European Companies are Unprepared for EU GDPR

The EU GDPR and exploding cybercrime costs requires Europe to get ready to get in control of data access

By Santeri Kangas, Omada CTO

SecurityBreach

Until now, spectacular news stories about security breaches have primarily exposed US companies, presumably lulling Europe into a comforting feeling that large-scale and business-crippling cyberattacks are something that happens to the proverbial “other people” – i.e. organizations in other parts of the world.

As any IT security professional is only too aware, the reality is very different. For years, European organizations have simply mitigated security breaches, largely kept quiet about it, and then carried on with business as usual. In future, the Europeans will have to address the issues that lie at the heart of the matter in security breaches, just as the Americans have been doing for years, to avoid the effects of unwanted publicity to their credibility.

 Access is what it’s all about

What lies at the heart of a security breach is the matter of access!: Access to data and systems, acquired through access to user accounts and user credentials. That’s why, as companies are forced to protect sensitive data and notify authorities about breaches, it becomes paramount for them to safeguard the data, the systems, and the users from theft and abuse.

First of all: Forget about whether you know you have been hacked, or think you won’t be hacked at all.

It is an accepted condition of modern business life that your organization will be hacked at some point, and probably already has been. It is also an acknowledged truth that size doesn’t matter – your organization is a potential target regardless of how big or small it is.

What is really important is two things: your ability to detect a breach and your ability to act on the information and deal with the damage quickly, efficiently and effectively.

In future, European organizations – just like American organizations today – will have to get used to the fact that they will be judged: not on whether they got hacked, but on how they handled the breach, and how well they are able to document that they have learned enough from their mistakes, to avoid similar damage in future. You need to be able to lock down access to data and systems, and you need to be able to prove what you have done to mitigate the situation and protect the data. If you fail to do so, you will be fined by the authorities and risk public disgrace.

Identity management and access governance are of course the foundational disciplines you must have in place, to enable you to impede unauthorized access to data and systems, through access to user accounts and user credentials – and to enable you to prove that you have done everything you’re supposed to, to keep the data protected from misuse.

The Dutch warning about what’s in store

I believe Europe will be hit hard, when the EU General Data Protection Regulation takes effect in May 2018.

Anyone doubting that European organizations are just as likely victims of cybercrime as anyone else, need only look to the Netherlands for a wake-up call:

According to Fortune Magazine and ComputerWeekly, at the start of 2016, the Dutch authorities passed a data protection act of their own, a bill which – like the EU GDPR – forces Dutch organizations to report cybersecurity incidents to the authorities and to the affected individuals. Fines for failure to report the incidents can be up to €810,000, or 10% of the company’s turnover.

Fortune Magazine reports: “In just the first 130 days since the law took effect at the start of this year, more than 1,500 cyber incidents were reported.” And, Fortune adds: “Additionally, a 2015 study by PwC reported that 90% of large UK-based businesses – and 74% of small businesses – reported being hacked in the previous year.”

I have no reason to believe that Dutch organizations are IT security laggards, compared to their European counterparts. In fact, I am quite sure that the Dutch numbers represent what to expect throughout Europe, when the EU GDPR is enforced in less than two years.

Cost of cybercrime is on a dramatic increase

While European organizations have the added challenge of public embarrassment and reputational damage to deal with from 2018, the rest of the world can’t rest on its laurels.

Cybercrime is an increasingly popular activity, and the cost of cybercrime damages is predicted to skyrocket in the coming years, requiring organizations to fortify their defenses and strengthen their mitigating capabilities:

Just look at these numbers, listed by Steve Morgan of Cybersecurity Ventures:

  • In early 2015, the British insurer Lloyd’s estimated cybercrime was costing businesses globally $400 billion annually — which included direct damage plus post-attack disruption to the normal course of business.
  • Juniper Research followed with a report in the spring of 2015, which predicted that the rapid digitization of consumers’ lives and enterprise records would increase the cost of data breaches to $2.1 trillion globally by 2019.
  • This year, the Microsoft Secure Blog reported that The World Economic Forum estimated the economic cost of cybercrime to be $3 trillion worldwide. That was a six-fold jump in cybercrime damage estimates in just one year.
  • Cybersecurity Ventures predicts cybercrime will continue rising and cost businesses globally more than $6 trillion annually by 2021.

Of course, these are predictions, and the actual costs will be different. But I am certain the numbers are indicative of the trend.

Strengthen your security posture

What boards and executives should take away from these two factors – the increase in the cost of damages caused by cybersecurity incidents, and the increasingly strict legislation that ensures the security breaches are broadcast to the public – is that they need to up their security and compliance game.

It is vital to incorporate the increased security and compliance risk in the 2017 budgets, to have a fighting chance at being ready for the EU GPDR in particular, and to generally diminish the costly damage cyberattacks can do to the organization.

If you have questions or comments, feel free to drop me a line.

 

Santeri Kangas

Santeri Kangas_Omada CTO_hi res MG_7868

About Santeri Kangas: Omada CTO Santeri Kangas has 25 years of experience in cybersecurity and cloud computing, and a commendable track record in building award-winning security software products for consumers, operators and enterprises.