The global cost of cybercrime is estimated to reach 6 trillion USD[1] by 2021, which is more than twice what it was in 2015. The impact is felt most by companies that own, use and process the most data – cloud service providers and server hosting providers, banks, lenders, insurance companies, e-commerce, retailers and hotel chains with large customer databases to name just some.
High impact cyber incidents and massive data breaches have happened in Estonia as well as many other countries worldwide. Marriott hotel chain was hit by a data breach of 383 million of its guests, 3 billion Yahoo email accounts were hacked. In Estonia, FEB internet shops and the Kivimäe general practitioner centre fell victim to ransomware attacks.
Two improve the security levels of a company needs to consider these two points first:
Once these questions are answered a company can take the next step and create a risk-based cyber defence strategy and action plan. Naturally, special care must be taken to protect a company’s best performing digital assets which are the assets that are the most important for the company and its customers.
The tighter data protection requirements in the General Data Protection Regulation and people’s greater awareness of their privacy rights mean that companies need to know their privacy risks and ways of managing these risks. A regular review of privacy risks and rights management must be conducted. Data categorisation – audit of information assets – is essential here as well, a list of risks that includes probability and impact, and available risk management measures enables the company to put together an action plan to raise the level of cyber security.
Putting together a company’s cyber risk strategy is not the sole responsibility of IT manager or data protection officer, cyber risk strategy is an important part of the company’s overall business strategy and the company as a whole needs to be included in the process. Which is why it is essential to include management in putting together the cyber risk strategy. After completion the cyber risk strategy should not be left to collect dust in a drawer but reviewed and updated regularly because risks as well as company’s business objectives change.
Even though such a risk-based approach to cyber risks management is a sensible way of doing things, many companies choose not to do sensible things and prefer outdated one-size-fits-all data security solutions offered on the market.
In Grant Thornton Baltic’s experience working with a variety of companies, the digital and data assets vary greatly as do the risks and risk levels. Some of the companies derive 100% of their revenue from data while others despite manufacturing physical goods use all digital production lines. Both have digital assets that need protecting. Nowadays all companies have digital customer databases, and these make an attractive target for competitors and phishing attacks. Where you keep the customer database affects the risk level of a company storing the database on your own servers might be more risky than for example using a cloud based customer relationship management solution. One thing is clear: both cyber risks and risk management strategies vary from one company to the next, but the strategy and methods for determining risk management measures are similar.
[1]https://cybersecurityventures.com/cybercrime-damages-6-trillion-by-2021.
