Regardless of an organization's scale, cyberattacks and other cybersecurity incidents, such as data loss or merchant/vendor incidents, pose a significant threat to businesses globally. A quick search online easily identifies current cyberattacks being unleashed against corporations operating in today’s global economy including American Express and Change Health. With a proliferation of applications using around-the-clock connectivity, we find ourselves woven into an intricate and evolving scenario of cyber concern. With this backdrop, companies must have access to seasoned professionals well-versed in data security and privacy.

According to the Allianz Risk Barometer, cyber incidents such as ransomware attacks, data breaches and IT disruptions are the biggest worry for companies globally in 2024. Business interruption ranks second in their report, which is one step removed from cyber incidents. Natural catastrophes (#3), changes in legislation and regulation (#4) and macroeconomic developments (#5) round out the top 5 most important global business risks for 2024.

Not surprisingly, the study highlights cyberattacks and associated data loss as the top corporate risk. Year-over year, the concern has surpassed and holds steady over other significant risks such as regulatory concerns, climate change and a shortage of skilled workers threats. Cyber incidents sitting in the top spot simply reflects the escalating threat landscape fueled by cybercrime and the profound financial and reputational impact on companies and executives.

Allianz Risk Barometer report states, “[c]yber threats are constantly evolving as hackers and criminals gain access to new technologies or find new ways to exploit old vulnerabilities. Hackers are beginning to use artificial intelligence (AI) powered language models to increase the speed and scope of ransomware attacks, as well as create new malware and produce highly convincing phishing emails and deep fakes. Such attacks are likely to proliferate during 2024.”

The impact of the COVID-19 pandemic continues to exacerbate vulnerabilities as many organizations transitioned to permanent or hybrid remote work setups, providing fertile ground for cybercriminals to conduct operations. Additionally, human error still accounts for most of the patient zero triggers we see in daily incident response situations allowing the initial network intrusion and making employee training a key component of best practices. Ransomware activity alone is projected to cost its victims $265 billion annually by the start of the next decade[1]. These staggering figures underscore the imperative for businesses to bolster their cybersecurity posture.

To mitigate cyber risks, organizations must adopt best practices for cybersecurity and privacy compliance:

• Adopt and implement a formal cybersecurity framework ie. NIST CSF 2.0.
• Data Mapping: Perform a data mapping audit to document the personal information your company holds, how the data is collected and from where (the data flow) and any third parties that the data is shared with (such as third-party organizations that process your company’s data).
• Conduct annual privacy impact and cyber risk assessments.
• Establish, and regularly update, external facing privacy policies and website/application terms to outline data processing and data protection measures. Most privacy notices currently in use by global organizations are insufficient for compliance purposes under applicable data regulations. Privacy notices must be clear and easily understood, and must include all required information as outlined in applicable data regulations in order to obtain valid consent from data subjects.
• Address Record-Keeping Requirements: Data Controllers may be required to maintain thorough, accurate and complete records of the personal data they collect, as well as how that data is processed, used and stored. Audit your current record-keeping procedures and make changes and improvements as necessary.
• Evaluate Data Retention Procedures: Data Controllers are only permitted to maintain data about subjects as long as necessary for the purpose the data was originally obtained. Every company should evaluate their current data retention procedures, and many will need to make changes to their data storage and data retention processes to comply.
• Employee Training: All employees should receive adequate training to ensure that they are aware of current cyber risks and follow appropriate risk mitigation and data handling procedures. Keep records of training, and implement ongoing training to ensure that employees continuously are being tested against the latest cyber risks.
• Refresh Policies and Procedures: Companies must establish a clear set of data protection policies, both internal and external, such as a corporate data protection policy, an incident response plan (a checklist for responding to data breaches), policies related to the processing and retention of customer data (including data processing addendums (DPAs)), third party vendor/supplier policies, employee policies (including employee handbook and remote work policies), ecommerce or web based terms and conditions and privacy policies. 

Footnotes

[1] https://commercial.allianz.com/content/dam/onemarketing/commercial/commercial/reports/Allianz-Risk-Barometer-2024.pdf