Most businesses have a cyber security strategy, but how many are aware that in less than a year from now, those that fail to prevent a cyber breach could be fined millions under new European regulations?
The General Data Protection Regulation (GDPR), is a new complicated requirement driven by the European Union (EU). This will supersede the UKs Data Protection Act 1998 and is due to be enforced on 25th May 2018. Companies that suffer a data breach or display noncompliance may face a fine up to 20,000,000 euros or up to 4% of their global annual revenue of the preceding fiscal year.
GDPR aims to give assurance that our data is safe
This EU regulation is driven by the need to improve faith in the burgeoning digital market place. The current legislation adhered to in the UK and Europe was drawn up at a time before people’s data was so easily shared between various agencies such as Google and Facebook. GDPR is an update believed to meet the new requirements in data protection and came into force on 24th May 2016, organisations have until 25th May 2018 to prepare for when the regulation will apply.
Cyber-attacks are not going away
Across the global market cyber-attacks are an imminent risk. An organization’s ability to adapt to the new regulations, the ongoing threats to data privacy and the potential losses both in revenue from a breach and EU fines cannot be ignored. Companies outside of the EU that offer good and services to EU citizens will also be affected by the new data regulations. The level of their financial culpability is yet to be tested along with negative PR that non-compliance with the legislation can bring.
Educating employees essential for cyber security
One of the key differences a company can make, is organisational changes to security at an employee level to lessen the risk of a breach. By placing emphasis on shared responsibility for cyber defence across an organisation involves all business stakeholders and staff, from Human Resources to the post room knowing the basics of digital security. With the press as a permanent reminder of digital threat, here are some standard ideas that new and existing businesses can deploy.
1. Draft a response plan to a cyber attack
A draft response to a cyber-attack can be in place ready for the PR team to issue. Broadcasting that you are GDPR compliant may give reassurance to business stake-holders and customers alike. They need to know their data is safe. Remember the story of the 1000s of NHS patients that turned up at numerous hospitals in the morning only to be told their data was missing? A twitter fire is difficult to extinguish.
2. Is everyone in your business aware of the risks?
Workshops and newsletters can reinforce positive behaviours and expose the negative scenarios that have made businesses vulnerable to a data breach. Difficult passwords are a must, what to do when you leave the company laptop in a café, are you storing company data on your desktop not the hard drive?
3. Team ambassador for each company silo
Having a security champion in each team helps spread the responsibility across a company’s infrastructure and can help enforce best practise. Does the HR team want to be source of a hack that leads to the company facing an annual loss up to 4% of their global income?
4. New starters
The onboarding process is an opportunity not to be missed. Start as you mean to carry on. Does your company have a new starter programme for cyber security best practice?
5. Malware spreads on contact
USB sticks need a warning attached. They are readily handed out like sweets or picked up from bowls at industry events. It doesn’t take the smartest hacker to realise that, one could be picked up and compromised with malware and then placed back in the bowl.