New EU regulation highlights the risks of cybercrime
The rise of cybercrime is now one of the biggest issues affecting many businesses, and EU regulators have taken action to push the business community to protect itself.
Under the forthcoming EU General Data Protection Regulation (GDPR), which comes into force in 2018, all organisations will have to inform their customers when a serious data breach occurs and recommend ways in which any adverse effects could be mitigated, unless the breach is unlikely to result in a high privacy risk for an individual or the data was appropriately encrypted. Organisations that fail to do so could be fined up to four per cent of their global turnover.
So what are the issues facing the industry and how can businesses work to overcome them?
The first step is to understand who the potential hackers are. “They are quite wide ranging,” says John Cannon, Commercial Director – Fraud and ID of Callcredit Information Group. “From organised criminal gangs who are motivated by fraud, to terrorist groups and corporate and rogue state sponsored espionage with malicious intent. But the threat isn't just from organised groups: hackers have all kinds of motives and could just be an individual flexing his/her intellectual muscles showing off to peers simply because they can.”
Businesses today face a growing number of security risks. “Many more of us are interacting digitally and data is increasingly important, meaning where and how it’s stored,” says Cannon. “Businesses that are migrating from their traditional model into digital channels are potentially not as well geared up to the threat.” They are having to accept the idea, he says, that there are threats posed both externally and internally, such as from rogue employees.
As a result of all of this, however, companies are becoming increasingly aware of the potential dangers and many are taking action to try to alleviate the risks. “This is becoming increasingly high on the agenda at board level,” says Cannon. “Recent data breaches have clearly shown the financial and reputational impact to businesses and those not giving it focus risk being caught out by the introduction of the new GDPR.”
What should individuals be aware of?
There is a misconception that if hackers don’t manage to get hold of PINs and full card details then there is nothing to worry about. That is not the case. “We are seeing the rise of ‘social engineering’ techniques,” says Cannon. “This means that even if hackers exposed a low level of information, it could be used to gather the data they really want. These days, most of us are clued up enough to know that if we get a phone call out of the blue asking for our bank details, then we shouldn’t hand them over. But if you were contacted by an organisation you hold an account with and they quoted that account number, you may be more likely to be tricked into handing over more sensitive information...”
The new EU regulations are forcing companies to take cyber risk and data breaches a lot more seriously and to implement measures to guard against attack. “The first step is to make sure someone in the company is empowered to implement the relevant processes,” says Cannon. “Then start thinking about a plan. Come up with the worst case scenarios, think about what data you hold and what is important to the business. Play through the various scenarios and see what you can do to increase your protection and what to do afterwards. Think about what you need to implement to recover from an attack and make sure employees are trained to understand what a breach looks like.”
If a company is attacked, there are two steps it must take. “First, establish and understand as much as you can about what’s happening,” says Cannon. “IT security must understand exactly what’s going on. Then execute the plan you have put in place. If you can establish where the attack is coming from you may, say, be able to make changes to your firewall. Or in extreme cases you may need to consider taking your system offline. Secondly, communication is key as everyone should be aware of what is happening both internally and externally.”
What to do after a data breach
Of course, after a data breach it is crucial for businesses to reassure their customers that the problem has been dealt with: damage to their corporate or brand reputation could prove a disaster in the longer run. “You should consider what has happened and give your customers the absolute confidence that you have done everything to mitigate the breach happening again in the future,” says Cannon. “Customers will understandably worry about their personal details being exposed and through education are becoming increasingly aware of the value of their personal data. Media stories highlighting anonymous forums used by fraudsters on the dark web are adding to their concern so you should proactively consider having a data breach response. For example, Noddle Protect enables businesses to put in place a fast and effective remediation plan to safeguard consumers who may have had their personal data compromised following a data breach. The service can be available to consumers within 48 hours of a breach occurring and consumers who sign up to the service can use it to help identify and respond to fraudulent activity, checking whether their credit profile is being damaged by criminals. Noddle Protect allows consumers to review their credit report for free and helps them to look out for people applying for credit in their name or using their details fraudulently, giving them peace of mind and ensuring they continue to trust in your brand.”
The increase in data breaches in recent years coincides with the increase in consumers making use of digital channels due to the convenience they offer. The value of your personal data to fraudsters is increasing because it is their way to gain access to your digital accounts. Your data is their means to an end. “I often compare it to car security,” says Cannon. “In the past, if someone wanted to steal a car they would break into the car and hotwire it to drive away. As a result, car manufacturers have increased their security meaning it is now much harder. The approach of a car thief has shifted to stealing the car keys by breaking into your house. It’s similar in the digital world, as organisations increase security around services they offer through digital channels, fraudsters see your data as the key to unlocking your digital accounts using techniques such as identity fraud and account takeover being able to bypass security.” In other words, while the benefits of life online are enormous, so are the risks, and companies and individuals alike must take measures to protect themselves against the threat of cybercrime.