By Brian Craig, legal director at UK law firm TLT
Cybersecurity has been a hot topic for large and small businesses alike throughout 2019.
Big household names such as British Airways and Marriott have been served with notices of intent for record fines from the Information Commissioner’s Office (ICO) over data breaches, and headlines warn of the increasing threat posed by the use of connected devices, which can give attackers easier access to our data.
Although many businesses are taking steps to protect themselves against cyber-attacks, many more are still not sufficiently motivated to do so, or feel that the threat level does not warrant the investment required to implement adequate cybersecurity controls.
We expect 2020 will be another eventful year for the ever-evolving cybersecurity industry, and have listed below our top 5 predictions for the year ahead:
- Tighter integration between DPOs and CISOs
In the rush to respond to a growing cyber threat, organisations of all sizes have been equipping themselves with the resources and expertise necessary to address privacy and cyber risks. However, this haste has often seen businesses implementing cybersecurity controls in uncoordinated, and therefore more expensive, ways, and the resulting fragmented approach leaves gaps that an attacker can exploit.
We expect to see senior leadership calling for a coherent, business-wide approach, which could include the appointment of a single cybersecurity and data privacy leader to coordinate resources from stakeholders across the business, such as legal, finance and IT. A coordinated strategy with an accountable cybersecurity leader in place will deliver greater resilience against attacks and data loss, and a much better response should an incident occur. It will also allow for detailed reporting that explains the specific threats to the business and demonstrates that these risks are understood and are being mitigated.
- In-depth incident response rehearsals
Cyber incident preparedness training will likely become more sophisticated in 2020, as senior leadership teams start to prioritise rehearsing a major data breach scenario tailored to their own business and evaluating the resulting incident response.
There is a strong business case for rehearsing cyber-attacks, as it can help an organisation identify gaps in policy, reporting lines, decision authority, supplier services and technical operations. Any issues identified in a rehearsal can be fixed in advance, allowing a more effective response when a real incident occurs.
- Increase in attacks on SMEs
With bigger companies investing heavily in cyber defence in recent years, cybercriminals are turning their attention to small and medium sized enterprises (SMEs). Smaller scale ransomware attacks continue to pay off for criminals, and despite small businesses becoming the attackers’ new easy target of choice, many are unprepared and unaware of the risk.
Security resilience in smaller organisations is still developing, and employing expert help is often seen as unaffordable, making these organisations easier targets. Human error and weaknesses in the supply chain remain areas of concern. However, we expect to see training and technology solutions that will drive down the cost of building cybersecurity resilience; for example, inexpensive training programmes can reduce the risk posed by the weakest security link in these businesses, which is people.
The National Cyber Security Centre (NCSC) is the UK’s independent authority on cyber security and publishes a broad range of advice and guidance that can help SMEs. Growing adoption of basic security standards such as Cyber Essentials will also help. NCSC oversees the Cyber Essentials certification scheme, a government-backed and industry-supported scheme that provides self-assessment certification to help organisations protect themselves against common cyber-attacks and that aids compliance with the NIS Regulations.
- Use of AI to defend against phishing attacks
A business can also face risk arising from its own staff. Phishing scams have become increasingly sophisticated and harder to detect. Spear phishing, where cyber criminals have taken the time to research their victim and craft a bespoke email, is becoming a serious problem, as it is even harder for the recipient to identify the scam.
In a typical working environment, where employees are busy or distracted, the risk is likely to be higher. However, AI, and machine learning in particular, could be part of the answer.
AI can be put to work analysing emails for unusual patterns of sender behaviour, suspicious language, and anomalies in message metadata (such as mismatched sender domains or failed authentication results), so that likely phishing emails are flagged or quarantined before they reach the recipient. We have seen a movement towards the use of automation in an effort to reduce the burden on understaffed cyber security teams and increase efficiency.
However, it’s important to remember that AI can also be used against a business, with cyber-criminals making use of it to make their attacks even smarter. Employee training and regular engagement to increase staff awareness, and company-wide response rehearsals, will still be required to combat these attacks and reduce the risk from careless or uninformed staff.
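To make the metadata and language analysis described above concrete, the following is an added example, not code from the original article or from any product it mentions. It is a deliberately simple rule-based scorer rather than a trained model, but it extracts the same kinds of features a machine-learning classifier would be fed: failed SPF/DKIM results in the `Authentication-Results` header, a `Reply-To` domain that differs from the `From` domain, a sender domain that is a homoglyph lookalike of the organisation’s own domain, urgency language, and links whose host is a bare IP address. The trusted domain list, the weights and the two sample messages are all assumptions constructed for the example.

```python
"""Rule-based phishing feature extraction and scoring over raw RFC 5322 messages.

Added example; the trusted domains, weights and sample messages below are
constructed for illustration and are not taken from the article.
"""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr
from urllib.parse import urlparse

# Assumed: the organisation's own domains. A sender domain that is NOT one of
# these but normalises to one of them is treated as a lookalike.
TRUSTED_DOMAINS = {"example.com"}

# Language commonly used to pressure the recipient into acting without checking.
URGENCY_TERMS = ("urgent", "immediately", "today", "wire transfer", "before close")

# Digits attackers substitute for visually similar letters in lookalike domains.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s"})

# Assumed weights; a trained classifier would learn these from labelled mail.
WEIGHTS = {
    "spf_or_dkim_fail": 3,
    "reply_to_mismatch": 2,
    "lookalike_sender": 4,
    "ip_host_url": 3,
}

# Constructed sample messages (not real mail).
SAMPLE_PHISH = """\
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=bulk-sender.net; dkim=none
From: "Alice Finance (Example Ltd)" <alice.finance@examp1e.com>
Reply-To: payments@bulk-sender.net
To: bob@example.com
Subject: URGENT: wire transfer required before close of business today
Content-Type: text/plain; charset="utf-8"

Bob, I'm in a meeting and can't talk. Please process the attached invoice
immediately: http://203.0.113.7/invoice-portal/login. Confirm once done.
"""

SAMPLE_BENIGN = """\
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com
From: "Alice Finance" <alice.finance@example.com>
To: bob@example.com
Subject: Q3 invoice schedule
Content-Type: text/plain; charset="utf-8"

Bob, the Q3 invoice schedule is on the shared drive at https://intranet.example.com/finance/q3. Thanks.
"""


def _domain(header_value):
    """Return the lower-cased domain part of an address header, or '' if absent."""
    return parseaddr(str(header_value))[1].rpartition("@")[2].lower()


def _ip_host(url):
    """True if the URL's host is a bare IPv4 literal rather than a hostname."""
    host = urlparse(url.rstrip(".,;)")).hostname or ""
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def extract_features(raw_message):
    """Parse a raw message and compute the metadata and language features."""
    msg = message_from_string(raw_message, policy=default)
    from_dom = _domain(msg.get("From", ""))
    reply_dom = _domain(msg.get("Reply-To", "")) or from_dom
    auth = str(msg.get("Authentication-Results", "")).lower()
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    haystack = (str(msg.get("Subject", "")) + " " + body).lower()
    urls = re.findall(r"https?://[^\s<>\"']+", body)
    return {
        "spf_or_dkim_fail": re.search(
            r"\b(spf|dkim)=(fail|softfail|permerror|temperror)\b", auth) is not None,
        "reply_to_mismatch": reply_dom != from_dom,
        "lookalike_sender": (from_dom not in TRUSTED_DOMAINS
                             and from_dom.translate(HOMOGLYPHS) in TRUSTED_DOMAINS),
        "urgency_terms": sum(term in haystack for term in URGENCY_TERMS),
        "ip_host_url": any(_ip_host(u) for u in urls),
    }


def score_message(raw_message, threshold=5):
    """Combine the features into a score and a quarantine/deliver verdict."""
    features = extract_features(raw_message)
    score = sum(w for name, w in WEIGHTS.items() if features[name])
    score += min(features["urgency_terms"], 3)  # cap so wording alone cannot dominate
    verdict = "quarantine" if score >= threshold else "deliver"
    return {"score": score, "verdict": verdict, "features": features}


if __name__ == "__main__":
    for label, raw in (("phish", SAMPLE_PHISH), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw))
```

The point of the example is the feature set, not the weights: a production system would replace the hand-tuned scores with a model trained on the organisation’s own mail, but the failed authentication result, the `Reply-To` mismatch and the lookalike sender domain are exactly the metadata signals that make a well-crafted spear-phishing email detectable even when its wording is convincing.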
- Regulatory response to drive up standards
Cybersecurity is not just an IT issue, but a regulatory issue too. Indeed, the financial sector is sitting up and taking notice – the Financial Conduct Authority has seen increasing reports of cyber-attacks that are growing in scale and complexity and has stated: “Firms of all sizes need to develop a ‘security culture’, from the board down to every employee.”
A UK government consultation in 2019 requested industry views to help it understand what barriers were preventing organisations from adopting cybersecurity standards. Home-grown security standards may not be credible if they are not widely adopted internationally and are not easily auditable.
Although significant changes have been brought about by the implementation of the GDPR (concerned with the security of personal data) and the Network and Information Systems Regulations (concerned with the security of network and information systems), both of which took effect in May 2018, there remains no cohesive cybersecurity legal and regulatory framework in England and Wales.
The implications of Brexit add a further layer of uncertainty, and it will be important to consider how the UK might choose to adhere to existing EU security regulations.
Regardless of regulatory attention or the size of an organisation, businesses must take an increasingly joined-up approach and continue to improve their defences, or risk severe financial and reputational damage.
The importance of cybersecurity must be promoted at all levels, with a strong senior leadership team ensuring a centrally-managed strategy is in place, and implementing the necessary policies, procedures and training to minimise risk and strengthen incident response.