Trying to explain to a business manager why IT security is so important is like trying to tell a teenager what is wrong with downloading files illegally: they hear what you're saying, but you don't get the feeling it really sinks in.
Security still is a difficult topic for a lot of business managers. On the one hand, they do understand there are people who try to crack the ones and zeros on the company’s servers, but on the other, it’s still very abstract to them. This is strange. After all, the amounts of money involved in cyber crime are not to be sniffed at. I won’t try to put a price tag on the data that criminals may extract from your servers, but if you’ve paid a bit of attention, you know that with effect from 1 January, companies in the Netherlands now have an obligation to report data leaks. That means you could suddenly be fined something like €820,000 if you're unable to prove you've done everything you could to protect sensitive data within your organisation.
And still, the message isn't hitting home. The Personal Data Authority recently concluded that the new reporting duty seems to have had little effect so far. During a period in which 20,000 data leaks were reported last year, only 1,600 reports have been made since the duty to report came into effect. “When you realise that there are 130,000 organisations in the Netherlands that process personal data, surely there must be more data leaks,” deputy chairman Wilbert Tomeson said to the NOS. Strange. You would think that businesses attach more importance to the data of their customers, partners and employees.
Perhaps it's a case of denial. If you ask businesses about the measures they have taken so far, the initial response usually is that everything is hunky-dory. But if you ask a couple more questions, you discover they're not really too sure whether things have been properly organised. Ask them straight out if they would entrust their children to their IT department and the conversation suddenly turns awkward.
Perhaps it's a case of distress. IT security suppliers have been warning us for years about the growing threat of cyber crime. Authorities have published comprehensive reports about the subject and the media regularly tell us about data leaks with the information of millions of users being left in a suitcase on a train. Managers are no longer surprised by it. It doesn’t affect them. They allocate a budget for a number of targeted solutions, but there is hardly any serious coordinated approach.
And perhaps it's hypocrisy. Apparently, things have to get personal before businesses are prepared to invest in security. Because at the end of the work day, those same managers get into their expensive lease cars full of security features that were paid for without raising an eyebrow. Seatbelts, whiplash protection systems, ABS, EPS, satellite tracking devices, stability control, traction control, blind spot monitoring, collision warning, lane departure warning, tyre tension control... A single beep or light on the dashboard prompts them to head for the garage to have it fixed immediately. Sorry, what did you say? Winter tyres? Well, if you say so...
Whatever it is, time is seriously running out. Once the European legislation comes into force (the General Data Protection Regulation was adopted by the European Parliament in April and will apply throughout the EU as of 25 May 2018), an inadequate security policy may suddenly cost you 4% of your company’s total international annual turnover. For quite a lot of organisations, that’ll be the end of them.
As things stand now, we wait for the first business manager to wrap his business around a virtual tree. As the deadline approaches, feel free to call me for some advice. But something tells me we might be very busy all of a sudden...