Cyber-attacks and data breaches are among the key dangers for corporations today. Serious incidents continue to grab headlines, and for many organisations huge losses and costs are just a tick-tock away. But can we stop the timer? The short answer is "probably not" - however, we can certainly try to slow it down.
Cyber-crime is on the increase, as high-profile hack victims such as Sony, Target Corp and eBay know only too well. New cyber security vulnerabilities in established systems (such as Shellshock, which lends itself to botnet attacks) continue to provide new platforms for crime. Cyber risks are further compounded by the ever-increasing sophistication of online criminals, who are often perceived to be one step ahead of law enforcement agencies and specialist cyber-security firms. Liability is also likely to increase due to developments such as cloud computing and the Internet of Things, where more and more sensitive information is stored online and an increasing number of everyday devices are connected to the Internet.
Add to this the risk of data loss from human error (the classic example being an unencrypted laptop full of sensitive information left on a train) and the picture appears extremely worrying.
Organisations face significant losses when dealing with cyber-attacks and data breaches including, amongst other things, loss of or damage to data, software and essential IP, business interruption from network downtime, cyber extortion, wasted management time, and reputational damage. A recent report (the 2013 Cost of Data Breach Study: Global Analysis by Symantec and the Ponemon Institute) found that the cost of the average data breach in the UK was more than GBP 2 million.
With regard to data breaches, the situation is expected to become even more serious once the new EU Data Protection Regulation is finalised and finds its way into UK law. According to the latest draft approved by the European Parliament, businesses could be fined up to EUR 100 million or 5% of their annual worldwide turnover (whichever is higher) for certain data breaches, and will be obliged to notify both national data protection authorities and the individuals affected. There is still some way to go before the final regulation becomes law. However, once it does, businesses suffering cyber-attacks and data breaches are likely to see their related losses and costs increase dramatically.
Dealing with the risk