For most, cyber security is dull. It’s also technical and unless you “understando / speako de lingo” it can be intimidating and perceived as too hard. Conversely, cyber security is now an essential life skill, whether that be in business or in one’s personal life.
We live amidst an unseen cyber war that is here to stay and unlikely to end. With the advent of greater data transfer speeds; the ever-decreasing size of microchips and sensors; the associated explosion of smart devices as part of the Internet of Things (IoT) revolution; and the incorporation of all these technological advances into our businesses and homes, the prospect and opportunity for cyber-attack is exponentially increasing.
Why should I do something about cyber security?
Aside from the shock, inconvenience, distraction, embarrassment, and distress of being hacked, what you may not have considered are the other indirect losses and costs that could occur should you fall foul of a cyber-attack. Bottom line up front (BLUF): prevention is always better than cure.
Privacy regulation has teeth.
Internationally, there are an increasing number of compliance regulations whereby it is a requirement to protect against cyber-attack. Widely known and leading the pack is the EU / UK General Data Protection Regulation. This regulation requires that appropriate “organisational and technical” controls are implemented to protect personal data – by this, in the main, they mean cyber security. EU / UK GDPR are both extra-territorial, meaning regardless of where your business is actually registered, if you hold and/or process the data of EU or UK citizens, you must cyber-protect the data. Failure to do so could result in enforcement fines of up to £17.5M / €20M or 4% of global turnover – whichever is greater. A great number of other nations are updating their privacy laws and using GDPR as a benchmark. While small to medium businesses are unlikely to receive a top-end fine, proportionately any fine is likely to have a major impact.
When cyber-attacks occur, they are all-consuming, particularly if it is a ransomware attack and you have lost all digital access – no computer/device access, no website access, no management systems access. Nothing. All those tasks you were already juggling in your busy work life have just been interrupted, cancelled, or postponed while you concentrate on responding to the incident; communicating with shareholders, regulators, and insurers; and possibly having to inform and apologise to clients and suppliers. What would the cost of this be to you? Furthermore, if you are subject to UK / EU GDPR, and a cyber breach meets the threshold for reporting to a regulator, an investigation is highly likely to follow. This can be all-consuming and comprises very detailed questions regarding what happened, how it happened and why it was able to happen.
Reputation damage and loss of trust.
When your clients provide their personal data to you there is an unwritten trust contract. They trust you to respect and preserve their privacy. Businesses spend huge amounts to recruit customers, but market analysis shows that an equitable amount is not then invested in protecting these clients. What would the impact be on your clients’ trust and your business reputation if you had to contact your clients to inform them that you had lost their personal data? Would you lose that client? How would that affect your cash-flow forecasts and plans?
Cyber criminals are clever and cunning. An attack on your business may simply be a tactic to attack one of your clients or suppliers, or, depending on the type of attack, may intentionally or inadvertently impact them through onward transmission. If after analysis your business is found to have transmitted a cyber-attack to a client or supplier due to insufficient or inadequate organisational or technological controls, and it has had a profound impact on strategic reputation, operational delivery, loss of intellectual property and/or personal data, you could probably expect to be sued for damages and the associated legal costs of defending your business. How would that affect your business?
Most personal data stolen during a cyber-attack ends up for sale on the dark web for other cyber criminals to purchase and use to further target individuals. A single hack on your business could lead to an individual being targeted multiple times over. How would you feel if it was your data? Would you want your business to be responsible? There are a growing number of law firms offering group litigation action for damages to individuals who have had their data breached. Damages precedent is still being established, but awards currently average ~£2000 per individual. If you lost 10,000 data records, that could amount to £20m.
So, in summary, while cyber security can feel like just another compliance cost, the cost of a cyber-attack is likely to far exceed the implementation cost. Cyber security resilience is simply a baseline cost of doing business.
Michael Wills is co-founder and chief data officer for CSS Platinum. For further information on the company and the services it provides to Gibraltar businesses and the international yachting industry, please visit https://cssplatinum.com and/or email firstname.lastname@example.org.