By George Ralph, RFA – A global cybersecurity company recently commissioned the Ponemon Institute to survey security practitioners for a study on global cybersecurity megatrends in 2018. The results, while not surprising, are incredibly interesting and echo the messages RFA has been giving our clients for the past three years.
The report outlines the issues that respondents believe will become megatrends in the coming year, and it starts with the belief that unsecured IoT devices are very likely to be the cause of a data breach. New technology is entering the mainstream and being adopted by businesses at a rapid rate, and while we encourage the use of new digital services, every device added to a network is another entry point to secure, and unmanaged ones leave gaps in the defences. Luckily the IoT hasn’t made much of an impact on the alternative investment sector so far.
The second megatrend is that ransomware and other forms of cyber extortion will increase in frequency. This is in line with other research; for example, Symantec’s 2017 threat report showed a 36 per cent year-on-year increase globally in ransomware infections. The causes are varied, but some insurers have attributed it to the rising value of Bitcoin and the ease with which ransoms can be paid in cryptocurrency without the payment being easily traced.
Third, in-house cybersecurity skills will not improve and may even decline, leaving firms less able to deal with increasingly capable cyber criminals. A good reason to think about outsourcing to a cybersecurity expert, perhaps.
Fourth, cyberwarfare and the theft or breach of high-value data will grow in importance as threats over the coming three years. Companies anticipate strong and sustained attacks.
Fifth, many respondents feel that cybersecurity is still not being given the importance it deserves at board level, despite all the evidence that the threats are increasing and that the cost of a breach or data loss is increasing too. Crazy.
Not only are boards not prioritising cybersecurity, they are not even being briefed on it. So they don’t know what they don’t know.
Finally, the report states that many organisations believe the cost of complying with data protection and cybersecurity regulations is going to increase, and that fines for non-compliance will increase as well.
The final point is particularly relevant for the alternative investment and private equity sectors that we operate in, where regulators are taking a strong interest in understanding and assessing regulated firms’ resilience to cyber-attacks. So what can firms do to protect themselves against cyber-attacks, and at the same time demonstrate to investors and regulators that they are putting adequate measures in place? One option is Cyber Essentials, a Government-backed and industry-supported scheme developed as part of the UK’s National Cyber Security Programme. It helps firms guard against the most common internet-based cyber threats and demonstrate their commitment to cyber security. Cyber Essentials Plus certification can even count in a firm’s favour with the regulator if it suffers a breach, as it provides independently verified evidence that the firm had carried out the basic steps towards protecting its business and data from internet-based attacks.
The assessment is detailed but not too onerous. The basic Cyber Essentials level uses a self-assessment questionnaire of around 200 questions to run a top-level audit of the firm’s infrastructure, policies and risks against five technical control areas: boundary firewalls, secure configuration, user access control, malware protection and patch management. Cyber Essentials Plus covers the same controls but adds an independent technical assessment, including vulnerability scanning of the firm’s internet-facing systems, so the certificate rests on verified evidence rather than the firm’s own answers. Certification shows that a firm has the measures in place to prevent many of the common attacks hackers use, and it helps evidence the “appropriate technical measures” that the information security provisions of GDPR require, although it is not a guarantee of GDPR compliance on its own.
For private equity firms, certification can reduce the risk of attack on their own infrastructure and on that of their portfolio companies, and it demonstrates to investors that their data will be handled safely and securely.
In addition, the FCA can take reassurance that firms holding Cyber Essentials Plus certification are meeting a recognised baseline of cybersecurity standards and putting measures in place to protect their data.
It seems like an ideal first step: accessible, cost-effective and, at the basic level, self-service. If clients aren’t doing this, we need to be asking: why not?