Well it’s that time of the year when we reflect on what happened in the previous 12 months and polish the Risk Evolves crystal ball to see whether we can predict what may happen in the future.
2018 was the year that saw the biggest change in data protection legislation and regulation in a generation as the General Data Protection Regulation and UK Data Protection Act (2018) were introduced. At the same time we saw the increase in phishing emails and businesses succumbing to hacks and data breaches which GDPR is trying to protect against!
At Risk Evolves we helped over 100 organisations become GDPR ready and delivered seminars and education to over 2000 people, as well as raising awareness of data security, with more than 45 clients certified for standards such as Cyber Essentials and ISO 27001.
A common question asked by clients last year was ‘Did we do enough?’ or ‘What was all the fuss about?’ So what will happen in 2019?
We forecast that the momentum will continue as follows:
1. The ICO
In 2018 we saw the number of complaints to the ICO increase, together with the number of reported breaches. In 2019 the ICO will rule on some of the major breaches that occurred in 2018 – Butlins, Dixons Carphone Warehouse, BA etc. They will provide detailed analysis of what happened and why, with lessons for all of us. Inevitably, we predict that there will be fines using the new structure. However, this presents opportunities for organisations to learn the lessons from others, to review current processes and ask ‘could that happen to us?’ If you’ve ever been to one of our seminars, we recommend signing up to the ICO’s newsletter, which provides details on each case. Oh … and if you haven’t registered with the ICO and paid the registration fee, we recommend that you do so as soon as possible. The ICO is taking what appears to be a zero tolerance approach.
2. Class Actions
We expect to see the first of the class actions coming to court. In addition to the Morrisons case, we also expect to see claims brought by solicitors in order to gain compensation for individuals who have had their data ‘lost’ by organisations. As soon as the first payments are made, we expect claims to increase, leading to a knock-on impact for companies as the number of Subject Access Requests rises. As the claims industry closes for PPI in 2019, we predict that it will refocus on data compensation.
Whilst cyber insurance is unlikely to pay any fines that are levied by the ICO, a good policy should help you to manage claims for data breaches. Speak to your insurance broker who should be able to provide a good policy that is affordable to your business.
3. Supplier focus
At Risk Evolves, we’ve already seen an increase in the number of requests for support in completing ever more complex questionnaires. What has been noticeable is the increase in questions that relate to cyber security and GDPR readiness, with questions ranging from ‘when did you last experience a data breach?’ to ‘how do you manage your 3rd parties?’ One questionnaire for one of our micro clients featured over 150 questions on how data was stored, managed, protected, recovered and shared. In each instance the objective has been for the issuing company to understand how their supply chain risk is being managed. This is unsurprising in light of the increase in cyber attacks on larger organisations, such as Ticketmaster or BA, where it was a supplier that was hacked. The importance of supply chain due diligence and risk management has never been more in focus.
4. Increase in demands for standards
Linked to item 3 above, the increasing cyber threat and the potential consequences of a data breach will mean an increase in organisations requesting the adoption of recognised standards by companies in their supply chain. The growth area continues to be in Cyber Essentials, ISO27001 (information security), ISO9001 (quality management), and increasingly ISO22301 (business continuity). Each provides independent validation that a company has adopted industry best practice to reduce the risk to its clients.
At Risk Evolves, we’ve seen 3 types of customers come to us:
1. Those that have been told that they must have a standard to stay in the supply chain;
2. Those that have chosen to adopt a standard because they want to get into a particular supply chain;
3. Those that have chosen a standard because they want to be leaders in their industry.
We’re also expecting the development of an international standard (ISO27552) for GDPR (our geeky MD Helen is off to the Committee meeting in February!), but this won’t be available until the end of 2019 at the earliest. In the meantime, for those who need a standard for GDPR, BS10012 is available. Give us a call to discuss in more detail.
5. Cyber Crime will continue to flourish.
Sadly, we know that cyber criminals will continue with more social engineering attacks targeting SMEs. Organisations need to adopt a ‘when will I be attacked’ approach and not an ‘if’. As we forecast last year, we know that small businesses are now being targeted because they are in the supply chain for larger businesses (as seen with Ticketmaster and BA). Whilst this message was issued by the FSB last summer, it remains as true today as it was when the article was first written.
Adoption of standards such as Cyber Essentials will help to reduce the risk. We plan to launch some new education in Q1 this year called ‘Keeping the Human Safe’ – a no-jargon approach to making sure that staff know their phishing from their whales, their viruses from their patches. In addition, we will be introducing an affordable phishing testing service for our clients, regardless of whether you’re a micro business or a multinational. Watch this space for more updates!
6. The ‘B’ word
We’d be remiss not to include the ‘B’ word in our forecast. Much has been written on this topic and we won’t repeat it here. However, in the event of a ‘No-deal’, there are implications for the majority of organisations with regard to data protection legislation. For those who have followed our advice, mapped their data, written their policies, understood the compliance of 3rd party organisations etc., you are well positioned to adopt the recommended changes. We’ll continue to monitor the recommendations over the next few weeks and will provide further updates in future newsletters. One fact though – GDPR and the UK Data Protection Act are here to stay!
7. Mergers and Acquisitions
If you’re contemplating buying or selling a business in 2019, then give us a call, as you need to be confident that the business you are acquiring or merging with will not increase your cyber or GDPR risks. In a similar theme to point 3 above, we’ve already seen questions raised on the data risk in organisations. If you’re buying a business, in addition to checking its current client database, the financials of the business etc., you need to ensure that you do not buy a legacy data problem and risk future legal action. If you’re planning to sell, then we can help you to ensure that there are no skeletons in the cupboard.
8. We’re here to help!
We know that we can be a bit geeky at times, and some have described our knowledge of and passion for governance, risk and compliance as ‘downright weird’, but we do love the stuff that other people hate. So if you don’t know your 27001 from your 10012, have received a SAR and don’t know what to do next, or just fancy meeting us for a cup of coffee, then please get in touch.