Cybersecurity issues are once again dominating headlines around the world. There are allegations that Russian hackers interfered with the recent U.S. presidential election, and a massive data breach at Yahoo! Inc. led to data being extracted from over a billion user accounts.
As a result, investor interest in the sector has soared. To make sense of the recent developments, S&P Global Market Intelligence spoke to Ian Mann, CEO of U.K.-based cybersecurity firm ECSC Group. The company recently listed on the London Stock Exchange's Alternative Investment Market (AIM).
S&P Global Market Intelligence: Should anyone trust Yahoo with their data at this point?
Ian Mann: That is a difficult question to answer because on one level there is damage to trust when companies experience breaches. But equally, when we carry out breach responses, issues are often very quickly resolved. So an organization can be in a much better state within a short period of time. So you would hope that when organizations do have breaches, they would learn lessons from it and actually invest in their systems.
Why have we seen so many high-profile breaches this year?
There is a general increase year over year. I would not say this year has seen a massive spike. What tends to happen now is that breaches are reported in the public domain and that is partly because of the ease of sharing information. It is quite difficult for organizations now to keep breaches a secret because of the proliferation of social media and the culture of information sharing.
Are companies doing enough to secure their data?
I think the constant stream of breaches shows they are not doing enough. The [U.K.] government has been quite proactive about offering guidance and advice to companies, but there is still a significant gap. There are still a lot of companies that are not managing their security well enough, hence the increase in breaches.
There is a strong investor interest in cybersecurity. How do you explain that?
It is becoming clear that cybersecurity breaches are becoming more common. Additionally, the level of impact they have on organizations means cybersecurity has become a board-level issue. It is no longer just an IT issue. When there is a security breach it is the CEO who has to answer, and the reputational damage can often be significant.
Has legislation managed to keep up with the level of cyber threat?
There is some new legislation coming through in the next two years, which will drastically increase the fines associated with a security breach. Currently in Britain, the maximum fine for a company is half a million pounds. The General Data Protection Regulation will move that to 4% of turnover. More important, the GDPR imposes the legal requirement to report breaches and we think that is a far more significant development than increasing the fines.
We have been helping people respond to hacks for 20 years and the total number of those incidents that ever reach the public domain is actually less than half a dozen. So in essence, the vast majority of breaches are either undetected or if they are detected, they are not reported externally. This makes the legal requirement to report breaches the most significant provision in the GDPR.
But will Britain fall under the scope of the GDPR post-Brexit?
Yes, it will. We are currently still in the European Union, so therefore, legally, we have to implement the GDPR within the next two years. The U.K. Information Commissioner has said that we will implement the GDPR by May 2018. That will be approximately a year before Brexit. The Information Commissioner has quite rightly said it does not mean a future government won’t revise the legislation once Britain has formally left the EU, but the GDPR is really only bringing the EU into line with existing laws in, for example, Japan, which has had a similar law for about 20 years. Various U.S. states also have similar laws.
What are the cost implications of major cyber breaches?
On the larger scale, the costs could be very significant for a player the size of Yahoo because it could change the price that is agreed in its acquisition negotiations with Verizon. For other organizations, it can certainly have a reputational impact and put pressure on share price, as well as the fines. But also, typically when breaches do happen, they highlight the significant weaknesses in how people are managing security. This should lead to conversations about where to make investments in sorting out your IT system. So if you look at reports from the Information Commissioner’s Office, usually the conclusion is the breached organization was being very lax and not investing enough in security.
On an individual level, how can web users protect themselves beyond setting more complicated passwords?
It is a real challenge for individuals as they are being asked to do more and more online in their day-to-day lives. The focus of many manufacturers is often getting a product to market as soon as possible, meaning security can sometimes be neglected. Ideally individuals should use different devices for different activities. You really shouldn’t use the same device for browsing the web or using online services, for instance, as you would for managing your investments or monetary affairs. Separating those two is a good idea. However, for most people that would mean buying multiple devices. This is reasonable for high-net-worth individuals who can afford that, but is less of a useful proposition for the average person on the street.