The 4th e-Crime & Cybersecurity Spain
Madrid, 22nd November 2018
If Spanish companies thought that they could take a rest after the efforts to meet May’s GDPR deadline, then the hack at Barcelona-based survey company Typeform quickly corrected that misapprehension. And, in a vivid illustration of how local and global have become inextricably linked in cybersecurity, the first public disclosures of a problem came from UK challenger bank Monzo and purveyors of posh-nosh, Fortnum & Mason.
Coming after the arrest in Alicante of the leader of the crime gang behind the Carbanak and Cobalt malware attacks, which targeted over 100 financial institutions worldwide, the attack reminded Spanish businesses that their country is still one of the nations most heavily targeted by cyber criminals.
Perhaps most significantly, it demonstrated that, for many businesses, third-party security is a bigger concern than internal issues and that, with so much reliance on Cloud storage, apps and other third-party providers, as well as suppliers and other partners, the problem is getting worse.
But the most significant long-term implications of GDPR are only just becoming apparent: as AKJ Associates has long believed, mandatory disclosure and breach notification is a gamechanger for cybersecurity.
Real disclosure will reveal the true scale of the cybersecurity problem to consumers, to stakeholders and investors and to the press. Consumers are already reacting to GDPR with subject access requests and increased complaints. Just wait until they realise how many data breaches have been covered up. Investors too will be able to see which firms are weak and which strong in terms of information security.
And for the first time, we are seeing how disclosure affects entire business and transaction ecosystems: in the recent Ticketmaster breach, the initial alarm was raised (to Ticketmaster) by digital bank Monzo, which spotted unusual Ticketmaster transactions in client accounts. Ticketmaster did not announce a problem publicly until after Monzo had sent replacement cards to customers who may have been compromised. The significance of this sequence of events is that companies may now compete to show that they disclosed first, winning the reputational battle.
So how can CISOs and CSOs prepare for this new era of disclosure? What does it mean for current cybersecurity practice and processes? Is this the tipping point at which senior management finally acknowledge that current initiatives and budgets are insufficient?
e-Crime & Cybersecurity Spain 2018 will look at the post-GDPR disclosure landscape and the realities of achieving cybersecurity and resilience today. What is realistic? Which solutions providers can deliver it? Who at end-users should be making the key decisions? And what is the true role of the CISO in all this?