Businesses spend billions of Danish kroner each year to protect digital assets and prevent confidential information from being disclosed to the public. Nevertheless, security breaches with the potential to seriously threaten businesses are becoming more and more frequent. Business owners should therefore adopt a strategic approach to IT and cyber security, one that meets future legal requirements and actively involves management.
In Denmark, the hacker attack on CSC, in which millions of Danish social security numbers and other sensitive personal data were stolen, raised concern considerably, and both private and public-sector enterprises attracted heavy criticism for offering less-than-adequate defences. The CSC case is just one of many involving serious IT and cyber security breaches. IT security was once a matter for the IT department alone; today the risks call for strategic measures at management level to avert the all-too-credible threat of cyber attacks.
PUTTING STRATEGIC IT AND CYBER SECURITY ON THE AGENDA
Kromann Reumert is receiving more and more calls for advice on IT and cyber security. Our recommendation is for top management to work actively and strategically with the following questions:
1) WHAT ARE THE CURRENT LEGAL REQUIREMENTS?
First, find out what kind of data your company retains and identify which of it is most critical to your business, your customers, etc. Check what the current legal requirements are and where you stand in terms of compliance. For example, do any of your contracts or supply agreements impose obligations on how data is stored?
2) WHAT IS YOUR ORGANISATIONAL SET-UP IN TERMS OF IT AND CYBER SECURITY?
Find out what your procedures are for data protection and risk management. What are you doing to enhance security? Do you have a proper policy in place? Are security updates installed promptly, and is that verified regularly? And who has administrative rights, and do they actually need them?
3) WHAT STRATEGIC INITIATIVES CAN YOU LAUNCH TO ENHANCE SECURITY AND COMPLIANCE?
Find out what the future legal requirements will be and where you stand in terms of compliance. Are there any projects you might need to initiate to ensure compliance? Lay down procedures for the handling of security breaches, should they occur.
When you have a strategy in place, present it to your top management. Everyone needs to know the security risks you have and what investments may be required to enhance security.
LACK OF MANAGEMENT FOCUS WILL INCREASE THE RISK OF CYBER ATTACKS
A 2014 survey by the market intelligence company IDC of 149 Danish companies with more than 10 employees showed that companies are generally aware that they are, from time to time, the target of cyber attacks or of unauthorised access to their data.
One reason IT and cyber security is inadequate is that in many businesses management does not give these risks enough priority. Many companies have no defined policy laying down how risks are to be mitigated and what to do if a breach of security occurs. This leaves them exposed and vulnerable. If your IT and cyber security is not good enough, you are ignoring serious economic and commercial risks.
A BREACH OF IT AND CYBER SECURITY WILL IMPACT YOUR FINANCES AND YOUR REPUTATION
If your data security is compromised, the financial and commercial consequences can be severe.
Not only may your company be fined or incur substantial costs to restore IT systems, etc., you may also suffer negative press, loss of business and/or customers, and legal proceedings may even be brought against your company. For some companies, the price of their shares may go down.
2016 saw a rise in ransomware attacks afflicting businesses across the globe. Ransomware is malware that encrypts your data and demands payment for the key needed to restore it. A 2016 survey by the cyber security firm Malwarebytes found that 40% of respondents in the UK, the United States, Canada and Germany had experienced a ransomware attack within the past year. The trend is expected to continue in 2017, with attacks growing more sophisticated and more targeted.
With these scenarios in mind, it is essential that you make IT security a top management priority. Today’s reality leaves you no choice, and legal requirements will only grow stricter in the future.
STRONG IT AND CYBER SECURITY PAYS OFF
Establishing and maintaining cyber security safeguards and defences is well worth the effort. Management needs to specifically review your current security programme and lay down procedures for what to do in case of breach.
Among the benefits of adopting a strategic approach to IT security is that you are far better placed to rebut a claim for damages alleging that management knowingly acquiesced in inadequate security. It is also easier and less costly to limit the harm done if you do suffer a breach and your procedures are already in order.
Besides the direct consequences as described above, there may also be indirect consequences of not having proper data security procedures. It may affect the sale of your business, should you ever desire to sell.
A buyer’s due diligence will include, or at least should include, investigations into the company’s data storage and data protection, management’s involvement in IT security, and whether there are clear rules and procedures for data processing and for the required course of action in case of a security breach. If a target company is found lacking in these areas, that may well have a direct effect on the price the bidder is willing to offer, or on the warranties the bidder will demand in order to limit the risk of a security breach occurring after takeover.
PREPARE FOR STRICTER REQUIREMENTS IN FUTURE
The biggest IT and cyber security investments go into compliance with the rules for the processing and storing of data. And when the new General Data Protection Regulation (GDPR) becomes applicable on 25 May 2018, these rules will become a lot stricter and a lot more demanding.
Notable among the new requirements is the introduction of the principles of data protection by design and data protection by default. Data protection by design requires that systems intended to store or process personal data build in appropriate technical and organisational safeguards, such as pseudonymisation and data minimisation, from the outset rather than as an afterthought. Data protection by default requires that, by default, a system processes only the personal data necessary for each specific purpose, and that personal data is not made accessible to an indefinite number of people without the individual’s intervention; in practice, the most restrictive settings should be the default settings in all such systems.
The GDPR does not only introduce new and stricter rules, it also dramatically increases the penalties for non-compliance.
Under the new rules, the maximum fine is tied to your revenue, much like fines for breach of the competition law rules: the most serious infringements can attract fines of up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. All the more reason to make cyber security a strategic priority for any company.
For more from us on the new General Data Protection Regulation, please see our Insight on the upcoming general data protection regulation.
FIND OUT HOW TO BEST SAFEGUARD AGAINST BREACH OF CYBER SECURITY
The Danish Data Protection Agency has published a number of texts offering guidance on some of the issues that data controllers and processors should take into account.
While these publications may serve as inspiration, they are far from comprehensive and they are largely operational in nature. You will need a much more strategic approach.
One way to safeguard against some of the potential consequences of a breach of data security is to take out special insurance. There are a number of products on offer, especially in the United States, that insure against damage caused by hacking or the cost of remedying a security breach. Because of uncertainty about the scope of cover, however, insurance against cyber attacks is still not common.
Kromann Reumert considers strategic preparation the best way for businesses to protect themselves. Done properly, a strategy reduces the cost of handling a security breach, because the damage is easier to contain when adequate procedures are already in place. Nor will you have to spend considerable sums hastily developing a plan after a breach, having already done so in an orderly manner before the incident.
TAKE A PROACTIVE APPROACH AND STAY SAFE
- Check what the legal requirements are and where you stand in terms of compliance.
- Identify your procedures in relation to data protection and security risks.
- Find out what the future legal requirements will be and where you stand in terms of compliance.
- Are there any projects you might need to initiate to ensure compliance?
- Find out how to best safeguard against breach of cyber security.
- Make sure your management is involved in IT and cyber security, and designate a person or group to be responsible for it.
KROMANN REUMERT'S ADVICE
Kromann Reumert knows the current and future rules and regulations and can help you identify specific and concrete steps to counter security breaches. For example, we can help you draft guidelines to ensure compliance or help you review your existing systems and procedures.