As cyber risk grows, 2018 is the year to get proactive about security

Here, Mark Chimley, founder of DPHub, explores what cyber security measures businesses should implement in 21018.

When it comes to online threats, the landscape moves so quickly that it’s difficult to accurately predict what the coming 12 months hold in store. But one thing we can say with certainty is that the UK’s SMEs will once again be on the receiving end of a barrage of cyber-attacks, from ransomware to data theft, online fraud and much more.

Given the challenges, SMEs would be right to seek help from trusted third parties like law enforcement. However, as experts have argued many times before, the police simply don’t have enough resources to help everyone, and often the advice they give out is reactive at best — focusing only on what to do once your business has been attacked.

As we enter 2018, SMEs need to move to a mindset of proactive cyber security to help reduce the chances of a damaging data or systems breach and potential hefty fines under new EU privacy laws. Reputable technology providers are moving towards the provision of ‘security by default’, especially with smartphones, tablets and cloud services. Business, however, tend to deploy traditional, self-managed IT systems and it is invariably within these that most security vulnerabilities remain.

Raising the stakes

Getting more proactive will be particularly important in light of the coming General Data Protection Regulation (GDPR), which finally comes into effect on 25th May. Although the GDPR specifies few prescriptive requirements when it comes to securing customer and employee data, businesses need to implement appropriate technical and organisational security measures. Regulators will certainly take a dim view of firms which fail to follow industry best practices, including installation of ‘state-of-the-art’ technology.

It’s more than likely we’ll see some smaller UK firms fined in 2018 for failing to report data breaches — a key requirement of the GDPR. Complaints that this isn’t something they’re normally used to doing will eventually wear a little thin for the privacy watchdog the Information Commissioner’s Office (ICO). High profile GDPR fines will be issued in select cases, which will send a message to the business community that lax attitudes to personal data will no longer be tolerated. With the maximum penalties possible now reaching four per cent of global annual turnover or £17 million, it’s time to start paying attention.

You may also be expected to appoint a Data Protection Officer (DPO) — or risk a maximum fine of two per cent of turnover or €10 million (£8.5 million). The race is already underway for the best talent here and many qualified DPOs have already been appointed within large organisations. Salaries will certainly be on the rise ahead of May. At the smaller end of the SME space, the good news is that many small businesses are unlikely to be required to hire one.

Insuring the future

The coming year will also witness increasing numbers of SMEs purchasing cyber insurance as a way to mitigate growing online risk. The industry is still in its infancy so we’ll certainly see an expanded range of offerings hit the market in 2018. The Federation of Small Businesses (FSB) already offers this to members.

However, before you start thinking of insurance as a way to duck your data protection responsibilities, be aware that it will not work as a virtual ‘get of jail free’ card. SMEs will still need to put in place proactive security and ensure they are GDPR compliant. In fact, most policies will be predicated on best practice proactive security measures already being in place — so be sure to check the small print.

An attack by artificial intelligence (AI)

As new technologies develop, it is invariably the case that criminal and nefarious uses of it follow on from an initial set of beneficial ones. Since machine learning and AI have now become established technologies and the software tools to implement them are widely – and in many cases freely – available, 2018 might be the year in which we see an AI-based cyber attack.

Whether this occurs, and by what means, remain to be seen. It could spread faster and be more wide reaching than anything seen before or it could be a stealthy, targeted data-stealing attack which remains undetected for months or even years to come.

Whatever happens over the coming 12 months, it’s going to be a bumpy ride. The bottom line? You need to get proactive about security if you are to mitigate the risk of a cyber attack and avoid punishment from the ICO.

Mark Chimley is founder of DPHub

Further reading on cyber security

Related Topics

Cyber Security

Leave a comment