Published in Asian-mena Counsel: Cyber Crime & Data Protection Special Report 2018
Attend just about any information security conference these days and you will see a huge array of security products, each promising to solve your data protection issues and keep the hackers at bay.
Yet, the breaches continue. Where are we going wrong?
Kroll investigates numerous security incidents each year, and contrary to what is passing for conventional wisdom these days, the vast majority were preventable. Certainly, the use of sophisticated software products, when correctly selected and implemented, can add a heightened level of protection. But when it comes to data loss prevention, a leadership-driven security culture is imperative.
Asian jurisdictions upping the ante for data breaches
Authorities around the globe are no longer accepting the “it’s not if, but when” defeatist culture that pervades in respect of being hacked. Inspired by the European Union General Data Protection Regulation (GDPR) that recently came into effect with its frightening penalties, Asian jurisdictions are also upping the ante. Data protection laws in Australia and the Philippines are just the beginning as many others are looking to follow suit. Now, concerns are no longer restricted to reputation and business disruption; but now potentially also heavy fines, the requirement for thorough investigation, notifications to customers (and the associated costs therewith) and the threat of class actions loom in the future.
Strong top-down governance strengthens data security throughout organisation
The good news, though, is that there are steps that drastically reduce the risk of a data breach. From the outset, organisations must address the issue of information security as they would any other mission-critical aspect of their business, and this means direct leadership involvement via top-down governance. By continually focusing on and raising cyber security awareness throughout the organisation, leaders can help provide a mature, defensible and flexible structure for protecting sensitive data, eliminating many of the most common threats. This can also help to ensure compliance and encourage good cyber security hygiene among employees, partners and suppliers.
This approach need not be prohibitively expensive, especially when security measures are considered within the context of how the organisation conducts its business and particularly how its employees work. Ultimately, an organisation must answer four questions:
- What data do we have and what are the risks of exposure for each?
- Do we have a security framework (people, processes and technology) in place that protects the data and is it commensurate with our risk tolerance and provides meaningful metrics?
- Are there well-thought-out plans in place for responding to and remediating a cyber security incident?
- Lastly and perhaps most importantly, have we tested all of our assumptions and plans, and do we have a roadmap for continuous testing and monitoring in light of an ever-shifting threat landscape?
Role of virtual chief information security officers and data protection officers
The basics of information security are remarkably straightforward to implement, but very often, the devil is in the detail, and unfortunately, organisations find their strategies and plans to be inadequate or flawed at the worst possible time, ie, in the midst of a data breach or cyber crime crisis.
We increasingly see organisations engaging services from a virtual chief information security officer (vCISO) to complement their existing resources and to help ensure all gaps are plugged. Likewise, legislation in many jurisdictions is mandating that organisations identify and assign a designated individual with Data Protection Officer (DPO) responsibilities. However, when this additional burden proves too time-consuming or difficult for the employee to effectively carry out, turning to external DPO services can be the better option.
Many organisations find it eminently logical to engage an adviser with the global reach and credibility to help guide it on the path to cyber security maturity. In reality, few companies have the scale to hire such capabilities in-house. Independence is also key — security advisers should not be aligned with specific products or services because each environment is unique. By applying the most appropriate and cost-effective tools for the organisation’s needs and risk appetite, the vCISO or vDPO can promote better security at a lower cost.
Ultimately, information security is a question of risk. The stakes are getting higher and the question of whether to accept the risk, reduce the risk or transfer the risk (via cyber insurance) is a business decision — and organisations need advice that they can trust. The journey to resilience in the context of cyber security is a daunting one, but the consequences of failure are starkly exposed in the all-too-regular news headlines. More importantly, our experience shows that with a combination of leadership, carefully selected resources and best practices, organisations can prevent a critical number of breaches, which is good news indeed!
Kroll is the leading global provider of risk solutions with more than 45 years of experience in helping clients make confident risk management decisions about people, assets, operations and security. For more information, visit www.kroll.com.