Data protection reform is quickly approaching, and companies of all sizes need to be fully aware of the changes about to affect the UK in terms of cyber crime and breach notifications.
A first proper look at the law is expected this side of Christmas, and security experts and law firms are bracing for impact.
Ross McKean, a lawyer at Olswang LLP, explained that the General Data Protection Regulation (GDPR) currently in draft form will mark a "fundamental change" in how data breaches are governed.
"There are proper teeth if you ignore this law and that's a big change," he said during an Oasis cyber security event at the Churchill War Rooms in London.
The law means that any controller or service provider that touches personal data must notify the authorities about any data breach or face revenue-based fines of up to two percent of turnover.
"This is a regulation. It is two years then, bang, it is law. There is not a particularly long window given that we have to go from tick box compliance to real compliance," he said.
"Changing the way the whole organisation deals with data, minimising what's collected and keeping it secure, requires a paramount change in the way we all engage with data."
Currently the Information Commissioner's Office can issue fines of up to £500,000 to firms found to be playing fast and loose with sensitive data. But these guidelines will become far more stringent in the new EU regulation in the wake of high-profile data breaches such as at Vodafone and TalkTalk.
"For the first time vendors are directly accountable, including with fines, under the regulation. In terms of data breach notification if there is a breach at a vendor they have to tell the customer and the controller individually," explained McKean.
No-one has seen the final text of the GDPR, but McKean said that well-placed sources suggest that if a business has taken steps to render data unintelligible there is no obligation to notify, referring specifically to encryption.
This would not have helped TalkTalk, which admitted that some of the data it lost was not encrypted, but many firms will take solace in this aspect of the law.
However, McKean explained that encryption is not a silver bullet. "There are plenty of examples where hackers have got in and stolen encryption keys, but it helps and it's certainly best practice," he said.
Furthermore, as data breaches increase, the most recent being major toy manufacturer VTech, McKean said it will become more important than ever to educate everyone in an organisation of the risks involved.
"It's really important to find something that resonates with as many people as possible in the business, from the board to middle management and right down to the new joiner," he said.
"There's so much coverage of this. Everyone is concerned about fraud and about their details being used fraudulently, so it's quite a fertile ground to build engagement. For the brave new world it's about doing the right thing but also about being seen to be doing the right thing."
A tailored response
Laura Aylward, senior investigative consultant at information security consultancy Context, explained that organisations need to have a more tailored response to combating cyber threats.
"In some cases you may have a very small team and in others a big team, you may outsource a lot of what you do, you may have multiple teams. Incident management teams vary across organisations and you should have a team that reflects your organisation's needs," she said.
"Fundamentally, regardless of the size or shape or name, the requirement of this team of people is to identify an incident or breach, categorise it and triage it to find out whether or not it's something that may lead to a major incident or data loss."
The tailored approach should be based on actual demand to better prioritise threats. "A common mistake is to hire all the people you can possibly afford with the budget, download any playbook you can find on the internet and buy every expensive black box to plug into your network," she said.
"Unless you are incredibly lucky you will probably fail because what you need to focus on instead is not just having all the people but having the right people at the right time.
"In my experience working with security operations centres, it is not necessarily the biggest or the best that achieve the most. It's about making sure you have the processes in place to actually respond [to threats]."
Nick Trim, founder and managing director of security firm Darktrace, warned that online threats and detection times are escalating out of control.
"A persistent human threat will always defeat firewall technologies. Traditional approaches have fundamentally failed to protect us," he said.
"There hasn't been a breach in the last five years on a company that hasn't invested heavily in existing technology, and we know that threats are evolving so rapidly that to try to keep up with a signature stack is probably fighting yesterday's battle."
"The idea that we can build a wall around our network that can keep out the threat as it persists today is a redundant assumption," he said.
Recent global breaches, including at Ashley Madison, the US Office of Personnel Management, Target and TalkTalk, have brought cyber attacks into the mainstream. The protection of sensitive data has never been more important as we quickly approach a new year and new regulation.