As cyberspace is getting increasingly crowded with ever more services, products and applications, such as billing, customer relationship or enterprise resource management and devices, such as computers, smartphones, smart cars or smart fridges, so has increased the number of entities looking for illegal gains creating an entire cybercrime industry. The biggest targets of these new brand of bandits are companies that own and process large amounts of data and companies whose cybersecurity measures are lagging behind the times.
The global cost of cybercrime is estimated to reach 6 trillion USD by 2021, which is more than twice what it was in 2015. The impact is felt most by companies that own, use and process the most data – cloud service providers and server hosting providers, banks, lenders, insurance companies, e-commerce, retailers and hotel chains with large customer databases to name just some.
High impact cyber incidents and massive data breaches have happened in Estonia as well as many other countries worldwide. Marriott hotel chain was hit by a data breach of 383 million of its guests, 3 billion Yahoo email accounts were hacked. In Estonia, FEB internet shops and the Kivimäe general practitioner centre fell victim to ransomware attacks.
How to protect your company?
Two improve the security levels of a company needs to consider these two points first:
- what are the most valuable digital assets of the company, hardware as well as data, that need protection, and what is their value for the company?
- what are the biggest threats to these digital assets?
Once these questions are answered a company can take the next step and create a risk-based cyber defence strategy and action plan. Naturally, special care must be taken to protect a company’s best performing digital assets which are the assets that are the most important for the company and its customers.
The tighter data protection requirements in the General Data Protection Regulation and people’s greater awareness of their privacy rights mean that companies need to know their privacy risks and ways of managing these risks. A regular review of privacy risks and rights management must be conducted. Data categorisation – audit of information assets – is essential here as well, a list of risks that includes probability and impact, and available risk management measures enables the company to put together an action plan to raise the level of cyber security.
Not just the IT manager’s responsibility
Putting together a company’s cyber risk strategy is not the sole responsibility of IT manager or data protection officer, cyber risk strategy is an important part of the company’s overall business strategy and the company as a whole needs to be included in the process. Which is why it is essential to include management in putting together the cyber risk strategy. After completion the cyber risk strategy should not be left to collect dust in a drawer but reviewed and updated regularly because risks as well as company’s business objectives change.
No such thing as a universal security solution
Even though such a risk-based approach to cyber risks management is a sensible way of doing things, many companies choose not to do sensible things and prefer outdated one-size-fits-all data security solutions offered on the market.
In Grant Thornton Baltic’s experience working with a variety of companies, the digital and data assets vary greatly as do the risks and risk levels. Some of the companies derive 100% of their revenue from data while others despite manufacturing physical goods use all digital production lines. Both have digital assets that need protecting. Nowadays all companies have digital customer databases, and these make an attractive target for competitors and phishing attacks. Where you keep the customer database affects the risk level of a company storing the database on your own servers might be more risky than for example using a cloud based customer relationship management solution. One thing is clear: both cyber risks and risk management strategies vary from one company to the next, but the strategy and methods for determining risk management measures are similar.
Five most important recommendations for ensuring cyber security
- Categorise data assets according to their strategic importance. Those that will disrupt the business or customer experience or cause untold reputational damage if compromised should be heavily protected.
- Regularly review your data asset categorisation in collaboration with senior business leaders. This categorisation must align with business objectives, which may change over time.
- Don’t just think about the minimum required from the regulator when implementing data protection controls. Instead, consider what regulations may look like in the future.
- Collaborate fully with valid requests for data and information and know the extent to which data should be provided.
- Demonstrate your commitment to data protection by having your cyber risk practices tested regularly by an independent third-party. This will help to build trust.