risk | Information Security Maturity Assessment?