Press release by ACCA – A new report from ACCA (the Association of Chartered Certified Accountants) claims self-interest rather than regulation is the future of cybersecurity because technology is evolving at such a rate that any legislation would be out of date before it is signed into law.
"Constant Forward Motion: The evolving phenomenon of cybersecurity regulation and the race to keep up" examines the growing threat to businesses and the problems lawmakers have because of the pace of technological evolution.
Jason Piper, ACCA head of business law, said: "We’ve seen many times over the past five years or so how much reputational damage a data breach can do to a large firm. Customers and potential customers are likely to think very carefully about their involvement with a company if they have had a data breach.
"Because of the nature of cybersecurity we believe that authorities and governments would be best placed using their resources to raise awareness among businesses, and to put resources into creating mechanisms to catch perpetrators. Businesses have to take the lead; they need to be aware of the value of the data they hold, the value in protecting it, and the damage that can be done if they fail to do so.
"Data is being used in all sorts of ways – for example to predict purchasing and money transfer patterns – criminals can use this information to commit fraud. A basic rule of thumb is that if there is value in the data to a criminal then there is value in protecting it and because data is digital it can be replicated over and over again, potentially before the business is even aware.
"The big question for authorities is: how do you regulate? Is it better to prescribe hard law or soft law? Both have advantages and disadvantages but ultimately the problem that lawmakers have is that anything they pass into law is likely to be archaic very quickly and they could spend the whole time ‘running to catch up’.
"The same can be said of insurance; mandatory insurance now would force insurers to offer cover without the information yet to be able to set premiums. Insurance is a growing area in the field of cybersecurity but it is an extremely complex job for underwriters to value data and set suitable premiums. Insurance can, however, act as an awareness raiser in a similar way to soft laws – if you can insure against the loss of data then its security needs to be taken seriously.
"Large organisations can play an important role in cybersecurity. Most criminals will look to go after the weakest link in the supply chain as a point to access data. This will usually be the smaller businesses, as they have fewer resources. The larger companies in the chain can support the small ones by providing guidance and expertise. This would be of benefit to the whole chain, as once a criminal has access to one area they will be able to infiltrate the entire chain – causing more damage, both financial and reputational."
The report also looks at other threats to cybersecurity and how technology means that data thefts don’t always have to involve the internet. Physical devices can be used to collect information from ATM cards, electronic tills and card readers for future use, without the need for any direct internet involvement.
Employees are a major threat to a company’s cybersecurity. It is likely that in every data breach an employee will be involved whether directly or indirectly and whether knowingly or unwittingly. Jason Piper concludes: "Employee involvement in data breaches demonstrates the need for increased knowledge and awareness amongst all in the company. Everyone has a role to play in the protection of data."
The full report can be downloaded from: http://www.accaglobal.com/gb/en/technical-activities/technical-resources-search/2016/february/constant-forward-motion.html