The landscape of cyber attacks has changed over the years, and we've all become more vigilant about how we engage with the increasing number of devices we use. In the past, our primary concern was mainly infection by a virus. Now we have a myriad of different attacks to defend against: ransomware locking and encrypting our devices, socially engineered phishing attacks and malware-infected websites, to name just a few. Being more careful about which attachments we open in our inbox helps, but the honest truth is that the majority of users and organisations are not equipped to defend against the modern cyber-attack landscape.
The legal framework that we operate under will change when the General Data Protection Regulation (GDPR) comes into force on the 25th May 2018. This will force big changes in how organisations treat data in terms of process: understanding what data is held, where it is located and why it is being held. Organisations that hold personally identifiable information and suffer a security breach will have a legal responsibility to report the breach within 72 hours. An organisation that fails to comply with the GDPR will be open to substantial fines from the EU. Reports state that the £400,000 fine applied to Talk Talk for their recent breach could have been £59M under GDPR.
PWC have stated that over 74% of Small and Medium Enterprises (SMEs) have been breached in recent years. Many organisations, unsurprisingly, struggle to identify when a breach has occurred, or believe that no one would want to breach their organisation. Data, however, is rapidly becoming the commodity of choice for sale on the dark web, and a lack of in-house cyber-security skills and systems does not deter criminals from trying to steal it.
A pressing question that should be on the lips of every organisation is: "Has enough been done to protect the data we hold, and if we are breached, will we know?"...