I’m of an age where I have lived through two major technological events that had business owners in a cold-sweat and vendors rubbing their hands in delight. As a young sales person working in the telecommunications industry for one of the biggest global players I remember vividly PhONEday. For those under the age of forty you will have lived in blissful ignorance that changes to almost every phone number in the UK were made on the 16th April 1995. Whilst Take That’s Back for Good was riding high in the charts, Dumb and Dumber was the big hit at the cinema and Blackburn Rovers were on the verge of an unlikely Premier League title, those of us working in the Telecoms industry were busy preparing for an extra “1” to be added to all telephone numbers after the first “0”. For some cities, such as Leeds, Sheffield, Bristol and Nottingham they would get a whole new numbering system.
Nobody knew what would happen at midnight on the 15th April – would phone systems explode, would the stock market collapse with brokers who traded still by phone unable to place deals, would the emergency services system fall over? In the end, there was no more than a ripple of impact. Years of preparation plus a thorough public awareness campaign ensured that everyone was aware of the change and four years later another change saw the use of “020” numbers plus the consolidation of all mobile numbers to start “07”.
That was in the year 2000 which of course gave us the second biggest event that caused mass panic in technology terms – the Y2K or Millennium bug. Rumours spread that the world would end at midnight on 31st December 1999 when our computer systems simply wouldn’t be able to compute when the date clocks moved to 2000. By luck I had moved into the IT sector at this point and spent my time trying to advise clients about the potential impacts and some practical steps they could take. But many organisations sold on fear – fear that organisations computer systems would fail, fear that websites would stop working, fear that the Internet, then in its early commercial days, would crash. Many people made a lot of money selling services that simply weren’t needed.
Next May we have another compelling event, one that almost certainly requires every business in Europe to take steps to protect themselves as well as their customer’s data and one where the ramifications of non-compliance to be severely damaging. The General Data Protection Regulation (GDPR) may have slipped under the radar of some businesses but when it comes into effect on the 25th May 2018 there are new accountability obligations, stringer rights and restrictions on international data flows.
Businesses that operate in Europe or hold data on European customers must be compliant within the next 13 months – after that date they could be hit with some huge penalties for any mishandling of data, including being the victims of cyber threats such as data theft.
Cybercrime today is unfortunately a growing business, with more sophisticated means being deployed by the criminals to exploit not only insecure systems but also the most fallible link in any organisation – employees. Social engineering is an almost daily threat for some organisations – the criminals only have to be lucky once to have potentially devastating effects.
The GDPR brings together many of the existing laws on how organisations need to handle any data breaches. Any loss of data will have to be reported within 72 hours which means organisations must have the technology and processes in place to both detect and respond swiftly to any breach. Failure to comply with the regulations could see firms fined up to €20 million or up to 4% of their global turnover.
This isn’t something that companies should schedule to start planning for next year, it is something that they need to be on top of now. A colleague who works in data security said to me this week, “There’s two types of company – one who has had a data breach and one who doesn’t yet know they’ve had a data breach”. Whilst this statement may hold water for the corporate and enterprise market, it is an interesting guiding principal that every organisation should consider. The financial penalties for even the most sustained and malicious cyber-attacks could be terminal for some businesses come what May (2018).
The good news is there is enough information available to understand the legislation and how organisations can start planning for the new regulations. In addition, many organisations are starting to develop software that monitors networks for potential breaches that today may be slipping under the radar including signs of potential social engineering attacks and data misuse (including industrial espionage) – a small price to pay for ensuring that customer data is kept safe and sound.
We will hear more and more about the GDPR over the coming months and I urge everyone not to ignore it. Whilst in our post-Brexit mood we may scoff at anything that mentions the words “European Union”, it is highly important that in this context we address the issues at hand and do not leave everything to the last minute where the cost of compliance could be prohibitive.