30 MAR 2020
We now operate in a world where the security of data is as important as the physical security of people, or that of the buildings and infrastructure where we live and work. As technology becomes yet more pervasive, we are storing and processing more and more data about individuals, clients, employees and assets, and using it for an increasing number of purposes.
While many jurisdictions already have specific laws to protect personal data – the General Data Protection Regulation (GDPR) in the EU being an important example – as RICS professionals we also need to consider the way sensitive data about clients and organisations is managed and protected.
Is this a question of technology, processes and procedures; or, more fundamentally, an issue of conduct and ethics that is central to being an RICS professional?
While legislation such as GDPR and the contractual agreements you have with clients together define how personal and commercial data should be processed and protected, we have an ethical duty to manage and protect all kinds of data to the highest possible standards. This responsibility falls on us all at every level of any organisation, irrespective of its size, the sector in which we work, or the country in which we practise.
The question we should ask ourselves is how we would want a third party to manage and protect our data. In addition to the fundamental ethical imperative, there are strong practical reasons to manage and protect all kinds of data in order to protect our customers, organisations and profession from financial loss, reputational damage and business interruption.
All the same, there is an ever-increasing list of parties using an evolving set of approaches to access data, intercept and change payee details, and otherwise damage, infect or extract ransom payments from us. These include:
To do so, they are using an increasingly diverse range of tactics that include phishing, ransomware, malware and identity theft, among others.
Recent cases around the world highlight the risks to reputation and business continuity as well as the potential for financial loss that can be caused by hacking. These also stress the risks associated with using third-party suppliers to provide shared web hosting and other services, with devices that form the ever-growing internet of things (IoT).
As former FBI director Robert Muller stated at a 2012 conference on cyber security, ‘I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.’
There is an ever-increasing number of examples of large companies’ data being targeted. Customers of US retailer Target had their data stolen via the credentials of one of its heating, ventilation and air conditioning suppliers, who had access to the company’s network. In the UK, TicketMaster and British Airways (BA) both suffered data breaches, with customer credit card data being stolen.
I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.
Former FBI Director
As a consequence, BA could be fined £183m by the Information Commissioner’s Office, and TicketMaster is facing a multi-million-pound lawsuit. In the latter case, the breach occurred via a third-party chatbot service, and when BA’s website was penetrated customers were also redirected to a malicious external website that harvested their credit card information.
In Norway, aluminium and energy producer Norsk Hydro suffered a ransomware attack early in 2019 that seriously affected its computer networks and reportedly cost the firm some $52m.
It is also important to note that hackers do not always seek ransom or phish for credit card details but can be damaging in other ways. In one instance, an attacker gained access to an IoT device in a warehouse and raised the temperature of the cold storage unit, resulting in the unplanned defrosting and spoilage of the contents.
With the need to protect data and the threats from cyber crime here to stay, how do we manage this new normal? What should our business plan look like? There are three key dimensions we should consider when developing an organisational data protection plan:
How far we may insure the risks is perhaps an obvious consideration, but still important. As with all insurance there is a danger that protection from losses creates a moral hazard; but cover can provide a useful discipline for organisations and a source of support when putting technology, policies and procedures in place, as well as in the event of an actual data breach.
Policies and premiums come at a cost, and insurers will look for evidence of your existing technology, processes and procedures. Insurance is unlikely to cover fines by regulators and there are question marks over its use to pay ransomware demands. Indeed, the legality of such payments is doubtful given that many of those demanding a ransom may be linked to terrorist organisations, and the Terrorism Act 2000 explicitly makes such payments illegal in the UK.
It is essential to recognise that this is an issue of when, not if, and that it needs to be the responsibility of a firm’s board or principal to deal with it. You should assemble your cyber-response team – even if it consists only of you with support from professional advisers – with legal, senior executive, IT, information security, risk and compliance, PR and HR departments all involved as well. Your plans and communications should not depend on your current systems either, because in the event of an attack these themselves may also be compromised.
Your plans should address both personal data and all other sensitive data. GDPR has been in place for almost two years now and its impact has been immediate and wide-ranging; for instance, a Swedish high school attracted fines and other sanctions under the regulation for using CCTV and facial recognition technology on its pupils. Since GDPR protects EU and EEA nationals wherever they reside and covers all data processing in the EU and EEA, its effects are felt beyond Europe itself, with firms around the world recognising their responsibilities to EU citizens. Other jurisdictions are setting the bar for personal data handling at similar levels, with legislation coming into force at state level in California early this year, for instance.
The box below details the factors you should therefore consider when making your plans. While some of these relate to technology and infrastructure, many concern processes, documentation, education, and working closely with suppliers to ensure that data is protected at every stage. Although cyber crime is the new normal, many of the common-sense approaches we already use for physical security can be applied digitally.