Digital technologies are evolving so rapidly that vulnerabilities emerge faster than they can be secured. As such, it’s getting harder to prevent data breaches and criminals have their choice of weaknesses to exploit.
This is the opinion of the WEC (World Economic Forum) in its Incentivizing Secure and Responsible Innovation report, which was published earlier this month.
It cites the market forces that pressure organisations into releasing products and applications as quickly as possible. Doing so means they get a step ahead of their competitors, but it comes at the cost of reviewing and addressing cyber security risks.
In a bid to tackle this trend, the WEC outlined three ‘cyber essentials’ (different from the UK Government scheme of the same name) that entrepreneurs and investors must consider when developing technology.
1. Organisational security
Effective cyber security begins with a solid internal understanding of risks and the processes designed to mitigate them.
The WEC urges all organisations to develop a cyber security culture in which employees take regular training courses that address a range of issues. Doing so will foster good security habits and lead to employees intuitively following best practices.
In turn, entrepreneurs will instinctively consider security and privacy at the outset of projects, and investors will prioritise these concerns when evaluating corporate cultures.
A cyber security culture should be accompanied by cyber security governance, in which the board provides a strategic approach for cyber security activities and oversight of the risks that the organisation faces.
Likewise, senior management should adopt cyber resilience: a set of processes that enables the organisation to remain functional during a disruptive event.
Given the likelihood of a disruption and the damage it can cause, organisations must be prepared, and investors must be confident that these plans are sufficient.
2. Product security
Organisations that develop a culture of cyber security will naturally find themselves adopting a security-by-design approach to new products and services.
This means that developers consider security risks at the outset of a project, rather than bolting on defence measures at the end. Not only will this reduce the number of vulnerabilities, it will also be more cost-effective.
Security by design should go hand-in-hand with privacy by design, in which developers build their products and services with privacy features as a priority.
They will therefore need to understand what the organisation will be doing with any personal data that’s collected and what measures should be implemented to mitigate risks.
Security and privacy by design are two elements that investors should pay particularly close attention to, because mistakes here are more likely to be chalked up to major organisational faults rather than technical hitches.
As a result, the reputational damage of a security or privacy breach could rival or surpass the financial costs, as the organisation struggles to shake its association with the incident.
3. Infrastructure security
Entrepreneurs and investors shouldn’t only be concerned about the security of their products and services. They also need to consider data governance, which addresses the confidentiality, integrity and availability of information in enterprise systems through internal data policies and controls.
To do this, entrepreneurs must develop and maintain a data protection policy, including a written information security programme that addresses the security of personal and other sensitive data.
Meanwhile, investors must evaluate these policies and be satisfied that they meet the necessary industry-specific, national and international regulations.
Similarly, entrepreneurs and investors must consider the infrastructural security of third parties. Those third parties must have similarly strict data governance practices and agree in writing to certain information security requirements.
What challenges await?
Although the WEC’s report is framed around organisations’ responsibility to protect customers, its advice also has commercial benefits.
We are all increasingly in tune with the importance of cyber security and privacy, and organisations that can demonstrate their commitment to data protection gain a competitive advantage and boost their reputation.
It therefore benefits everyone when organisations keep informed of the challenges they face – and we’re in a particularly demanding time, given COVID-19 and Brexit.
Those looking for advice on how to navigate their requirements might be interested in our upcoming live panel discussion: Privacy and compliance challenges organisations face in 2020.
Our team of data protection experts will discuss:
- The way the current climate affects GDPR and privacy compliance;
- The challenges posed by DSARs (data subject access requests);
- The DPO (data protection officer) role and data transfer requirements in light of Brexit; and
- Data breaches and the processes organisations should implement to minimise risk.
The presentation will be followed by a Q&A, for which attendees can submit questions once they register for the webinar on the confirmation page.