Cyber Security & EU GDPR implications for SMEs

Posted on July 22, 2016

The average response times for IT security breaches are 200 days to discover a breach and 80 days to deal with it. Data, whether corporate intellectual property or customer data, is the target of the threat actors, at an average cost to business of $200 per customer record according to the Ponemon Institute and IBM ‘Data Breach Study’.

Let me put that in context. A random sample test on an audience revealed that the average smartphone holds over 800 personal contact records, data that would qualify as Personally Identifiable Information under data protection regulations. It transpires that the ease of our new-found cloud email services means that contact records are all too easily synchronised en masse. That equates to a breach financial exposure to an organisation of £160,000, for ONE smartphone. The phones in our pockets are mini-datacentres and an example of the fluid nature of data and of the threat surfaces that organisations are struggling to manage.

It’s no wonder the European Union (EU) felt it needed to do a root and branch review of its former Data Protection Directive. This has been replaced as of May 2016 by the EU General Data Protection Regulation (GDPR). It is due to come into full enforcement in May 2018.

Data protection regulation may traditionally have been considered the realm of large corporations, with small and medium-sized enterprises (SMEs) largely paying lip service to whatever they were aware of and hiding in obscurity. This lack of awareness is highlighted in the annual data breach preparedness study by Experian, which reveals a shocking lack of understanding among SMEs. More than half of small companies have no plan in place to deal with a data breach and are drastically underestimating the cost of managing one. With UK Government research indicating that data breaches can cost SMEs an average of £310,000, based on actual incidents, it is a serious matter for both the UK economy and small business owners. The evidence for this statistic of course reflects only incidents that are known about; there will be many that organisations have simply swept under the carpet. Well, that practice is no longer going to work. The EU GDPR now makes breach notification mandatory, within 72 hours of discovery. Failure to do so will incur a fine of up to £20m or 4% of global revenues. Fines of that magnitude are perhaps out of the realms of reality for most SMEs, but nonetheless a fine will likely still be of a reasonable size to send a dissuasive message to others thinking they can hide from notifications. Hiding a breach is becoming increasingly hard, with many websites appearing that report data that appears on the dark web or circulates in other hacker communities, data which is too easily traced back to its source. Just head over to ‘have i been pwned’ for a case in point.

SMEs have sleepwalked into this new risk era, with risks that extend beyond hackers to include exposure to fines from new regulation like the EU GDPR. Fines for non-compliance are no longer token gestures but now up to £20m or 4% of global revenues. For most businesses that level of fine following any sizable breach will constitute a threat to continued viability. How many SMEs have considered that as part of their business Risk Assessment? In fact, how many SMEs have a business risk or impact assessment at all?

The truth is SMEs are the soft underbelly of national economies, increasingly dependent on technology for efficiencies and competitiveness. It is not so much the technology that is the Achilles heel that overexposes them to cyber threats, but a very blinkered attitude that they sit below the radar. Wrong! Hackers know SMEs are a soft touch, as SMEs have some unique attributes when it comes to targets. For example, they are often:

  • Part of a supply chain, a weak link into a larger organisation’s IT infrastructure (remember Target in the US)
  • Digital ransom or extortion suckers due to poor business continuity (backup) practices (ransomware is the fastest growing crime both online and offline)
  • Poorly policed IT assets that can be easily enslaved as part of a botnet with little chance of being discovered
  • Internet of Things (IoT) luddites, deploying IoT with little regard for the security implications
  • Rich pickings for identity theft/fraud and extortion
  • Low if not non-existent employee cyber security training
  • Ill-disciplined social media usage that makes profiling targets easy
  • Poor Identity and Access Management; user credential compromise is behind over 75% of all breaches

With the majority of SMEs saying they are confident they would know what to do in the event of a breach, research indicates that the same majority are largely ill-prepared. This substantiates consumer views on the subject, as they already lack confidence in the ability of firms of all sizes to suitably protect their data (NCC Group Report – Trust in the Internet 2016). Organisations cannot hide behind satisfaction surveys either, as customers rely on their emotional experiences more than any of the traditional factors. This is according to research by the Peppers & Rogers Group, which showed that 80% of defecting customers describe themselves as “satisfied” or “very satisfied” just before they leave. That leaves it a near certainty that organisations of all sizes will take a significant hit to their customer base if they cannot look after their customers in the face of a breach.

With the probability of a data breach sitting at almost a certainty, a first step in any SME’s move to improve its risk management should be meaningful breach response preparedness. If not, then the likelihood of missing a notification deadline and incurring almost certain fines is 100%.

The actual steps to basic breach preparedness are not that onerous either, and can act as a structure to drive wider basic cyber hygiene practices. Such an approach could, for example, be:

  1. Breach Insurance – the biggest blocker in breach response is the cashflow needed to engage the variety of skills you will need. Legal, technical remediation, forensics and PR, to name a few, are not cheap. Breach Response Insurance is going to become the new business norm alongside employee and other standard classes of insurance that you would not think of going into business without.
  2. Breach Response Preparedness – often as part of the insurance you will get the basics to assist you in getting a breach policy and process in place. It will be up to you to practise it, and to apply the additional steps that your insurer will request of you to remain compliant with your insurance cover.

Insurance for many SMEs will represent the path of least resistance. Insurance is a familiar risk mitigation strategy, using trusted broker channels, and as stated above it can often provide basic guidance as part of the service, not only to get Breach Ready but also to tighten up other areas of cyber hygiene. Fear of the unknown is often the hurdle in addressing this. In fact it is reasonably straightforward, and anything worth doing is worth investing in. The steps necessary to meet insurance obligations will also start an organisation nicely on its road to mandatory EU GDPR compliance. SMEs are going to find that the ecosystems they depend on will be driving this requirement.

SMEs should be ready for increasingly uncomfortable questions from supply chain principals and increasingly savvy customers. Two that spring to mind are likely to be:

  1. Do you have insurance that covers you in the event of a breach? If so, ask to see the certificate. If not, ask them how they can give financial assurance that, in the event of a breach that disrupts or shuts down their business, they can still provide the goods or services that protect your own business commitments. Make sure the answer stacks up for you.
  2. Are you EU GDPR compliant? If they are not, then you are potentially contracting with an organisation that is operating outside the law and likely not practising good data controller and/or processor custodial practices. If that company sits in your supply chain you may have shared customer personal data with it, which could leave you exposed as well.

One of the biggest SME ecosystems that hides in plain sight is the IT vendors and service providers that SMEs and enterprises alike rely on. Furthermore, governments’ desire to support SMEs means that these potential weak links also sit in public sector supply chains. This is why the UK Government mandated that ANY company supplying goods or services had to meet a minimum security standard called ‘Cyber Essentials’. This is an example that should be noted by the large Brands underpinned by a Partner Network, as the makeup of those Partner Networks is in the majority the same class of SME organisation. SMEs hold more than customer data: they have the intimate details of a customer’s technology and networks, and often access to their systems, as they act as a valuable extension to supporting and keeping business systems running. There is also the code to bespoke software, websites and apps that represents a unique competitive advantage developed at significant cost, code that would not only represent a loss if stolen but, worse, imagine if a hacker injected backdoors into the code unbeknownst to the developer, who would then deliver it to the unsuspecting customer.

Just because an IT company demonstrates a technology competence, it does not make them any more secure. In fact, it is almost the opposite. Many IT companies, especially in software development or web design, operate very open network environments where all developers have administrative rights. Raising the game of their partners should be a priority job for Partner Network Brand owners, and in so doing they protect the integrity of their brand as it is presented by their proxies into the market. Closing this circle, this should also be the motivational voice from the market. Customers should be holding the major brands to task, quite rightly expectant that their certified ‘agents/partners’ are maintaining the highest standards.

Right now, the single most important question the major vendors should be asking their licensed/certified partners, agents and/or supply chain dependencies, amongst other commercial relationships that involve Personally Identifiable Information (PII) of customers, is:

Are you GDPR compliant? Why GDPR? It is mandatory across ALL sizes of business controlling or processing any EU citizen’s data. Not meeting this regulatory requirement means operating outside the law. If an organisation is compliant, or has the discipline to demonstrate it is on the road to imminent compliance, then its cyber hygiene (i.e. its ability to protect Brand owner interests and their mutual customers’ good faith) should meet minimum best practices and, critically, it will have Breach Response readiness.

If they are not GDPR compliant:

What are you doing about it? If there is no satisfactory answer, I challenge any large Brand organisation: can they afford to have a representative promoting them who is known to be operating outside the law? Be assured there is one thing customers can do very easily today: find another supplier. A myriad of choices are just a click away.

Of course, some Brands devolve that responsibility onto the operating agents they licence or certify, hiding behind the argument that they only certify a competency in their technology, NOT the Partner’s business operational practices. As technology and digital data management practices have become so interwoven, it is time for technology vendors to raise the bar on quality. When a customer sees a Certified or Licensed Technology company, their expectation of the accrediting Brand goes deeper than just a deployment of technology.