GDPR has been in effect since May 25th, 2018. The purpose of the regulation is twofold: to enhance the privacy of an EU citizen’s related information and to strengthen the powers of the data protection institutions and regulators to act against any organization breaches the new rules. But is GDPR alone the panacea for fighting cybercrime and data breaches?
The State of Cybersecurity
The statistics of cybercrime are frightening, with losses amounting to $5 trillion in 2015. Cybercrime is more profitable than the illegal drug business and constitutes the biggest transfer of economic wealth in human history. On the other hand, organizations spent in 2017 more than $87 billion in state-of-the-art technologies such as artificial intelligence, machine learning, peripheral security, protection software and services trying to protect themselves from the cyber criminals. Were they successful?
Apparently not. There is a paradox with cybersecurity. Although organizations are investing huge amounts of money trying to secure themselves, the number and size of cyber attacks is still increasing. There’s one ransomware attack every 14 seconds, for example, and the total cost of ransomware attacks in 2017 was more than $5 billion. Finally, another factor affecting the state of cybersecurity is the growing human attack surface, which is expected to grow from 3,8 billion users in 2017 to almost 6 billion users in 2022.
GDPR and Organizations
A lot of articles and opinions have been written about what is and what isn’t GDPR. To cut a long story short, GDPR is a strategic choice and not an operational tactic. It is about respecting your customer’s privacy and of course it is about respecting yourself, your reputation as an organization. Yes, it is true that failure of protecting the personal data can and will result in prosecution, fines and damage in reputation and sales, but organizations should focus on the fact that compliance with the new rules is a proof of how seriously they are respecting and protecting the customers’ personal data.
In their effort towards compliance, organizations will face one big challenge: their own employees, humans. Indeed, statistics and annual security reports have shown that the easiest way to disrupt and attack a system is by attacking humans. One might therefore wonder: is the compliance effort in vain?
Simply, the answer to above question is no. But organizations need to approach GDPR compliance from a different path. Compliance will fail if the organizations fail to create a cybersecurity culture where every member of the organization has understood the rules for the protection of personal data.
However, business environments change constantly, hence organizations must actively maintain and adapt their cybersecurity culture in response to new technologies and threats as well as their changing goals, processes and structures. Otherwise a non-adaptive organization is destined to fall behind. A successful cybersecurity culture shapes the security thinking of all staff and improves resilience against all cyber threats, especially when initiated through social engineering, while avoiding imposing burdensome security steps that prevent staff from effectively performing their key business functions.
What is the need for developing a cybersecurity culture? The majority of data breaches within organizations are the result of human actors, and while cybersecurity policies are commonplace among organizations, employees may view them as guidelines rather than rules. Similarly, technologies cannot protect organizations if incorrectly integrated and utilized. Against this backdrop, the development of a culture achieves a change in mindset, fosters security awareness and risk perception and maintains a close organizational culture, rather than attempting to coerce secure behavior.
Cybersecurity Culture and GDPR: How?
Setting up on the journey to creating a cybersecurity culture, organizations need to remember that it is a difficult effort but that it is definitely worth it. It contributes to the effectiveness and the security posture of the organization, hence it is the best advert for the organization itself. In order to shape an effective cybersecurity culture, organizations need to take into account certain factors such as the wider organizational culture, the cybersecurity strategy and last but not least the human factor.
Collaboration within the organization is essential, as open communication will facilitate the development of a cybersecurity culture. Everyone within a company should be involved by contributing their fields of expertise, identifying where cybersecurity risks and other business functions intersect and potentially conflict as well as brainstorming solutions. The leadership of the organization should act in a transformative manner, inspiring the employees, setting a clear and achievable vision and managing conflicts in order to have a win-win solution.
In addition, an effective cybersecurity culture should be fully embedded within the organizational culture if the value of cybersecurity is to be accepted by all members. Commitment to cybersecurity should also be signaled through appropriate budget allocation and a motivation for achieving greater security rather than simple compliance by ticking some meaningless boxes. A commitment to quality and cybersecurity suggests a wider organizational culture of excellence in business.
Another prerequisite for building an effective cybersecurity culture is the development and communication of policies and procedures that lay down clear responsibilities and serve to guide security behavior and attitudes. The provision for specific goals and end-user usability should be fundamental considerations, as permanent behavioral changes are possible only when they equate to success and satisfaction among employees. To facilitate employee ownership, acceptance and support, everyone in a company should be encouraged and empowered to participate when developing and embedding an information security policy. This ensures that security measures are adapted to the different functional roles within the company and that they avoid becoming too burdensome or complicated.
Finally, developing an effective cybersecurity culture requires recognizing factors outside of the organization. Understanding the impact of human biases, society and culture is essential for the development of a successful cybersecurity culture.
Security technologies can only be effective if employees have the necessary knowledge, skills, understanding and acceptance to use them. Achieving this “practical human security” may require a change in both the knowledge and behavior of employees whereby education and training may be used to foster knowledge, while behavior can be altered through cultural and organizational incentives and sanctions.
The analysis has shown that GDPR alone is not a panacea for protecting the privacy of personal data. In order for GDPR to be an effective regulation, cybersecurity culture needs to be embedded in a transformative organizational culture. Cybersecurity culture should be guided by clear policies and strategies that cater to employees’ biases and psychology. This will ensure that cybersecurity culture is an integral part of an employee’s daily behavior. Through an effective cybersecurity culture, employees will wonder which data is really necessary for daily functioning of the organization and what is the impact of processing personal data in the fundamental right for privacy and secure communications.
About the Author: Anastasios Arampatzis is a retired Hellenic Air Force officer with over 20 years worth of experience in managing IT projects and evaluating cybersecurity. Anastasios has been honoured by numerous high ranking officers for his expertise and professionalism and he was nominated as a certified NATO evaluator for information security. He holds certifications in information security, cybersecurity, teaching computing and GDPR from organizations like NATO and Open University and he is also a certified Informatics Instructor for lifelong training. Anastasios’ interests include exploring the human side of cybersecurity – the psychology of security, public education, organizational training programs, and the effect of biases (cultural, heuristic and cognitive) in applying cybersecurity policies and integrating technology into learning. He is intrigued by new challenges, open-minded and flexible. Currently, he works as an informatics instructor at AKMI Educational Institute.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.