New statistics from the UK government’s Department for Digital, Culture, Media and Sport (DCMS) have shown a reduction in the percentage of businesses suffering a cyberbreach or attack in the last year.
The 2019 Cyber Security Breaches Survey shows that 32% of businesses identified a cyberattack in the last 12 months – down from 43% the previous year.
The reduction, the government says, is partly due to the introduction of tough new data laws under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).
A total of 30% of businesses and 36% of charities have made changes to their cybersecurity policies and processes as a result of GDPR coming into force in May 2018.
However, among those businesses that did identify attacks, the median number of breaches or attacks has risen from four in 2018 to six in 2019. Organisations that are hit, therefore, appear to be hit more often than in previous years.
Where a breach has resulted in a loss of data or assets, the average cost of a cyberattack on a business has gone up by more than £1,000 since 2018 to £4,180. Business leaders are now being urged to do more to protect themselves against cybercrime.
The most common breaches or attacks were phishing emails, followed by others impersonating the organisation online, and viruses or other malware, including ransomware.
Digital Minister Margot James said: “Following the introduction of new data protection laws in the UK it’s encouraging to see that business and charity leaders are taking cybersecurity more seriously than ever before.
“However, with less than three in ten of those companies having trained staff to deal with cyberthreats, there’s still a long way to go to make sure that organisations are better protected.
“We know that tackling cyberthreats is not always at the top of businesses’ and charities’ list of things to do, but with the rising costs of attacks, it’s not something organisations can choose to ignore any longer.”
We spoke to industry experts about the impact of GDPR, one year on…
Riaan Badenhorst, General Manager at Kaspersky Lab Africa
The digital realm and its continued progression has led us into an age centred around data. Data is everywhere and companies realising the potential that data holds are implementing as many relevant strategies as possible, to use data, and its value, to their benefit.
The reality is that data is a valuable commodity, if utilised correctly. The more personal data a company holds, the more opportunity it has to analyse that data for the purpose of understanding its target audience, to better target and sell to consumers. And if one thinks about how convenient it is to deal with a brand or provider who actually understands their needs and offers the solution required, it’s a ‘win-win’ situation for all.
While digital offers so many benefits, it has also brought with it some risk and the realities of cybercrime, which seems to be growing in relevance, number and sophistication by the day. Unfortunately, the type of personal data that is useful to a business is also lucrative to the cybercriminal world and is targeted for cybercrimes.
Data ranging from loyalty programmes to payment data, and aspects like date of birth, medical records and anything a business uses to personalise the customer experience, is highly attractive to cybercriminals. In many cases, such data becomes a kind of criminal currency, exchanged and traded on the black markets of the Darknet.
Data subjects often don’t realise this, or how their data is being handled, or who has, or can gain, access to it. Over and above this, in some cases, organisations are careless about how data is being managed and shared. This creates ample opportunity for cybercriminals and cyberattacks of all kinds.
The General Data Protection Regulation (GDPR) was implemented as a means to address this challenge, among others, and to ensure that data is being safeguarded effectively for the protection of user information.
While there is now a regulatory step to follow, and of course some work required around this, considering how cybercrime is growing, and how it continues to affect and impact consumers across the globe, the regulation should not be seen as a hindrance.
Rather, it advocates the meticulous security and privacy of personal data, which is essential to the process of beating and/or minimising cybercrime.
For any cybersecurity provider worth its salt, the GDPR will in fact play a key role in supporting the cybersecurity industry’s principle of respecting and protecting people’s privacy.
Data protection should always be at the forefront of a business’s data related strategy. GDPR now makes the business more accountable but also supports the broader fight against cybercrime.
Alan Calder, CEO of Vigilant Software
Sadly, not what it should have been. The ICO has a 12 to 15-month investigation cycle, so it’s still dealing with regulatory action against breaches that happened under the old Data Protection Act.
What we got was a big drive up to and on May 25 where organisations tried to get something like GDPR compliance in place but in truth, from a regulatory standpoint, very little has since happened.
Many organisations are going ‘well we didn’t really need to do that, there’s no fines, there’s no regulation so we’ll just go back to what we were doing’, which means a lot of them are in for a nasty shock in a couple of months’ time when fines and so on start appearing.
Apart from an increase in the number of data breaches reported to the ICO in the UK, both by data controllers and through complaints from data subjects, the reality is that I don’t think we’ve seen any significant change in corporate behaviour.
I think most of the change is still to come, and that the maxim ‘the GDPR is a journey, not a destination’ will be proved true over the next three to five years.
If you look at the ICO’s website, you’ll see there’s new regulatory action being taken every month, so it’s not as though the ICO is not doing anything – it just takes time. If a breach is reported on May 26 2018, there’s no way you’ll get a decision and a fine much before June 2019, because the Information Commissioner has a backlog of investigations.
She must decide which ones to investigate and the ICO itself has a relatively small team so there’s a lot of organisations she doesn’t have time to investigate. She has to find out the truth, negotiate an outcome, issue it – and all that takes time.
Karl Lankford, Director, Solutions Engineering, BeyondTrust
One year on, GDPR still presents challenges for organisations as many are still not truly in compliance. A lot of companies continue to have problems due to the ever-increasing volume of data, which makes it increasingly challenging for businesses to get a complete view of where all data resides and who has access to it.
This can be compounded with an increase in outsourcing, merger and acquisition activity taking place frequently across sectors, creating increased uncertainty around data ownership in the new entities.
As such, organisations are in this unique, unenviable position where there is an ever-increasing volume of data, coupled with increasingly empowered consumers that understand why their data needs to be protected, resulting in amplified pressure to demonstrate compliance. Not only this, but the reputation and revenue of businesses is now on the line if they haven’t committed to a requisite long-term compliance strategy.
Due to this, businesses can’t rest and have to act quickly in demonstrating compliance. Google being fined €50m for failing to provide users with transparent and understandable information on its data use policies is testament to this. While such a fine isn’t necessarily a huge amount of money for a company of Google’s size, it’s still significant and serves as a clear warning to other organisations.
The impact of fines to high-profile businesses has brought GDPR into the limelight, massively increasing its awareness and understanding, not just among businesses but among consumers too.
The ICO published figures for Q2 of 2018/19. There was a total of 4,056 data security incident reports in this period vs 687 for the same period in Q2 2017/18. This increase is representative of a new, cautionary approach that makes it less likely for a breach to slip through the net.
Despite challenges in achieving compliance, GDPR is working and there are rewards to be reaped.
For businesses that have been able to demonstrate full transparency over consumers’ data and ensure its security over the past year, this becomes a huge competitive advantage.
As younger data-savvy generations become consumers of these products, such transparency demonstrated by companies will become ever-more important to them, influencing their loyalty and buying decisions.
Salvatore Sinno, Chief Security Architect, Unisys
GDPR introduced strong enforcement of compliance requirements, stressing the importance of creating trust that allows the digital economy to grow inside the European community. The objective was to bring consistency to the current data protection laws across EU member states and guide how organisations should store customer data and how they must respond in the event of a data breach.
From a consumer point of view, GDPR has proven to be a positive experience as the average customer has seen a drastic reduction of unsolicited email, mail or phone calls. In our experience, organisations that effectively planned their compliance strategy and reviewed their personal data processing capabilities have been able to use GDPR as an opportunity to streamline the value chain and identify new ways to provide customers with value-added services. For these organisations, GDPR has helped get their data processing in order and improve trust in their business.
However, have businesses implemented additional security controls to address the risk presented by personal data processing, such as accidental or unlawful destruction, loss, alteration and unauthorised disclosure?
One year on, we have seen an increase in the number of organisations requiring ad-hoc security expertise to carry out specific data protection impact assessments to evaluate the origin, the nature and the severity of the risks related to the processing of personal data. Moreover, GDPR is driving a new approach to security inside the data centre network and cloud environments, called zero trust. Effective zero trust implementation for GDPR adopts software-defined security solutions that use encryption to enable multiple ‘secure communities’ to share the same network without other groups being able to access – or even see – their workstations and servers.
In reality, GDPR was a huge task that took countless man-hours to ensure compliance. The critical challenge was to recruit or work with the right teams and trusted partners, as well as to source advice from industry bodies and government, to provide security capabilities, training, processes and strategy to match the new requirements.
Where organisations were able to choose the right partner and the proper security controls, GDPR has been a positive opportunity and has increased profitability by reducing overlapping and redundant processes. However, many organisations, especially small to medium business, are still transforming or assessing the way they handle personal data. For them, the journey has just started, but the clock is ticking to close these gaps.
Andrzej Kawalec, Director of Strategy & Technology, Europe, Optiv
A year ago, organisations were hurriedly reviewing policies, security procedures and mining their marketing databases in a desperate bid to be GDPR compliant before the deadline.
Following the deadline day, however, the conversation shifted to sustaining and maintaining the new processes and controls that had been implemented, and to looking at which areas within the organisation were still not GDPR compliant. This led companies to focus on how their teams operate and on educating them on privacy best practice, which had been overlooked before.
The industry held its breath to see how the EU would interpret the reporting and fine requirements, and who would be the first to face a 4% of global revenue fine. This didn’t materialise immediately but we’ve seen cases in Ireland and France that show regulatory bodies finding their feet in how they apply the law.
For many organisations, the year following GDPR has been focused on building organisational muscle memory to understand how to re-design and rebuild processes so that they can be GDPR compliant. For example, amidst the flurry of consent emails that were sent out, many organisations had concerns that they would be hit by requests to forget customer information or supply data, which would lead to tiresome system removals and processes.
This failed to materialise, however, and we’ve found that it hasn’t really happened at any significant scale. Consumers are not using the regulation to manage their data and privacy exposure as effectively as they could be, and it’s these kinds of learnings that are informing how organisations develop their processes in line with GDPR.
In regard to security incident response, a lot of time and effort went into ensuring any incident would be reported in the timeliest manner possible. As a result, we’ve seen organisations’ appetite for risk management and a resilient cyberoperations programme grow, and this is a direct result of GDPR.
Many still view GDPR as a cumbersome set of rules to follow, or to work around, but it’s more of a sea change in the way we talk about privacy. Viewed that way, organisations cannot simply ‘check the box’ to comply with these regulations and expect positive results anymore.
If we look broadly and globally at data privacy, GDPR has really been the tip of the iceberg. We are seeing major shifts in attitude, whether at government levels by proposed legislation or by the way businesses operate and reconsider what privacy means in this rapidly transforming digital world.