This will be the year where organisations appoint dedicated cyber security and data breach reporting officers, as part of their legal compliance obligations, a lawyer predicts.
Dan Hyde, a partner at the London law firm Howard Kennedy, says that increasing fines and prosecutions for cyber breaches will force businesses and organisations to take greater steps to tackle rising cyber attacks.
Dan Hyde, pictured, said: “2015 saw some of the biggest data hacks to date costing the global economy some US$400bn, highlighting the inability of companies to properly guard valuable entrusted data. The consumer has a right to expect organisations that require the provision of personal information to properly safeguard it. Dedicated cyber security and data breach reporting officers will inevitably become the global norm for businesses that are vulnerable to attack.”
The European Union (EU) has been tinkering with, but has not yet brought in, a single Europe-wide Data Protection Directive that would equalise regulation across all EU states. When in force this will force organisations to formally report data breaches and beef up cyber security to ensure adequate protection is in place.
Dan adds: “Fines for non-compliance could, if the EU gets its way, be as much as 5pc of an organisation’s entire turnover. In the US, federal agencies are prosecuting firms where sub-standard cyber security may have contributed to a data breach, and I confidently predict that the UK will soon see companies appointing cyber security and data breach reporting officers as part of their compliance obligations.”
Dan Hyde is the author of ‘Cyber Law – Corporate Defence Against Cyber Crime’, due to be published by Jordans, the specialist law publisher, in summer 2016.
Separately, on the EU’s upcoming adoption of the General Data Protection Regulation, Stewart Room, PwC partner and head of PwC Legal’s data privacy and protection practice, warned that business is not prepared for the complex legal changes to compliance and risks heavy financial penalties and a wave of litigation. What he called a landmark piece of legislation is important because of what it seeks to do by assisting people to gain more control over their personal data, which is also a vital asset of the global economy. Some of our largest multinationals as well as public entities could face penalties worth many millions in pounds or euros, he said, as organisations are forced to publicly disclose any security and confidentiality breaches to the regulators and the people affected.
Room said: “The scale and breadth of the changes to privacy rules will deliver unprecedented challenges for business and every entity that holds or uses European personal data both inside and outside the EU. Most companies will be shocked at the scale of the new rules and the work that needs to be done before the laws take effect in two years – it is not much time for the magnitude of internal changes that will be required. Compliance costs will also be high, in some cases tens of millions of pounds, for large entities.
“Major retailers, the banking sector, and any entity that is aiming their marketing and promotion to consumers are especially at risk, as is any entity that uses data around children. Technology companies will also be in the firing line.
“New enhanced rights for people over their personal data may also unleash a wave of legal action and compensation claims against entities that will face new rights including the Right to be Forgotten – so that personal data is deleted and destroyed by organisations.
“Obtaining consent to use personal data is also about to become a lot harder for companies; as well as new requirements to assess the risks to personal data and privacy.
“Business will also face greater scrutiny from the European data protection regulators as new powers enable them to shape how personal data are used.”
And David Ferbrache, the new Technical Director at audit firm KPMG’s cyber security practice, points to the recent field trial by the Office for National Statistics that suggested there could have been over 7.5 million cyber offences against individuals a year. The year 2016 will see cybercrime finally find its place in our official statistics. He says: “I doubt that even the headline-grabbing statistics which follow will capture the true scale of cybercrime – with many crimes against organisations remaining unreported.
“Extortion attacks have been making a comeback with criminals demanding significant sums for suspending denial of service attacks against targets; not going public with stolen data; and of course providing a ‘service’ which grants access to a ‘client’s’ data which they had previously hacked and encrypted. Although security firms and law enforcement have become savvier in disrupting the infrastructure being used by organised crime groups, cyber criminals continue to search for new ways to turn other people’s information into money.
“While phishing attacks, banking Trojans and large-scale low-value cash-outs have characterised the last 10 years of cybercrime, new techniques are becoming part of the criminal arsenal while firms invest more and more in cyber threat intelligence in the hope of keeping up. In 2016 we predict that organised crime groups will become increasingly selective in targeting high net worth individuals, corporate treasuries and commercial bank accounts; as well as looking for new ways to profit. The recent US indictments of alleged market hackers show just how sophisticated manipulation of markets has become – whether through front-running stocks using stolen market-sensitive information, or pump and dump schemes using personal data acquired in bulk from unsuspecting banks, insurers and even governments.
“2015 has topped 2014’s unenviable record of bulk data breaches with some of the most serious large-scale disclosures of personal information.”
Unfortunately this trend is likely to continue in 2016, with David Ferbrache suggesting that the patience of regulators is beginning to wear thin and there is a growing drive for transparency around business’ approach to cyber security.
“The much lobbied EU General Data Protection Regulation and the EU Network and Information Security Directives are likely to be finally agreed in 2016, firing the starting pistol for governments and firms to implement within two years. Together these EU interventions set the scene for greater transparency around data breaches, a more robust data protection stance and a Europe-wide nudge towards greater cyber security regulation.
“While large international firms are no strangers to an increasingly complex and uncoordinated global tapestry of national cyber security initiatives, smaller firms are likely to come under increasing pressure in 2016 as their larger cousins embed cyber security requirements into their contracting and procurement processes – fuelling both a supply chain security industry and the growth of third party cyber insurance.
“The expected launch of a new National Cyber Security Strategy in 2016 has the potential to signal a new relationship between UK governance and industry, with the new National Cyber Centre at its heart. In 2016 we can only hope for a nuanced approach to regulation which works with the risk mechanisms in the markets to drive the right behaviours and address the current market failure around cyber security.”
Terrorism may spill over to the cyber world, as was raised by the Chancellor George Osborne when he spoke at GCHQ recently, as featured in the January 2016 print issue of Professional Security.
David Ferbrache says: “Terrorist organisations are becoming more and more tech savvy, exploiting the internet for propaganda, radicalisation and communications. Often seen as the dog which hasn’t yet barked, it seems inevitable that such terrorist groups will explore and exploit cyber attacks. While these attacks are likely to lack the visceral impact of the tragic bombings and shootings which have become all too common, they are likely to become more frequent in our increasingly interconnected and interdependent world.
“2016 is likely to be the year that cyber resilience starts to matter more than just cyber protection, as governments worry about systemic risks from cyber attacks and critical infrastructure firms start to pay more attention to just how resilient their business models really are to these new threats. The NIST cyber security framework will succeed in becoming the de facto yardstick for cyber security amongst such firms.”
David Ferbrache suggests that businesses of all sizes need to look beyond cyber security as a technical issue, and start preparing for some worst cases.
“This year cyber security has been grabbing the headlines following many high-profile data breaches – expect that to continue into 2016. Firms are finally beginning to recognise that a determined and well-resourced adversary will find a way to breach their cyber protection regardless of the robustness of their defences. This is leading to firms focusing more on the data and systems that are most critical to their operations and how to reduce the risk to those assets.
“Many businesses now accept the likelihood of a data breach and are turning their attention to what a cyber incident might actually mean for their business, and just how they can restore and maintain client and customer confidence if and when they are hit – an issue for the whole C-suite, not just the CIO.
“And finally, one prediction which we would dearly love to see come true, but we have a suspicion isn’t likely in 2016… maybe in a few years to come… Passwords are broken! They have become one of the weakest links in our security chain. People are being forced to adopt more and more convoluted passwords, while simultaneously trying to avoid the temptation to reuse those super-strong passwords. It is high time we moved to a more sophisticated approach to authenticating people which blends biometrics, behavioural analysis and contextual information rather than relying on knowledge of a single increasingly user-unfriendly password.”