The GDPR and Boards of Directors: Paying Attention to Cyber Security

Dr Guy Bunker

Cyber security is a topic that’s consistently dominating the mainstream press and we’re seeing an increase in global organisations being put in the spotlight because of targeted breaches, writes Guy Bunker. However, recent research conducted by Clearswift has found that, although 70% of financial organisations in the UK have been hit by a data breach in the last 12 months, it’s only recent high-profile General Data Protection Regulation (GDPR) fines that have made Boards of Directors sit up and take note of cyber security, with 32% of respondents citing this as a primary reason for an increase in Board-level involvement and/or provision for additional IT security spending.

It has been well over a year since the GDPR was enforced. It’s interesting that it’s only after seeing the financial ramifications of a breach under the GDPR that Boards are sitting up and taking note. Recent fines against well-known brand names such as British Airways and Marriott International have clearly sent shockwaves through the financial industry, and while it’s a shame that such high-profile failings seem to have been the trigger for financial organisations to adjust their thinking on compliance, this late reaction has the potential to be the catalyst for real and beneficial change.

Based on our study findings, it would seem that financial sanctions take precedence over perceived or statistical risk when it comes to implementing measures to mitigate cyber incidents. For those that remember the Y2K bug, which appeared to be a damp squib with virtually zero fall-out on the day, the same thinking seems to have been applied to the GDPR: would the regulators really fine organisations for a breach? In the case of Y2K, the lack of fall-out was due to preparation, whereas a lackadaisical approach towards the GDPR ends up having quite the opposite effect.

The research highlighted that the Information Commissioner’s Office’s (ICO) recent judgements (ie a £183 million proposed fine for British Airways and a £99 million proposed fine for Marriott International) were a key turning point for senior business decision-makers within enterprise financial organisations in addressing their own cyber security. What appears to have happened here is that, by giving out such large ‘intentions to fine’ notices, the ICO has delivered a message that it’s not afraid to reprimand household names. As a result, businesses across the financial sector that hold a mass of sensitive citizen data have realised there’s an urgent need to make sure they’re complying with the necessary regulations.

In short, businesses don’t want to hang around and wait to see how the ICO will handle similar cases. Instead, they would rather invest now to avoid a future penalty.

Ramifications of cyber episodes

It is, of course, one thing to state your company’s commitment to GDPR compliance, but quite another to ‘put your money where your mouth is’. This seems to ring more true than ever in this instance. Financial organisations have finally understood the ramifications of suffering a serious cyber incident, it seems, and realise the need to increase spending on cyber security.

When asked about spending levels, the majority of the financial businesses surveyed argued they would like to see an increase in cyber security investment (73%). Additionally, almost one-in-five (17%) UK firms surveyed reported that their budgets currently stood ‘well below the adequate level’. Fortunately, this figure then dropped dramatically (to 5%) when looking at firms with over 5,000 employees, a possible sign that larger firms have already made additional investment to deal with the increasingly dynamic ‘cyber threatscape’. This supports the idea that ‘finance trumps all’, as those companies with the greatest deal to lose have been quicker to batten down the hatches.

Regardless of business size, the recent high-profile GDPR fines have also highlighted the need for organisations to make cyber security education a priority. If not aware of the risks, employees may inadvertently allow malicious code and malware to be installed on the corporate network. The threat of employees making a mistake was also prevalent in the data, with almost half (42%) of the cyber security incidents reported in the last 12 months originating from employees failing to follow security protocol or data protection policies.

While undoubtedly a crucial layer in any firm’s defences, investment in cyber security technology is only one element of the ‘safety net’. The education of employees is key to long-term sustainable change, and proper training in how to carry out routine processes without putting sensitive data at risk is vital. We would do well to remember that a proportion of any cyber security investment should go towards ensuring individuals are not just aware of, but also suitably educated in, how to handle all data traversing the organisation’s network.

Understanding information flows

As well as data leaving the organisation (accidentally or otherwise), receiving sensitive data without authorisation can also be a serious issue. Organisations need to better understand how information flows through the business and its supply network in order to tailor security solutions around how they operate. This will help them to identify where the risks are and deploy the best protection.

Having seen the ICO bare its teeth, organisations are now finally paying attention to the seriousness of compliance and data breaches and are looking to boost their cyber defences. Our research clearly illustrates that avoiding a hefty fine – and the subsequent damage to reputation and bad publicity that comes with it – is now a priority for Board members in the financial sector.

A wake-up call like this, even though it’s financially motivated, is enough for them to realise that more time, effort and investment is needed to secure customer data and mitigate today’s biggest cyber threats.

Dr Guy Bunker is CTO at Clearswift

About the Author
Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications) Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute's George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications' dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.