Cybercrime is a growing concern. Hackers and criminals have taken the opportunity to use technological advances to gather sensitive information on you, me and anybody. Over time we have seen big companies fall victim to such attacks: Uber, T-Mobile, Equifax and even Pizza Hut have been victims of vicious cyberattacks, causing an uproar and leaving individuals feeling greatly at risk, because let’s face it, we never really know who has our data and information.
With GDPR coming into effect in May 2018, we have long been waiting to see whether the new regulations will help tackle cybercrime, or at least the after-effects of such an event. This month we speak with Andre Pienaar, who is the founder of C5 Capital and a lawyer, as well as an expert on cyber law and cybercrime. He explains how, when a prominent company such as Uber has been breached, legal counsel will be on hand to deal with the issue. Nonetheless, bounty programmes are fraught with compliance and fraud risks.
Therefore, Andre speaks on the first course of action any company should take when faced with a cyber risk, and on whether GDPR addresses all the issues cybersecurity presents.
What would you say is the first course of action any company should take when under a cyber-attack?
Don’t panic. Understand what is at risk, consult the incident/crisis response plans that every company should have on file (and which should be tested regularly) and determine what the appropriate action is. Engage experts for specialist incident response and forensic skills, or when an independent investigation is required.
What is the most complex form of a cyberattack and how would you say a company should work around it?
A regular complex form of cyber-attack is the insider threat. It is often said that employees are a company’s most valuable asset. This is of course true. They have access to the most sensitive information and we rely on some of them to maintain the security and functionality of our systems.
From file hijacking, keylogging and taking screenshots, which poses the most complexity when trying to overcome the damages?
Ransomware regularly makes headlines when it cripples a business by denying them access to their own information and systems. But the most complex and dangerous attack to overcome is a sophisticated targeted cyber-attack aimed specifically at your company. Defending against such targeted attacks is a challenge most businesses cannot muster and even more cannot even detect that they have been breached, thus allowing an unknown unauthorised attacker to access sensitive company secrets, without the knowledge of the business. We have seen this result in valuable intellectual property and research being stolen, or competitors getting inside information about deals or strategy.
Do you believe the GDPR Act addresses all cybersecurity issues? If not, what else do you think should be addressed?
The European Union General Data Protection Regulation focuses on protecting European citizens and, more specifically, their personal identifiable information. Many of the principles GDPR introduces (such as Privacy by Design, which ensures that security is properly considered from the outset of any project that will handle personal data) are founded on cyber security best practices. But there are other areas of cyber security, such as the availability of systems or security controls on areas that do not pertain to personal information, that go beyond GDPR.
Data controllers will be required to report data breaches to their data protection authority unless it is unlikely to represent a risk; what classes as a risk?
Under GDPR it will become mandatory to report a breach involving personal data, unless the data breach is unlikely to result in a risk to the individual’s “rights and freedoms”. These rights and freedoms are detailed in Recital 75 of the GDPR and include any personal attributes or personal data being revealed. Regardless of the type of data, there is also a provision that breaches involving a large amount of data or affecting a large number of individuals must be reported.
Moreover, do you think paying ransom is the best option? What other options are there?
Paying any ransom does not guarantee the return of one’s data or service and it incentivises financial crime in the future. Additionally, it does not absolve the company of any regulatory disclosure responsibilities either.
As you have worked in a variety of jurisdictions, do you think cybersecurity needs to be better addressed in some countries more than others?
The cyber security threat is global and in our interconnected world, attacks from anywhere could reach you wherever you are in the world. We need to do more to share information within sectors and between governments to establish collective security defences.
Managing Partner and Founder, C5
www.c5capital.com
Andre is a Managing Partner and the Founder of C5, a specialist technology investment group focused on cybersecurity, cloud computing and big data analytics with offices in Washington, London, Luxembourg and Bahrain. Andre serves on the boards of several cybersecurity companies including the Haven Group in Luxembourg, ITC Security in London and Omada in Copenhagen.
Mr Pienaar started his career at Kroll Inc, where he became the youngest managing director until the successful sale of the company to Marsh McLennan. In 2004 Andre founded G3, an international consulting firm that advises global companies and international law firms on cybersecurity. He sold G3 in 2011 to Europe’s leading technology investment holding company.
Andre advised the 6th Duke of Westminster on the establishment of the new Defence and National Rehabilitation Centre (DNRC) in the United Kingdom as a state-of-the-art centre for the rehabilitation of British military veterans.
Mr Pienaar is a member of the U.S. Government’s Institute of Peace (USIP) International Advisory Council and a Director of the PeaceTech Lab in Washington DC. He is a member of the National Council on White House History, a US not-for-profit that is the custodian of the White House, its art and history, as well as being a Director of the International Centre for Missing and Exploited Children (ICMEC) and a trustee of the David Shepherd Wildlife Foundation, a British charity focused on wildlife conservation.
A family capital-backed investment firm, C5 Capital build long-term relationships with committed investors, innovative founder teams and global companies keen to maintain their edge. Operating out of London, Luxembourg, Cape Town, Washington D.C. and Manama, they identify, nurture and support partners, whether they’re just starting out, or embarking on the next phase of their growth.
Given their specialist industry knowledge and execution capability throughout EMEA, they are able to offer a powerful combination of expertise, funding and growth opportunities, all the while ensuring that they are contributing to the public good.