Tuesday, 29 December 2015

Preventative measures needed in Cyber Security for Irish Business

Speaking at  Irish Reporting and Information Security Service Conference on Cyber Crime in Dublin, IDT911’s Paul Keane has called on Irish business to start taking cyber-security and incident response planning seriously to avoid serious financial implications.

More than half of Irish companies suffered a data breach during 2014, with current trends suggesting that this will increase in 2015, illustrating the prevalence of these threats to companies of all sizes. The Irish Data Protection Commissioner’s Annual Report 2014 reported a 43% growth in breach notifications from 2013.

This prevalence is very concerning considering a recent Association of Data Protection Officers survey revealed that one in three Irish companies have no corporate data breach policy and almost half are poorly trained for data breaches.

A further PwC study highlights that in addition to the immediate business interruption and potential long-term reputational damage, the average cost of a data breach for an SME ranges from €107,000 - €444,000 (£75,000 - £311,000), which could force closure if not appropriately insured.

Changes underway under the EU’s General Data Protection Regulation (GDPR) – especially new reporting requirements – also mean a failure to comply could see Irish businesses fined 2-5% of global annual revenue.

Upcoming legal changes under the GDPR will create mandatory reporting requirements when personal information stored by businesses is compromised, lost or stolen. Such incidents must be reported to the national supervisory authority – the Irish Data Protection Commissioner - within 24-72 hours, depending on the final text of the Regulation, due next month.

In order to limit their exposure to these costs IDT911 advise that Irish companies should:

• Assess and review their insurance coverage and requirements for data breaches;

• Retain a breach services firm prior to the incident to allow time to negotiate favourable pricing and terms;

• Conduct employee training so they can identify and triage potential security events;

• Be guided by legal counsel and experienced communications professionals familiar with breach notification requirements; and

• Be mindful that law enforcement and/or regulatory agencies may be required to be notified - they could be a helpful resource for investigation.

IDT911’s European Operations Manager, Paul Keane added: ‘Irish businesses need to start investing in preventative measures to protect from the potentially hazardous effects of a data breach. This exposure is only going to increase as more demanding European legislation comes into effect.’