As our digital lives become more complex, the amount of faith we put in the security of our most valuable details is surprising, considering how little visibility we have of the unseen battle between hackers and IT security teams.
When data breaches happen, the scale of their impact is more nuanced than that of a physical crisis, and the actual damage can take some time to make itself apparent as the most sophisticated hackers know how to cover their tracks and hide their actions.
Whilst the upcoming EU General Data Protection Regulation ultimately has data protection at its heart, it does create a new series of challenges for IT professionals. The question is, do new regulations mean better protection – and for whom?
Less time means less certainty
As part of the new GDPR, businesses will need to report to both regulators and consumers within 72 hours of discovering a breach, giving them no time at all to complete an IT forensic investigation, let alone having the time to plan their communications and take legal advice.
Whilst being timely may seem like a good idea to minimise the damage dealt by a breach, it doesn’t go far in helping the businesses that have themselves been victims. My experience with recent breaches is that within those first 72 hours, the team is still engaged with trying to identify what happened on a practical level. It’s likely that this won’t be a realistic amount of time to piece together the chain of events and assess the potential impact. In fact, I’ve seen cases where it takes weeks for the investigation to narrow down the scope of which customer data may have been compromised.
Increased scrutiny and penalties
What this means for us as communications professionals is that in a post-GDPR world, where we are legally obliged to disclose the potential numbers of people affected earlier than ever before, we will be communicating very large numbers – based on the possibility of those who may be at risk, rather than the smaller, more definitive numbers uncovered by closer examination.
Not only does this potentially paint a skewed picture; it is also debatable whether a sudden deluge of companies publicly disclosing very high numbers of potentially affected customers will lead to "data breach fatigue" among journalists, where breaches become so commonplace that they cease to be reported as news.
However, one implication of this new imposed information sharing is clear – internal teams need to be much better prepared ahead of a breach. Detailed scenario planning between the legal, IT and communications teams needs to take place so that when they’re forced to report a breach, they are better placed to do so. In short, if you’re a member of a communications team, now is the time to get to know your IT counterparts – odds are you’ll be working together a lot more closely in the future.
It’s not just the reputation of a company that’s at stake – their finances are too. GDPR allows for fines of up to four per cent of a business’ annual turnover for violating the basic principles related to data security or consumer consent. To put that in perspective, the current ceiling for the most serious data breaches in the UK is £500,000.
Beyond the regulatory and financial implications, it’s also clear that cybersecurity is the new battleground in the court of public opinion. Consumers are getting increasingly savvy about how their data is used and are asking tough questions about why businesses are storing it.
So what does all this mean? It means that GDPR should be a wake-up call to communications professionals, whose job it should be to voice the concerns of consumers and external stakeholders. As part of FleishmanHillard’s Authenticity Gap survey, we recently asked consumers about their perception of how well companies are protecting their data. The result was clear: nearly two-thirds (63%) agreed that companies are not taking data threats seriously and are not investing enough in their IT to protect against serious breaches.
This perception was borne out by a separate survey, published by insurer Zurich in July, which showed that despite the volume of attacks and potential losses, business leaders are not committing to investing significantly in cybersecurity in the coming year. Almost half (49%) of SMEs admitted that they plan to spend £1,000 or less on their cyber-defences in the next 12 months, while almost a quarter (22%) don’t even know how much they will spend.
In an uncertain economic environment where increased financial spending on technical cyber-defences may not always be possible, the onus falls on us communications advisors to do everything we can to build up reputational defences instead.
And with the clock ticking down to the new regulation in May next year, the time to act is now.
Stephanie Bailey is MD of FleishmanHillard Fishburn’s Corporate Practice in London