An opinion piece by Stanislas de Maupeou, VP Strategy and Marketing, Critical Information Systems and Cybersecurity, Thales, was recently published in the French daily business newspaper Les Échos.
WannaCry and NotPetya are stark reminders of just how vulnerable businesses are to cyberattacks. They need to learn the lessons as a matter of extreme urgency.
"It was a strange coincidence. A year before Europe’s General Data Protection Regulation (GDPR) is due to come into force on 25 May 2018, two cyberattacks perpetrated on an unprecedented scale brought into focus the vital need to protect computer systems and the digital data they contain.
The WannaCry and NotPetya ransomware attacks held data hostage on hundreds of thousands of computers around the world, demanding a ransom for its release. These attacks serve as a brutal reminder to European governments and businesses that the tempo is not about to slow down in the fight against cyberattacks. Data is the ‘black gold’ of the 21st century, and keeping it safe is more critical than ever.
The GDPR requires all companies in Europe to take appropriate technical and organisational measures to prevent data breaches, imposing heavy fines — up to 4% of annual worldwide revenues — for non-compliance.
Inadequate cybersecurity is bad for business
But the GDPR is about much more than legal compliance. Meeting these new requirements is a strategic imperative for businesses. Implementing the required measures calls for an effective framework of cybersecurity governance. And that framework is woefully inadequate today.
Rather than a set of constraints, companies should view the changes as an opportunity to build trust and, in turn, generate growth. Building trust by ensuring the security and confidentiality of personal data is one of the keys to successful customer relationships. In today’s increasingly interconnected world, with open networks, cloud computing and connected devices, would anybody knowingly entrust their private data, bank details, medical records or other personal information to a company that cannot provide robust guarantees that the data will be safe?
Without cybersecurity, trust cannot exist. And without trust, it’s impossible to adopt new technologies, pursue the transformation of our societies and benefit from all the opportunities of big data and other digital technologies. The growth that will come with the digital revolution hinges largely on trust, and that trust must be demonstrable.
Cybersecurity isn’t an end in itself, but an enabler of human endeavour. The GDPR is more than just a ticking clock. It is galvanising IT, legal and finance departments to work together to meet a new set of obligations, such as appointing a Data Protection Officer for their organisations. Implementing the regulation may seem like a lot of work, but it’s an important step toward the goal of methodically addressing cybersecurity issues when systems are first designed and throughout their lifecycles.
Further attacks likely
It’s been said before, but it’s worth saying again: the real story behind WannaCry and NotPetya is that they were attacks waiting to happen. Both exploited a similar vulnerability, which had already been reported: installing the relevant patches effectively eliminated the risk of falling victim to the attacks. The problem was preventable because the people in charge of monitoring events, issuing advisories and providing remedial measures had already taken action and released the patches. And it’s almost certain that other attacks will attempt to exploit these weaknesses in the future.
It’s appalling to think that certain organisations, for lack of policy, planning or comprehension of the risks — even after the warning served by the WannaCry crisis — didn’t apply the security fix when it was made available in March, yet were quite capable of doing it in a matter of hours when the crisis struck. This won’t always be the case. Let’s learn the lessons now and finally make cybersecurity a reflex. The success of our digital economy depends on it."