UK Businesses want watchdogs to punish cyber security failures
The vast majority of UK business leaders believe that tougher penalties are required to help prevent major breaches - but are they right?
New research indicates that UK companies would like much tougher action from watchdogs to penalise inadequate security measures.
The majority of UK directors - 77 per cent - believe that enterprises that fail to keep customer data safe should face severe financial penalties. A similar majority, 71 per cent, believe that companies that fail to meet basic cyber-security requirements should be penalised too, according to the research by ComRes.
Interestingly, just under half (48 per cent) of those asked felt cyber threats were now a bigger risk to their business than market volatility. The research surveyed 200 directors from companies with more than 500 employees, and comes just days after Yahoo announced the biggest data breach in history which has exposed more than half a billion user passwords and personal information.
The Yahoo breach dwarfs even the Myspace breach of May 2016, as this helpful infographic makes clear:
Speaking at the Institute of Directors annual convention, NCC Group CEO, Rob Cotton, introduced the ComRes research, and said that larger companies were often the most complacent about cybersecurity, with directors themselves refusing to take responsibility for safety.
“For years it hasn’t been taken seriously enough in boardrooms across the country and while these results don’t prove that it’s now being managed appropriately, they do show that directors are realising that greater scrutiny and oversight from regulators and government will stimulate the necessary action and help drive up standards,” he told the Telegraph.
Current UK penalties are based on the Data Protection Act and are enforced by the Information Commissioner’s Office (ICO). Maximum fines are set at up to £500,000. However, new EU-wide regulation is set to become law in 2018, which will raise potential fines to 4 per cent of global revenues or up to €20m (£17m), though national regulators will remain in charge of enforcing the letter of the law.
That said, the cost to businesses who have suffered a data breach isn’t all about regulatory penalties. A recent Ponemon study found that the average cost to a business of a data breach grew from $3.8 million to $4 million in 2016. The average cost incurred for each lost or stolen record containing sensitive and confidential information increased from $154 to $158 - which puts the cost of the Yahoo breach at a fairly punitive $790 billion.
It’s not as if boards are failing to throw money at the problem either: overall spend on cybersecurity tools alone by companies and governments is expected to hit $202 billion a year by 2021, up 66 per cent from this year, according to research firm MarketsandMarkets. There is certainly little room for complacency though, as successful attacks continue to rise, and applications remain the leading cause of security breaches. Developers themselves seem to agree, with 47 per cent of respondents to a recent SANS report
Technical research by High-Tech Bridge has uncovered a plethora of widely ignored but endemic issues, particularly around application security. Although best-practice application security has often resulted in the deployment of a Web Application Firewall (WAF), and indeed Gartner has predicted that by 2020 more than 60 per cent of public web applications will be protected by a WAF, High-Tech Bridge’s research indicates that applications currently protected by one contain 20 per cent more vulnerabilities on average than unprotected ones. Moreover, 60 per cent of web vulnerabilities have advanced exploitation vectors that allow attackers to bypass the WAF configuration entirely and thus compromise the web application, so a WAF on its own is no substitute for fixing the underlying flaws. The full technical breakdown is here.
So is tougher regulation the silver bullet? Probably not, although it is set to tighten up over the next few years whether businesses like it or not. Can more be done to prevent breaches? Certainly, and often at a pretty basic level (how do your servers look under the microscope of this free test?).