Any business leader has issues that keep them awake at night, and in recent years the threat of a data breach has risen steadily up that list. Not only are almost all business operations now conducted online, but the consequences of mishandling or losing data are becoming more and more severe. Earlier this year the World Economic Forum's (WEF) Global Risks Report 2018 listed cyber attacks among the five most likely risks facing the world in 2018.
This isn't going to come as a surprise to many. Over the last few years, cyber crime has moved into the public consciousness thanks to global headlines on attacks such as WannaCry and data breaches at large companies like Equifax and Target. These instances have shown that it's not just organisations' bottom-lines that are negatively impacted; it can also be devastating for the innocent individuals caught up in the aftermath. From identity theft to cancelled operations, and from cash-drained bank accounts to the lights going out - the consequences from different acts of cyber crime are wide-reaching.
Clearly the threat requires a response. Organisations handling any kind of personal or otherwise sensitive data must protect it as well as they can in order to minimise the risk. There will always be the possibility of an attacker getting in, or of a particularly rushed employee emailing the wrong spreadsheet to the wrong person, but there is also a clear effort and expense involved in ensuring that systems and data are adequately defended. Additionally, we need to overcome the widespread and mistaken mentality of 'It won't happen to me, so why bother?', which leads plenty of organisations to bury their heads in the sand and do only the bare minimum.
In response, governments and lawmakers have decided that the threat of punitive penalties must be used to encourage greater responsibility. The EU General Data Protection Regulation (GDPR) finally takes effect this year and includes potentially massive fines for data breaches and other failures to comply (up to €20 million, or four per cent of annual global turnover, whichever is greater).
Separately to this legislation, the UK Government announced earlier in the year that firms in critical industries - such as energy, transport, water and health - could face fines of up to £17 million if they fail to protect themselves effectively from cyber-attacks. Clearly, a measure that had previously been described as a ‘last resort' is now the go-to method for encouraging organisations to up their game.
Of course, the threat of penalties tends to be an effective way of steering people in the right direction, especially when tied to regulation. Since the GDPR compliance deadline was announced, thousands of organisations have been forced to take a long hard look at their data protection practices and, one assumes, to improve their security infrastructure and guidelines (although only time will tell how effectively this has been done, and we'll be keeping a careful eye on the fines and warnings issued by the Information Commissioner's Office (ICO) from May 25th onwards). However, by focusing too much on punitive consequences - and, as a result, on the public exposure of failures - we run the risk of creating a culture in which organisations simply follow a tick-box process in reaction to specific regulations, rather than taking positive steps to improve their overall security posture. Given the rate at which technology changes, new risks appear constantly, and focusing only on the areas that may result in penalties will leave many threat vectors exposed.