GDPR: Heads You Lose; Tails You Lose?
Okay, so the 'shocking' announcements from the regulator of its intention to fine British Airways and the Marriott Group have confirmed that the General Data Protection Regulation (GDPR) is a coin with two sides:
Tier 1 - Poor security practices in safeguarding EU data subjects' personal data (the lower tier of fines: up to €10 Million or 2% of global annual turnover).
Tier 2 - Misuse/abuse of EU data subjects' personal data (the higher tier: up to €20 Million or 4% of global annual turnover).
Consequently, failure to embrace 'Secure by Design/Secure by Default' and 'Secure Processing' leaves a business open to an opportunist cyber-attack, which in turn exposes it to considerable fines, reputational damage and financial losses. However, what GDPR fails to define clearly is what these practices should look like. Take, for example, an eCommerce organisation that has base-lined itself against the PCI SSC's SAQ A, with a full redirect to a third-party PCI DSS compliant Payment Service Provider. The payment card industry has designated this as meeting its criteria, on the basis that the risk is transferred to the compliant third party and the consumers' payment card details never touch the eCommerce business's own website. However, the Magecart 'Formjacking' attacks have shown that this is not true: malicious JavaScript injected into the merchant's own page can skim card details before the hand-off to the payment provider ever happens.
The recent notifications from the Information Commissioner's Office (ICO) have also demonstrated that compliance with GDPR is a balance between protecting the consumer through correct use of personal data and securing that data.
Let's take a hypothetical situation and apply some lessons learned from the British Airways fine.
Okay, so you are the CIO of a global manufacturing company who has been given the task of ensuring that all Business to Business (B2B) operations are aligned to comply with GDPR. During the initial phases, you identify that previous business processes have been far from perfect and have failed to meet even the previous data protection laws.
Where do you start to prioritise?
Well, given that the major fines (€20 Million or 4%) relate to misuse of your business customers' personal data, surely this is the priority? However, whilst you are focused on improving internal practices, you are running the increased risk of a poorly coded website or a poorly implemented supporting IT system presenting an opportunity for a cyber-attack. This is a crucial concern for a global entity that is formed of multiple companies (otherwise known as an 'Undertaking'), because the percentage is calculated on the turnover of the whole group. A successful cyber-attack could leave you staring down the barrel of a 2% global turnover fine.
The impact of a successful Cyber-Attack (leading to the considerable loss of personal data)?
Let's suppose that the organisation is a highly successful (say FTSE 100) company, which uses a globally accessible, online Customer Relationship Management (CRM) platform containing 500,000 personal data records. As the result of a cyber-attack, the CRM was hacked and all records were stolen by malicious attackers. The company was processing the data correctly but had no formal cyber security strategy in place (or the strategy was ineffective).
If your operating profits for 2018 were £342 Million, you would be looking at a potential Tier 1 fine of around £7 Million (2% of £342 Million; note that the statutory cap is actually calculated on worldwide annual turnover rather than profit, so this figure is, if anything, an underestimate). Add to this the potential reputational damage (since the attack, British Airways has seen a drop in share price of 37%): with 550,000 shares in issue at 4,500p, a market value of roughly £24.75 Million, a 37% fall would wipe off another £9 Million, as well as the extra unseen costs of handling a data breach, say £3 Million. Therefore, the estimated cost to such a hypothetical business of neglecting the Cyber/Info Security requirements of GDPR would equate to around £19 Million (€21 Million).
If you are an organisation that has prioritised data handling practices over cyber security and is relying on your IT Operations to self-regulate (mark their own homework), then I hope that this hypothetical example may help to change your mind. It explains just how important it is to have a Cyber/Info Security specialist in place to question the activities of both your internal data handling practices and the Business As Usual activities of your IT Operations teams, providing you with that 'So What?' response.
If you are an Executive of a company that allows self-regulating IT Operations, I would recommend that you ask some hard and fast questions as to the rationale behind this approach, and as to how they can guarantee the interests of the business (being cyber secure) without an appropriate Subject Matter Expert (SME) to ask those probing and awkward questions and provide you with the reassurance you need.
If you are one of those businesses that has prioritised data privacy practices over Cyber/Info Security and has decided to do without an SME, I hope this article helps to show how these two things go 'hand in glove' with each other. I would highly recommend that you see the investment benefits of employing an SME within your business: a much cheaper option, and far better than trying to justify such a failing to the regulators in the event that you are subject to a successful attack (note: the manufacturing industry is predicted to see a considerable increase in the volume of cyber attacks).
Businesses have misunderstood the close relationship between data privacy and Cyber/Info Security. This increases the risk of a poorly coded or poorly patched IT system providing an attack opportunity for malicious individuals or groups to exploit, which in turn could cause considerable damage to the business. It is essential that businesses put in place independent oversight of both their business processes and their IT operations, providing reassurance before anything goes wrong. This is extremely helpful in the event of a successful attack, enabling you to demonstrate to the regulator that your cyber strategy was suitable and independent of IT Operations and business processes.
Cyber security has historically been seen as being very expensive and invisible. That is, until it goes wrong, when it becomes extremely visible and costs even more to put right after the event.