Either by accident or intent, many employees are often the root cause of a successful cyberattack. However factor in a centralized security functions where staff are either trained or included in new cybersecurity process development compounds the problem. This siloed approach can creates lack of accountability across the business creating an ‘it’s not my responsibility’ culture. By far and large, accidental publications of confidential publication has the greatest impact second only to hacker attacks if breaching the organizations cyber defenses. Some small medium organizations believe they have nothing of value to an attacker and are unlikely to be a target. However they are perfect targets because they have weak defenses and easily compromised. They will then assess threats incorrectly or not at all mis-allocating resources to mitigating them in first instance.
This assumption and lack of rigor can have far reaching consequences when a breach takes place or the organization is attacked by a malware or ransomware alone. If personal information is stolen and the organization was found not to have taken reasonable steps to prevent it, the financial implications including penalties and reputation costs can be staggering. Or take the case of a ransomware attack alone, often the weapon of choice to attack an organization encrypting the victim systems and files. Only when a ransom is paid are the systems and files unencrypted.
This said, Malware standout as the most expensive attack type for an organizations and has increased by 11% over the year 2017-18 according to Accenture whereas the cost of malicious insiders has increased by 15% in the same period.The message is all businesses have something of value but it also says you cannot take cybersecurity for granted. Bring it into an economic context, the impact of cyberattacks alongside security breaches in the US totaled 11.7m in 2017 to a new high of 13m in 2018 per company. Over 5 years beginning 2019 to end of 2023, the total global cyber risk is estimated to be US5.2 trillion.
Compliance And Data Breaches
Prevention is by far the best medicine the Australian Privacy Principle compliance regimes requires an entity to secure personal information key to minimizing the risk of a data breach. Specifically entities must take reasonable steps to protect the personal information they hold from misuse, interference and loss, and from unauthorized access, modification or disclosure. The type of steps that are reasonable to protect information will depend on the circumstances of the entity and the risks associated with personal information handled by the entity.
Added to this, 2018 & 2019 shaped up to be a new era of Cybersecurity compliance around the world. This year will only see that trend continue as cybersecurity legislation shifts further in line with the EU’s General Data Protection Regulation (GDPR) penalty regime. Enacted in 2018, the new regulation hold organizations accountable in protecting information assets and IT infrastructure. This includes potential fines of up to US23m or 4% of annual global revenue adding to the costs of overall cybersecurity breaches. Last year the US Federal Trade Commissioner settled with Facebook over the Cambridge Analytica scandal after a year long investigation plus an US100m to the SEC for failure to disclose breaches to investors.
Amendments to the Australian Privacy Act increase the maximum penalties for misuse of personal information by entities covered by the Act, from $2.1 million for serious or repeated breaches, to the greatest of $10 million three times the value of any benefit obtained through the misuse of information 10% of a company’s annual domestic turnover. The amendments also established a new Social Media Code of Conduct for online platforms.
Thailand’s introduction of the Personal Data Protection Act (“PDPA”) also signals a new dawn in the handling of personal data. Prior to the PDPA, Thailand did not have an overarching law governing the protection of personally identifiable information until now. The collection, use and disclosure of personal data in Thailand were regulated by a patchwork of laws including the Constitution, sector-specific legislation and various self-regulatory codes. The PDPA is also similar to the EU’s GDPR regime, bringing personal data protection law in Thailand in line with other jurisdictions. Penalties include civil as well as criminal and administrative sanctions.
With all this said, legislation is needed to ensure business compliance regimes are in place to mitigate data breaches and cyber-attacks. So also is the technology to defend the attacks of malware and ransomware. What this also says is risk assessment to an organization’s information and systems must be a forgone conclusion legally, financially and operationally. Yet crucial to all mitigating factors to breaches of privacy and attacks in addition to embedded risk management regimes is the support by the board, user security policies, staff training and cyber awareness.
Why, because the risks from cyberattacks and breaches are not just a technical problem. They fall in the domain of C-level at the top and decisions ripple through creating a risk adverse or laissez-faire culture in the business. Attacks on Sony, Target and others resulted in considerable financial and reputational damage and so the problem then becomes a board issue that has to be managed at that level just like any other risk to the business.