Looming GDPR mandate requires sea change in corporate cybersecurity tactics

More accountability critically important at all levels of an organization


The countdown has begun. In less than a year, tough new rules on data protection will come into effect for the European Union. For the first time, companies will be required to notify regulatory authorities, and potentially consumers, in the event of a significant cyber breach.

In elevating the rights of consumers, the EU General Data Protection Regulation (GDPR) represents a sea change in how companies will have to operate—and many are not ready.


Oliver Wyman, one of the Marsh & McLennan Companies, predicts that fines and penalties in the first year alone may total £5 billion, or more than $6 billion, for FTSE 100 companies. Adherence to GDPR requirements will require senior management—and not solely IT departments—to assume greater responsibility for cybersecurity.

This shift means more than drafting a new organizational chart. It represents a profound transformation in how industries retain, use and manage data and how leaders understand, mitigate and respond to cyber intrusions.

To compound matters, the WannaCry worm showed just how vulnerable companies are. In the span of 48 hours, the WannaCry malware infected more than 300,000 computers across multiple continents. The attack provides a glimpse into a dark future, where cyber criminals operate with growing ease and impunity.

Threats multiply in number, complexity

Given the array of hacking tools reportedly stolen from the U.S. National Security Agency in April, experts believe that more variants of WannaCry will be deployed shortly. As the cyber threat landscape grows more complex, European regulators are not alone in mandating greater accountability at the executive level.

For example, in May, New York state adopted a sweeping new regulation requiring financial services institutions to perform risk assessments, meet minimum protection standards, report breaches and certify compliance. The Chinese government also has imposed broad new cyber requirements.

These myriad changes will impact virtually every aspect of a company’s operations. In Europe, for example, newspapers likely will be filled next spring and summer with stories of significant breaches as companies begin reporting under the GDPR mandate. And as consumers are alerted to breaches, regulators and data protection authorities will likely jump into the fray.

Moreover, the GDPR grants EU consumers broad rights to access, correct and delete their personal data. As a consequence, Oliver Wyman estimates that at least 90 million gigabytes of data may be implicated. Supervisory boards will demand assurances from management teams that are likely not yet accustomed to this level of scrutiny.

All companies vulnerable

Even those companies that do not fall under the new regulations should take proactive measures to protect their businesses against a cyber breach. Steps that businesses may wish to consider include:

• Set a tone of awareness and urgency at executive level. In heightening anxiety worldwide, the WannaCry attack provides an opportunity for executives to demonstrate leadership by prioritizing cyber preparedness. Companies should use this moment—with memory of the attack still fresh—to remind their teams of the importance of good cyber hygiene.

• Identify translators. Too often, the technical team that defends systems and detects and combats cyber incidents speaks a language the C-suite does not understand. Executives need to have the right people in place who can provide them with timely and strategic advice. These translators need to be able to understand both the reputational risk to the company’s brand and the technical requirements of the company’s systems.

• Implement best practices. Senior management cannot afford to be detached from their company’s cybersecurity plans any longer. A vital lesson from WannaCry is the importance of developing consistent protocols for patching known software flaws. Executives should engage directly with their IT teams around emerging best practices like multifactor authentication, encryption tools and penetration testing.

• Start communicating with customers and shareholders now. Companies should prepare their stakeholders for an era of greater transparency and disclosure and the almost inevitable day when cyber intrusions occur. Help your customers understand how you collect and use their personal data. Nothing will be worse for your company—or your customers—than over-promising and under-delivering on cybersecurity.

• Make up for lost time. The penalties for noncompliance with the GDPR are severe—up to 4 percent of a company’s total turnover. For companies with annual revenues of $12 billion, for example, potential fines will run up to $500 million. Companies should test their cyber incident response plans through drills or simulations, and develop cross-department muscle and relationships of trust that will be needed in the event of a serious breach. Executives should also reach out to regulators, law enforcement authorities and policymakers—not so much to lobby, but rather to share insight and information and help shape the rules as they evolve. No one has all the answers.

Sound practices and sheer chance ultimately stopped the WannaCry malware and saved countless institutions from even worse breaches. It is unlikely the unprepared will be so lucky next time. Corporate leaders must act today to ensure their companies can adapt and excel in a world of growing risk, opportunity and significant new regulations.
