PwC cybersecurity lead on GDPR: ‘Everybody is starting too late’

15 Sep 2017

From left: Pat Moran, PwC Ireland cyber leader, with Grant Waterfall, PwC global cyber leader. Image: Maxwells

As the countdown begins to GDPR, Irish and European organisations are seriously underprepared, says PwC’s Pat Moran.

For the second year running, Irish CIOs and CEOs are being invited to take part in PwC’s Economic Crime Survey (deadline Friday 22 September). It is already apparent to the consulting firm’s Irish cybersecurity lead, Pat Moran, that very few tech leaders in Ireland are investing sufficiently in their cyber defences.

This is despite an unprecedented rise in cyberattacks globally, manifesting in major malware such as WannaCry, botnets targeting the internet of things, embarrassing data leakages at local banks and the recent data breach at Equifax.

“We had a fair response a year ago and we expect a fair quantum of respondents from Ireland to benchmark against other countries,” said Moran.

“The big headline coming from last year is the growth of cybercrime when it comes to fraud. One in three frauds impacting businesses last year had a cybercrime element to it, just behind asset misappropriation and cash fraud.”

Moran warned that the average cost to a business dealing with serious fraud is now running to €500,000, an amount that would capsize any SME in Europe.

“What makes Ireland stand apart is that when it comes to cybercrime, most organisations see it as a threat and yet, very few are spending money or investing to get it right.

“Many are doing traditional technology controls and maturity assessments to see how good or bad their defences are, but very few are addressing core issues like educating their people, raising cybercrime awareness and improving their security culture.”

This assessment was reflected this week in PwC’s 2017 Irish CEO Pulse survey, which reported that around 40pc of Irish CEOs are not addressing cybersecurity breaches or critical business information systems.

The GDPR alarm clock fails to ring for many firms

In May 2018, the General Data Protection Regulation (GDPR) will come into effect across the EU, bringing with it hefty fines and the spectre of consumers taking litigation against businesses if they feel their data privacy rights have been infringed in any way.

“This is not being addressed and not being invested in sufficiently,” Moran warned.

“This regulation is going to be the biggest change that will impact SMEs and the entire private sector and public sector when it comes to data protection.

“Everybody is starting too late and nobody wants to know about it despite people banging the drum for over a year now.”

One of the stipulations of GDPR is that public sector bodies appoint privacy officers. “There is going to be a scarcity of these people. You are going to need people who are both savvy in terms of technology, but also familiar with all of the GDPR’s regulations and capable of working with the business in terms of systems and designing privacy controls.

“We are foreseeing not so much the big fines getting the headlines, but an increase in customer litigation and actions that will be inevitable with GDPR.”

John Kennedy is a journalist who served as editor of Silicon Republic for 17 years