The current cybersecurity landscape has forced us to learn how to cope with the cyber threats around us. By assisting our clients and international law firms in large and complex data breach incidents, we have learned the pain points and the relieving factors in today's data breaches. Based on our experience of 2022, the busiest data breach year to date, we predict that risks and malicious cyber attacks will only continue to increase. Our team has compiled our key takeaways into five categories covering the old and new elements of cybersecurity.
Technical core elements
Cybercriminals often target the “low-hanging fruit”. In order to secure employees, customers, services and business partners, as well as the business as a whole and its continuity, it is necessary to build a strong technical cyber shield in one’s IT systems and environments. Therefore, organisations need to be familiar with the possible threats, the available best practices and the requirements of law whenever IT systems, products and services are sourced and upgraded. We need to think ahead: cybersecurity must carry on throughout the whole lifecycle of the system, product or service, and beyond that. This entails updating, monitoring and assessing the security levels, as well as applying sufficient and sustainable contractual terms in technology agreements.
Even the best available cyber team cannot secure the whole organisation without teamwork. Large data breaches often commence with email attacks, such as phishing, which are sometimes difficult to spot among the flood of email. Malicious attackers often target members who are considered either the most vulnerable, such as new employees who have not yet learned the ropes, or the most influential, such as members of the management team. Collaboration and shared responsibility form one of the key elements in protecting the organisation. This means that all members of the organisation, as well as external partners, need to collaborate in a responsible manner towards the common goal. The privacy and security functions, together with all the legal counsels of the organisation, have a pivotal role to play in this continuous preventive work, which entails a vast field of different tasks from sourcing procedures and internal policies to third-party agreements and data protection impact assessments.
A certain level of training must be provided to all members of the organisation. Everyone should be familiar with the risks that are relevant in their area of responsibility. In addition to the cyber threats, organisations need to be familiar with the relevant legal requirements stemming from data protection and cybersecurity legislation, including sector-specific legislation. Consequences and risks increase if a data breach incident reveals that mandatory legal requirements have been disregarded. In most cases, the management of the organisation bears the responsibility for compliance with the applicable legal requirements.
Cybersecurity entails thinking ahead, constantly. According to the leading Finnish cybersecurity experts, data breaches will occur in all organisations sooner or later. It is vital to have an extensive plan for recovery measures as well, including mapping and contacting the necessary external advisors from the areas of technical consultancy and legal advice. Typically, organisations face an unexpected situation when the data breach notification must be filed with the competent data protection supervisory authority or authorities within 72 hours of becoming aware of the breach. Even though the notification can be filed as preliminary and completed later, the list of information requested for the initial notification is quite extensive. Sometimes the notification must be filed in several countries, following varying local filing procedures. Our existing international networks of law firms and other experts cover all jurisdictions globally and ensure that these obligations can be fulfilled within the set time limits.
Cyber risks and their actualisation cause distress to organisations, their people and their customers. A data breach that involves the personal data of individuals may be a devastating shock to the affected data subjects. When resources are reallocated during incident management, external advisors can help reduce the distress by taking on work so that internal resources can be allocated to supporting the organisation and the affected individuals. Managing cyber risks is not only about protecting the business, but also about taking care of the people, their security and their wellbeing.