The business of cybersecurity

Information security has become an absolute priority for companies and governments throughout the world, and it is easy to understand why: the shift to digital processing means that companies now depend on the Internet for a vast range of functions. Unfortunately we are reminded of the importance of data almost daily, with reports of security breaches and high-profile attacks. In this context, it appears that no individual, company or even government is safe. In the last year alone we have witnessed cyber attacks against all kinds of organisations, from American political parties to British mobile telephone operators.

This is why cyber security has become a big business: it is estimated that approximately 1 trillion dollars will be spent throughout the world between 2017 and 2018 on cyber security products and services. The risk of cyber attacks has further increased due to the growing number of devices connected to the Internet throughout the world. Indeed, it has been forecast that approximately 200 billion connected smart devices will be in use by 2020.

What is Cyber Security?
The term refers to a set of capabilities spanning a number of sectors, including software development, communication devices and equipment, consulting, and aerospace and defence services. The main objective of cyber security is to protect computer networks, programmes, connected devices (PCs, desktops and smartphones) and the data they hold from unauthorised access and theft, whether the cause is an intentional attack or an inadvertent error. In 2016, 17.7% of data breaches were caused by involuntary actions or errors, according to a study by Verizon.

One of the distinctive features of cyber security is the constantly evolving nature of threats. As technology evolves, attackers develop increasingly sophisticated ways of exploiting weaknesses. The number of cyber threats to companies reached an all-time high in 2016, including a 752% increase in the number of ransomware attacks, according to a Trend Micro study.

One of the most well-known cases of a cyber attack on a vast scale is the affair which took the American company Yahoo by storm. Last year the company suffered two breaches: one affected over a billion accounts and the second involved approximately 500 million users. These breaches resulted in criminal charges in the USA and led Verizon to abandon its public purchase offer for 350 million dollars. In the UK, the Internet services provider TalkTalk was forced to pay a record fine of 400,000 pounds following a cyber attack which breached the data of 150,000 customers. In politics, it is widely believed that Russian hackers targeted senior Democratic Party members as part of an effort to influence the outcome of last year's US presidential election.

Future growth prospects for the sector appear unlimited: forecasts currently predict an annual growth rate of 8.3% for the cyber security sector between 2016 and 2020, more than double that of total IT expenditure. According to Bloomberg, the main areas of growth in the cyber security sector will be mobile security, the Internet of Things (IoT), specialised analytics and threat protection.

The European Union has therefore resolved to take steps towards regulating and protecting its citizens' data. This is why numerous changes have been introduced with the GDPR (General Data Protection Regulation, EU Regulation 2016/679), as of April 2018. These amendments had been requested many years earlier, given that the previous legislation dated back to 1995, a time when the cyber world and the strategic importance of data had yet to be properly analysed. Here are some of the most important changes:

  • Broadening of territorial scope: Probably the biggest change on the data privacy scene stems from the extension of GDPR jurisdiction, which from 2018 applies to all firms that process the personal data of individuals residing in the European Union, regardless of where those firms are actually based.
  • Penalties: Organisations that breach the GDPR may be fined up to 4% of global annual turnover or up to 20 million euros. This is the maximum fine, reserved for the most serious breaches, for example failing to obtain sufficient customer consent for data processing or violating the core privacy by design concepts. It is important to note that these rules apply to both supervisors and processors, which means that "clouds" will no longer be exempt from the GDPR.
  • Consent: The conditions for consent have been strengthened. Companies will no longer be able to use long, illegible terms and conditions full of legal jargon that is difficult to understand; any request for consent must be presented in an intelligible and easily accessible form, together with the purpose for which the data will be processed.
  • Breach notification: Under the GDPR, breach notification becomes compulsory in all member states where a data breach is likely to "put the rights and freedoms of persons at risk". The notification must be submitted within 72 hours of the breach first being discovered.
  • Right of access: This is the right of data subjects to obtain confirmation from the data supervisor of whether their personal data is being processed, where and for what purpose.
  • Right to be forgotten: Also known as data erasure, the right to be forgotten entitles the data subject to have their personal data deleted by the data controller, and to halt any further disclosure and processing of that data by third parties.
  • Data portability: The GDPR introduces data portability, the data subject's right to receive the personal data concerning them that they previously supplied, in a "commonly used and machine-readable format", and to transmit that data to another data processing supervisor.
  • Privacy by design: Privacy by design requires data protection to be built in from the earliest phases of system design, rather than added on afterwards. The notion has existed for years, but only now, with the GDPR, has it become a legal obligation.
  • Data processing supervisors: Currently data supervisors must notify their data processing activities to the local data protection authorities, which for multinationals can be a bureaucratic nightmare, since most member states have different notification requirements. With the GDPR it will no longer be necessary to submit notifications or records to each data protection authority, nor to notify or obtain approval for transfers based on model contract clauses (MCC). Record-keeping requirements are introduced and are compulsory only for data supervisors and processors whose main activities require regular and systematic monitoring of data subjects on a large scale, or the processing of special categories of data or data relating to criminal convictions and offences.

EUGDPR.org – Key Changes

ETF Securities, Cyber security: investing in the biggest security story of our time, May 2017