In the first half of 2017, there were 918 data breaches reported worldwide - an average of one data breach a day1. From prominent multinational corporations such as Equifax, which became the largest single data breach in 20172 and Facebook, which suffered a data breach of 87 million users via a personality app3, to even the hacking of the European Central Bank4, no organisation seems immune to cybersecurity risks. Cybersecurity and data privacy must be a top priority for any organisation anywhere in the world. Gartner reports that as cloud security becomes a top priority in organisations, focus must shift away from protection and prevention towards detection, response and remediation, a shift that leads to changes in the way security is managed5.
With the GDPR recently going into full force, the cost of these breaches are now greatly magnified, both in its extension to organisations beyond the borders of Europe and in terms of monetary costs.
It is now more essential than ever before that European organisations, both the C-Suite and the board of directors, understand how to properly detect and respond to these increasingly ominous and costly cyberthreats.
The Increasingly Threatened Cybersecurity Landscape
In the cybersecurity and data privacy landscape, Europe has its own set of challenges. According to the European Union Agency for Network and Information Security (ENISA), the complexity of cyber attacks are increasing, with attackers becoming much harder to track. This is especially true in light of the anonymity provided by digital currencies and other infrastructures that offer encryption and detection evasion. As in the case of HSBC’s ransomware attacks, these hackers6, many of which are state-sponsored actors, are primarily motivated by monetary means7.
The top threat to European organisations in 2017 was malware. Although the frequency of mobile malware attacks has decreased, from 1.5 million in Q3 of 2016 to 1.3 million in both Q1 and Q2 in 2017, experts report that these attacks have become more sophisticated, which translates into more damage. For example, malware has now spread to both Mac and Linux operating systems and is now able to spread without the need for a user action8. Fileless malware has been detected in Eastern European banks, which have been successful in avoiding detection9. European organisations, particularly those in the financial sector, have responded with not only security teams within the organisation, but with external teams brought in to test their effectivity against hacks10.
Web-based and web application attacks were the second and third-most common threat, followed by phishing, though phishing has extended beyond email to include social media and SMS (smishing) and voice communications (vishing)11. All of these threats were increasing as of last year according to ENISA’s report.
Since data breaches aren’t going to cease completely any time soon, how can organisations mitigate these cyberthreats?
The Tough Lessons UniCredit SpA and Sony PlayStation Have Learned
The European private sector, and banking specifically, have unfortunately learned the lesson of how to mitigate data breach from experience. Italian leading bank, UniCredit SpA, suffered one of the biggest data breaches in European banking security last year, gaining unauthorized access to data from over 400,000 client accounts through a third-party provider12.
Their response was to swiftly update their IT system, allocating over €2.3bn to it. More than the response, they were able to realise that the breach occurred after a change in management13. This emphasizes the importance of having a coherent data and security strategy in place at all times. Although UniCredit claimed no financial damage ensued14, other organisations weren’t so lucky. Sony’s PlayStation Network had over 102 million accounts hacked in 2011, resulting in class-action lawsuits of $15 million as a preliminary settlement15. It was one of the worst data breaches in hacking history16.
In addition to revamping IT systems, tighter regulations have seemed to result in fewer data breaches, at least in Europe. European countries, which have recently imposed new regulatory requirements, saw a 26% decrease in the total cost of a data breach in 2017 over the previous year, reporting only 49 breaches in 201717. Meanwhile, in the US the average cost of a breach increased by 5% this year, to $7.35 million18. And in the future, these numbers will increase: GDPR regulations will fine organisations that fail to report personal data breaches within a 72-hour period a fine of up to 2% of global annual revenue (or €10 million), whichever is higher. This could even apply retroactively19.
Effectively Communicating the Management of Data Privacy Across the C-Suite
"Boards are becoming increasingly interested in security and risk management. However, there’s often a misalignment between what the board needs to know and what security and risk management leaders are able to convey." - Rob McMillan, Research Director, Gartner
Ultimately, the CEO is held accountable to the board of directors for the management and implementation of the cybersecurity strategy at the organisational level. On the one hand, a CEO looks to business information technology (IT) or, in larger organisations, a chief information security officer (CISO) to provide him with the information and resources he needs to manage these risks effectively. These parties often need to coordinate with the board, audit committee and risk management committee to deliver this information to him or her.
The challenge of the CEO is in synchronising the different management skills, communications, project management and responsibilities necessary to effectively gather the information he needs to report to the board of directors. CISO’s, on the other hand, seldom need to coordinate with a board of directors and committees to deliver relevant insights on the best information security practices and important trends in hacking and defense20. A system and process of clear communication between a number of different parties is therefore vital to the organisation’s cybersecurity strategy21.
Another factor an organisation will have to consider is the role of the IT department in cybersecurity strategising. It is important to distinguish between the responsibility of information technology and cyber security and risk management, since IT generally is responsible for technical rather than strategic detail. Cyberthreat management also involves keeping information well out of the reach of suppliers and other third parties, including legal experts, which is beyond the scope of the IT department’s responsibility, according to Denton22. Limiting cybersecurity oversight to the IT department, on the other hand, can restrict the budget, influence and the authority required for effective security and risk management, which places the whole company at greater risk, the same report continues23.
After all, the head of IT does not usually fall under executive management leadership. Rather than responsibility for the budget or strategic risk management, the role of IT is to be able to evaluate the risks from a technical standpoint and report them to the cyber security board, or similar entities within an organisation, which should in turn influence strategy and the budget. It all comes back to the leadership of cyber security for executives and effective oversight by the board.
It is therefore critical that CISOs, or Chief Information Security Officers, present potential risks and response plans to boards of directors, the CEO, and other members of senior management. To do this properly, however, they need the digital tools to also effectively communicate the value of their job, their suggestions of / recommendations in respect to a future cybersecurity strategy, and measured results. Effective risk prioritisation should rank risks from most likely to least - and what would be harmed - should have an action plan that involves deciding which risk to focus on. Remember at the end of the day, the CEO, together with all of senior management and the board of directors must agree to the cybersecurity strategy for the entire organisation24.
The importance of clear communication between teams cannot be underestimated, according to Deloitte25. Many board members, knowledgeable in cyber security, for example, report complete confidence in their senior management to deal with crisis. Further evidence however, reveals a significant gap between awareness of these threats and the ability to actually handle them26.
That’s why it’s not only essential for CISOs to effectively collaborate with senior management, but for boards of directors to communicate efficiently with the entire C-Suite. Boards must hold senior management accountable for a clear cybersecurity strategy, which requires regular dialogue between board and management and sharing of information and metrics that track cyber risk management and performance27. If your organisation isn’t already doing this, it won’t have a choice for much longer. Gartner reports that by 2020, 100% of large enterprises will be asked to report to their cyber security board of directors on cyber risk management at least annually28.
Cyberisk as a Strategic Imperative for Boards and Senior Management
With fines of up to 2% global annual revenue or €10 million (whichever is higher), the need to be compliant with GDPR and EU regulations is critical to the cyber risk management of any European organisation29. Beyond hackers and malware, infrastructure security also includes control and auditing, data protection, and mobile service security - all critical elements of the cybersecurity framework. With so many different elements involved, effectively evaluating cyber risk management is crucial.
Members of the cyber security board should be able to ask and answer questions such as30:
In the dynamic cybersecurity landscape, the answers to these questions are crucial. Each of these questions must be able to be easily and quickly answered.
Moreover, when considering external vendors, such as, for example, a digital solution for executive and board meetings, C-suite and boards should primarily take into consideration their need for their data to be protected according to the highest standard of security. Not only must the tool be compliant with EU regulations, such as the General Data Protection Regulation, also known as the GDPR, but it must also ensure as well a solid infrastructure security and auditing and control processes. All of these features need to be coupled with the tool’s ability to ensure optimal management of efficient C-Level and board meetings, and to provide effective collaboration across the organisation.
Catching up to Speed in the Cybersecurity Landscape
Ultimately, although online hackers, malware, and other security and cybersecurity threats seem to be evolving at increasing speed, many organisations are not keeping up with the pace. This is partly due to the need for human coordination among organisations, which takes careful management of time and resources, but also due to limited information on security and cybersecurity topics. According to Deloitte, one-fifth of cyber risk board members say they have no crisis playbook; yet one-third don’t even know if they have one31. But there is a more proactive route organisations can take well before an attack occurs. This proactive solution includes a continuous discussion with regular meetings among executive management and the boards of directors to ensure preparation at all times32.
Until organisations catch up to speed by implementing a carefully planned cyber risk management and strategy which includes detection, prevention and crisis management, the cybersecurity threats will continue to cost organisations significantly in the future years ahead.
1. Leyden, John. More data lost or stolen in first half of 2017 than the whole of last year. The Register. September 20, 2017.
2. Whittaker, Zack. Equifax says more private data was stolen in 2017 breach than first revealed. ZDNet. February 12, 2018.
3. Badshah, Nadeem. Facebook to contact 87 million users affected by data breach. The Guardian. April 8, 2018.
4. Honan, Brian. European Central Bank Hacked. CSO. July 31, 2015.
5. Walls, Andrew. Leading Enterprise Security & Risk. Gartner.
6. Schwartz, Matthew. Hackers Release Info from Swiss Bank. BankInfo Security. January 12, 2015.
7. ENISA Threat Landscape Report 2017: 15 Top Cyber-Threats and Trends.
8. Ibid, p. 25
9. “Designed for deletion: APTs harness wipers and fileless malware in targeted attacks.” Kaspersky website. April 27, 2017.
10. Ibid, p 27.
11. Walls, Andrew. Leading Enterprise Security & Risk. Gartner.
12. Sirletti, Sonia and Robinson, Edward. Hackers Breach 400,000 UniCredit Bank Accounts for Data. Bloomberg. July 26, 2017.
13. Arnold, Martin. UniCredit reveals data breach affecting 400,000 customers. Financial Times. July 26, 2017.
14. Sirletti, Sonia. Italy’s UniCredit Reveals Massive Data Breach Involving 400,000 Bank Accounts. Insurance Journal. July 26, 2017.
15. Armerding, Taylor. The 17 biggest data breaches of the 21st century. CSO. January 26, 2018.
16. Takahashi, Dean. Surprise: Sony faces class action lawsuit on PlayStation Network breach. Venturebeat. April 27, 2011.
17. Leyden, John. More data lost or stolen in the first half of 2017 than the whole of last year. The Register. September 20, 2017.
18. Rayome, Alison DeNisco. Data breach costs are dropping but still $3.62 million on average, report says. TechRepublic. June 20, 2017.
19. Montalbano, Elizabeth. Report: EU may slap new GDPR Fines on Old Data Breaches. Security Ledger. April 12, 2018.
20. Cohan, Peter S. Why (& How) CISOs Should Talk to Company Boards. Dark Reading. April 25, 2017.
21. A cybersecurity guide for directors. Dentons.
22. A cybersecurity guide for directors. Dentons.
23. A cybersecurity guide for directors. Dentons.
24. A cybersecurity guide for directors. Dentons.
25. A Crisis of Confidence. Deloitte.
26. A Crisis of Confidence. Deloitte.
27. A cybersecurity guide for directors. Dentons.
28. Walls, Andrew. Leading Enterprise Security & Risk. Gartner.
29. Trentmann, Nina. Data Breaches Will Soon cost Companies in Europe. The Wall Street Journal. November 22, 2017.
30. Taking the lead on cyber risk. Deloitte.
31. A Crisis of Confidence. Deloitte.
32. A cybersecurity guide for directors. Dentons.
BPS (Suisse) was founded in 1995 and is headquartered in Lugano, Switzerland. Currently, the bank is represented through its 22 units spread across 6 cantons and is owned by Banca Popolare di Sondrio.