From PayPal to T-Mobile, there has been no escaping the impact of large-scale data breaches on consumers so far this year. And perhaps unsurprisingly in this ferocious climate, cyber insurance premiums are also on the rise.
Having observed Data Privacy Day this past weekend, we spoke with several top industry experts from the fields of cybersecurity, risk and data about the trends they expect will define the year ahead.
Jonathan Wood, CEO of C2: Businesses and consumers alike need to heighten their vigilance for phishing and social engineering attacks generated by ChatGPT that put private personal information at risk. Certain barriers have been introduced to prevent highly personalized content generation, for example not allowing you to input someone’s LinkedIn profile. However, a strong persona built from the data harvested from such a profile would have much the same effect. Such a persona, coupled with a common hypothetical situation, like an email from an employee apologizing to a senior stakeholder for a mistake or from a customer service representative at a trusted supplier, could generate highly convincing phishing messages for those specific scenarios to up attackers’ success rate of accessing sensitive data.
Glen Hymers, Head of Data Privacy & Compliance and Information Assurance at Cabinet Office Digital: Data protection is of the utmost importance in a public sector environment! We are entrusted with all aspects of information, including very sensitive information about individuals. As such, we have a legal responsibility under the various pieces of legislation here in the UK to protect it. Not only that, we need to protect our citizens from breaches that can cause suffering and detriment such as identity theft, financial loss, and damage to their reputation. In the case of a government organization, a data breach can also compromise national security and undermine the trust of the public in our ability to protect their data. However, we have a greater moral imperative: as government organizations, we have a duty to serve the public and act in their best interests. Protecting their personal data is an important part of this, and it is our responsibility to do everything in our power to keep it safe.
Jordan Giddings, Non-Executive Director at Met Office: A holistic approach to data privacy drives trust through the supply chain, increases business agility, delivers velocity and ultimately can help define an organization as a partner of choice. In today’s competitive market, it is not an option for suppliers to sidestep taking stringent data privacy measures, as it is too great a priority for businesses. Implementing the right governance and assurance controls, for instance through a risk management platform, will help suppliers stand out in a selection process.
Luke Beeson, Group CISO at Aviva: As enterprises increasingly look to external partners to support the delivery of products and services it’s imperative that data security is front and center of these partnerships. While many providers will naturally be looking at areas where they can make cost savings in the current climate, cutbacks on cybersecurity defenses will ultimately increase their risk profile. Indeed, thriving as a trusted partner in the digital economy ultimately comes down to better controls to minimize risk.
Andreas Wuchner, former global CISO and cyber security advisor: With DORA coming into force earlier this week, financial services companies – from banks and insurers to crypto wallets – should start planning for how they will meet the new level of digital operational resilience required by this EU directive. The new requirements on incident management will be critical in helping companies quickly respond to threats, as well as in understanding what information has potentially been compromised, so they can take quick steps towards minimizing any risk to their clients’ or customers’ data. With security breaches rife in the financial industry in 2022, from Revolut to Crypto.com, companies should not sit on their hands and then later rush to meet the 2025 deadline for DORA. Instead, we need to encourage them to implement the measures required by the new directive today to better protect their own and their customers’ data.
Jonathan Wright, Director of Products and Operations at Global Cloud Xchange: Changes in the cybersecurity insurance market, driven by the continued stretching of actuarial predictability over the scale and impact of cyberattacks, mean that security leaders need to be able to show that they are taking a dynamic approach to managing their security posture. Insurers will only cover you when they are confident that the house will win. Showing that you have the capabilities to proactively monitor who has access to what, which patches have been applied, and which accounts have been compromised, among other measures, will give them the confidence that you are able to dynamically manage your IT environment and will ultimately lower their risk when providing insurance.
Max Buchan, Founder and CEO of Worldr: Following the pandemic, the mass adoption of flexible working has radically increased our reliance on communications and collaboration platforms such as Microsoft Teams, WhatsApp and Slack. Companies rightfully want to encourage their team members to collaborate using these tools; however, with the varying data privacy laws and regulations globally, it has become extremely challenging for businesses to balance data governance with their strategic objectives. Today, about 70% of countries have legislation in place for protecting data, and in most cases, firms also have the responsibility to comply with the local data and privacy laws of the jurisdictions where their customers are located. Mitigating potential risks of privacy and breach becomes a key priority for companies that operate in these highly complex and globalized environments. That is why helping companies retain ownership of and secure the data shared across communication platforms is so important. I think one of the biggest vectors of risk when it comes to being a multi-jurisdictional organization is around how you communicate and share sensitive information. Implementing solutions that empower companies to own their data ensures the opportunity for data sovereignty and significantly limits their privacy risk.