Earlier this year, British Airways hit the headlines for the wrong reasons after it was announced that the airline had received record fines of £183m from the Information Commissioner’s Office following a data breach in which the details of 500,000 people were compromised, in breach of GDPR.
In the same week, hotel chain Marriott also received fines of nearly £100m after guest records were hacked.
Although hefty fines such as these are damaging to the reputations, and finances, of the companies involved, new research suggests that they are having their desired effect on cybersecurity.
The fines are designed to hold companies whose data storage practices breach GDPR to account, and research by data security company Clearswift indicates that they are having a positive effect on “board level involvement and spending plans” related to cybersecurity in UK financial organisations.
Clearswift surveyed senior business decision makers across financial organisations in the UK and, when asked, 32% of companies referenced recent GDPR fines against British Airways and Marriott International as being the main reason for an increase in board level involvement and/or provision for IT security spending.
“The teeth behind the regulations”: GDPR fines are working
Dr Guy Bunker, CTO at Clearswift, believes that large fines have proved to organisations that there are “teeth behind the regulations”:
“These fines have clearly sent shockwaves into the industry and are now serving as a blueprint for how the ICO will handle cases of this nature. By giving out such large ‘intentions to fine’ notices, the ICO has delivered a message that it is not afraid to reprimand household names.”
He believes that this has led to board-level involvement and awareness of the importance of robust cybersecurity. According to the UK Government’s Cyber Governance Health Check 2018, there is an “alarming” lack of awareness of cybersecurity at a board level in FTSE 350 members.
Bunker said that this may be changing:
“The board is now sitting up and taking notice of GDPR compliance and the role cyber security plays in it. However, it is not just about taking notice, it is the need to invest to maximise their ability to keep the organisation safe from new threats. Revisiting their ‘defence in depth’ strategy to augment with enhanced security solutions including both the boundary and the cloud, and implementing more stringent policies is critical to securing the critical information they hold within the organisation.”
The research also revealed a desire for cybersecurity spending to increase. 73% of financial businesses said they would like to see an increase in cyber security investment, with almost one in five UK firms saying that their budgets were currently ‘well below the adequate level’.
When asked where their organisation currently focuses its cyber security investment, Data Loss Prevention technology was a key area for 53%, followed by database security at 42%, regulatory compliance at 40% and advanced threat protection at 40%.
“Increasing investment in the latest data loss prevention solutions will help mitigate inadvertent and malicious data loss risks. Furthermore, with GDPR, organisations need to be aware that receiving unauthorised data can also cause issues. Organisations need to better understand how information flows through the organisation in order to tailor security solutions around how the business operates. In doing so, it will highlight where the biggest risks are and how the most cost-effective solutions can be deployed to increase protection and prevent a hefty fine.”