Business Leader Magazine attended the Stackhouse Poland cyber security event in London, where leading experts were brought together to discuss the General Data Protection Regulation (GDPR) and cyber security, and how businesses can best deal with these issues.
How can businesses best prepare against hacking?
Sandy Gilchrist (Director at Priviness): “The most important thing from a business’s internal governance perspective is to be prepared all the time and to put it on the agenda before it becomes the agenda.
“This means setting up processes and systems within your organisation to ensure that you are looking at this all the time. In addition to this, make sure you have the right training and that everything in the business is documented, because unless it is, you are in breach of GDPR as well as being susceptible to hacking.”
Sheona Wood (Partner at DWF Law): “It is also about investing in your IT infrastructure at the beginning, such as your firewalls and your anti-virus software. This means that you’re checking in real time for issues with activity, rather than waiting to be reactive once something happens.”
How many breaches are the result of accidental leakage within a business, i.e. data flowing out of a business inadvertently as opposed to through an external attack?
Oz Alashe MBE (CEO & founder of Cybsafe): “A high proportion of the information that we lose is shared, and that could range from an inadvertent email through to people losing laptops and mobile devices with data they thought was encrypted.”
Who should be responsible for tackling this issue in a business?
Geoff Keig (Head of Division at Stackhouse Poland): “To deal with this, the structure needs to be top-down. You will need a cascade arrangement, with somebody responsible at the very top of your business, on the board or otherwise, who has this as their remit.
“They will have a facility for checking hacker and breach activity and then you’ll have a day-to-day operation which they will not see, unless it is an emergency. This will help to keep you secure and up to date with regulations.”
Is the training of staff being taken seriously enough to deal with this issue?
Oz Alashe: “When it comes to the human aspect, we often gloss over it, and there is much more that can be done. If you ignore the impact your people could have, it could have a negative impact on your business. It’s being put on the agenda more due to GDPR, but not equipping your staff with the knowledge and best practice around this area is a bit like filling a bucket full of holes with water.”
GDPR comes into effect in May next year, and much is made of the maximum fine, which will be €20m or 4% of global turnover, whichever is the greater. How relevant are those numbers for all businesses?
Sandy Gilchrist: “They are relevant in terms of the law, but the law also says there is the principle of proportionality: it needs to be dissuasive to that business and others.
“If someone came along and knocked on your door and said there’s been a breach of GDPR because you haven’t notified the people on your database about how you are using their data, then that would be an example of a breach.
“A breach is not necessarily always due to hacking. But it’s unlikely you are going to be hit with a huge fine in the first instance, as the regulator would most likely issue a warning and say, I’ve looked at your processes and this is where the error lies, so rectify it.
“An example of a significant breach is TalkTalk, and because of how they announced and handled this they suffered a 50% reduction in their profits, a third of their share price was lost and thousands of employees lost their jobs; and to boot they got fined £400k (under GDPR it could have been £80 million).
“The only reason they were fined this amount was because it was the fourth time it had happened.
“The fines will obviously hurt businesses, but it’s also worth considering the damage that will be done to a business and its brand outside the courtroom. There is no proportionality here, as there is in the courtroom; instead it is emotive, and this is where businesses will get hurt.”
Sheona Wood: “When GDPR was being discussed and drafted, there was some suggestion that SME businesses would be let off, or given one warning, but that was quashed because the principle of protecting the data and individuals was so overwhelmingly paramount that the fines will be in place for all businesses.”
Oz Alashe: “Many of the elements included in GDPR are just good practice, and we’re gravitating towards brands that hold our information correctly. It’s the right thing to do, and to demonstrate you are adhering to GDPR will be a value creator rather than not.
“A report by PwC last month regarding data protection and regulations showed a 150% increase in fines in 2016 compared to the previous year and fines of £3.2m were issued. There is a general trend of this being taken more seriously.”
Sandy Gilchrist: “The ICO have said that they are treating May 25 2018 (this is when GDPR comes into effect) as a once in a lifetime opportunity to crack down on businesses that aren’t doing the right thing.
“They want to make it clear, though, that it doesn’t mean they will be throwing fines out left, right and centre, and they don’t want people to look at this as a data prevention rule; they want you to look at it as a data sharing rule.
“The ICO already has a lot of useful tool kits for SMEs online for the Data Protection Act. Let’s look at this as a positive thing that encourages data sharing and not a negative scaremongering thing surrounded by fines.”
To what extent can you be anonymous online? Should you be anonymous?
Sheona Wood: “People are having a good go at trying to be anonymous online, whether it is something trivial such as World of Warcraft users not wanting their real identity revealed in order to protect their ‘warrior status’; or to rather more serious issues where people are using cryptographic tools to make themselves anonymous.
“I think it is possible to try and make yourself anonymous online; however, whether you should be able to make yourself anonymous is really a judgement for society and government.
“My personal view is that you should be accountable for statements that you make online, so I am comfortable with people looking at every email that I send. However, there are people who truly believe that their privacy is paramount. It is state security versus civil liberty: stalking, slander and libel against privacy. That is a balancing act that needs to be carried out.”
What emerging future technologies will we have to worry about the most?
Oz Alashe: “I rarely look at technology as something that we need to worry about. Many things are changing, and they will affect us. What do we need to do to make sure we are not harmed by them? The technological advancement I’d draw attention to is the Internet of Things.
“It is vital we understand how interconnected we are and how dependent we are, in everything we do, on technology. Everywhere we talk and go, data is being gathered about us, about what type of coffee we like for example, as people want to sell to us.
“We could take this as a point of worry but I’d rather say that we embrace it and consider it as an opportunity; and GDPR is one of those.”
What is the most common form of cyber-attack?
Sheona Wood: “What I have seen the most of is phishing and voice phishing, where someone phones up claiming to be the bank. We have seen millions of pounds lost from businesses and individuals due to this form of cybercrime.
“In terms of future threats, I see cyber as like the game of whack-a-mole: you whack a phishing mole, but another one pops up. The thing we are seeing more of, too, is identity fraud. All you need to impersonate somebody is their name, address and birth date.
“I feel strongly about education and training at the front end, not after the event by explaining to everyone what they should have done.”