There’s no doubt that each high-profile data compromise story seems to garner more attention than the last. The news media thrives on stories that run and run, particularly if they have a whiff of corporate wrongdoing about them. The problem is that such ‘scandals’ are rarely isolated. It’s more a case of who hits the headlines first and whether or not others can get their act together before they get found out too! The reality is that many are ‘accidents waiting to happen’, a case of pushing one’s luck for as long as one can get away with it. Simply put, taking a risk. After all, isn’t that what running a business is all about?
So on that basis, risking the £500k fine that could be meted out by the Information Commissioner’s Office (ICO) would seem trivial to a large enterprise compared with the multi-million pound investment that may have been required to encrypt a data asset which, on the face of it, is regularly placed in the public domain. For SMEs, which have no mandate to disclose data compromises, it’s fair to say that most will assume they are off the radar as far as hackers are concerned: too small to bother with!
Now there is an oft-quoted saying that ‘it’s easier to get a pound off a million people than a million pounds off one’. In other words, the ‘little guy’ is worth worrying about after all. So whereas we can all afford to ‘lose’ a speculative pound, few of us would, even if we were lucky enough to have it, part with a million quid without being sure it was for the right reasons! And so it is with data security: chances are the little guy won’t notice he is being hacked, nor will his peers. Vulnerabilities will be easy to come by, and for the criminal it’s just a case of lying low, then making a ‘dash for the door’ when the basket is full! Finding similarly vulnerable businesses will not be too hard either; indeed, who they are is irrelevant, as long as the door can be nudged open! So before you know it, the fraudster has bagged a mass of ‘monetisable’ data right under the nose of his victim.
To date, the only concerted effort to get SMEs to sit up and take note has been PCI DSS. Despite a certain amount of criticism, and what can sometimes be considered a rather arcane approach to validating compliance via a self-assessment questionnaire, the standard has heightened awareness of the need to protect your customers’ data. Granted, it focuses on a single data asset, and for many it’s been a case of doing it to avoid additional charges; however, it has raised the bar in terms of cyber accountability for other people’s personal data. I would contend that it has done, and continues to do, a job, inasmuch as recent high-profile breaches have seen the victim quickly point out that credit card details were not part of the data heist in question!
Things are about to change, perhaps not overnight; however, within the next few months the mainstream tech-oriented business media will be awash with stories on the GDPR! Whilst it might not be as catchy as ‘PCI DSS’ (only joking there), it will undoubtedly have a more profound impact on the way businesses look at cyber security. Firstly, cyber security is now considered a bona fide business risk, something that does make the news and figures very much in the mind of the man in the street. Any Personally Identifiable Information (PII) can be, and is being, monetised by fraudsters, whose ability to create new scams built on a variety of social engineering techniques knows no bounds.
The General Data Protection Regulation (GDPR) has all the makings of a sort of cyber ‘Health & Safety’: oft cited as a burdensome chore and the butt of a million jokes, but something that in reality has put paid to a multitude of avoidable accidents. In the litigious society we now live in, it simply does not pay to take short cuts with such legislation. My guess is that the same will hold true with the GDPR. Even before its final enshrinement in law, it’s fair to say that avoidable data breaches will be subject to significant fines, fines that for large enterprises could make the ICO’s £500k look like loose change. For the SME, whilst the fines would be more modest, they are likely to be calculated as a percentage of annual turnover, so nonetheless just as painful should they be incurred. What’s more, for those who live and die by the sword that is social media, reputational damage could well leave you ‘holed beneath the waterline’.
The good news is that PCI DSS has opened many SME businesses up to processes and procedures that can, and often do, now extend to cover more than just what is within scope of the standard. Indeed, most UK small businesses will already subscribe to bank-sponsored PCI DSS compliance programmes.
Over the coming months Foregenix will be reporting on the emergence of the GDPR and how businesses can prepare for what is without doubt going to be a massive shift in how we all consider cyber security. Whilst it might not come with the ubiquitous luminous green tabards that have come to signify health and safety, it will highlight issues that many companies have historically failed to see.
For more information on PCI DSS, the new legislation and your business, please contact us.