At the Global Dimensions of Protecting the Economic Competition conference, held by the Center of Complex Research on Antimonopoly Policy (Ukraine) on 28 February, an important research paper was presented on the many issues connected with cyber security in global business, written by Professor Nataliia Kochkina, PhD in Economics, Associate Professor at Taras Shevchenko National University of Kiev.

The analysis, to which Joy System also contributed through its CEO Filippo Rossi, focuses broadly on the main issues of international cyber security, with particular reference to the economic development of Ukraine.

Among the topics covered: the risks facing the enormous quantity of data travelling across networks, the many breaches and continual cyber attacks suffered by some of the leading brands in international business, the poor awareness and perception that companies have of cyber security, and the entry into force of the new European regulation on the protection of personal data (GDPR), with which Ukraine, although not part of Europe, is aligning itself in order to safeguard international agreements with companies from the old continent.

Below is the chapter of the thesis titled BUSINESS SECURITY IN A WORLD OF A GLOBAL CYBER THREATS, written by Prof. Nataliia Kochkina with the contribution of Filippo Rossi, CEO of Joy System.

The world has changed. We live in an age of information, the volume of which grows exponentially every day. In 2010 the volume of global data was 1.2 ZB; within five years it had increased by 7 times. Experts expect that by 2020 this figure will reach 35.0 ZB, with one third of the data stored online [1].

The sphere of business accounts for 80% of global information. Hence it is the main object of cyber attacks. The volume of data breaches is growing every year. In 2005 there were 136 global data breaches, in 2006 – 321, in 2010 – 953, in 2015 – 3930. The number of exposed records in 2015 reached 736 million (compared to 96 million in 2010) [2]. In 2016, the US alone reported 1093 massive data breaches with 36.6 million records lost. 45.3% of them were in the business sector. In the first quarter of 2017, half of the records breached were business data [3].

Since 2013, more than 9 billion records have been stolen or lost. Table 1 shows the TOP-10 largest data breaches in recent years. The biggest percentage goes to identity theft. The most affected are the financial sector and retail. However, high-tech companies are not immune to data breaches. In 2013, Adobe Systems Inc. lost 152 million records through unauthorized access to financial data. In October 2017, Yahoo announced an exposure of 3 billion records in 2013 – 2014. This means that in today’s world no single business can feel completely protected.

However, cyber attacks are aimed not only at stealing data, but also at gaining control over users’ computers by spreading malware. By 2017, the world had experienced three massive ransomware attacks: WannaCry, NotPetya and Bad Rabbit [5]. The main target of the second attack was Ukraine. According to Microsoft, 12,500 computers were infected [6]. Among the victims were the banking sector, infrastructure facilities (including Kyivenergo, Kievvodokanal, Boryspil airport and Chornobyl NPP), mass media, governmental structures, telecom operators, retailers, healthcare organizations, and large and medium-to-small companies in various business spheres, including FedEx and British advertising agency WPP. Thus, it was the largest cyber attack in the history of Ukraine, which showed the cyber insecurity of the country at all levels.

More local cyber attacks on Ukraine’s infrastructure and business occurred in the past [7]. In the first case, an attack always has a significant social impact. As a result, the country invests in increasing the level of security. However, when a business is attacked, it remains a problem of that business. The largest losses are borne by small and medium-sized companies, which do not have enough resources to protect themselves against global threats. According to the Ponemon Institute [8], each lost record costs the company $141 on average. This is a significant amount of money for small businesses.

The paradox is that the owners of such businesses usually do not perceive their own vulnerability, because they consider themselves not interesting enough for cyber attacks. However, according to the National Cyber Security Alliance [9], in recent years about 50% of small businesses have been hacked. In general, the majority of cyber attacks (70%) are aimed specifically at small and medium-sized businesses.

Improvement of the current situation should be facilitated by the introduction of the General Data Protection Regulation (GDPR) [10] – the new EU law, which enters into force on May 25, 2018. The GDPR regulates the behavior of organizations that collect or process personal data. GDPR is based on the human right to privacy.

Each person should always be able to export, correct or delete personal information, as well as prohibit access to it. In turn, companies are obliged to protect personal data through personnel training and recording of information processing activities, including immediate notification of authorities about unauthorized access. Failure to comply with the requirements of the rules carries a penalty of 4% of the company's annual global turnover or criminal liability. GDPR is extraterritorial. It regulates any business that collects or processes personal data of EU citizens, regardless of the country where that activity takes place. Thus, GDPR influences the Ukrainian companies that employ EU citizens, carry out marketing and other research of the EU market, use information of EU citizens in their own products, and supply goods and services to the EU. That means that the GDPR covers not only international business, but also tourism companies, hotels, airlines and railways, financial institutions, universities and even private entrepreneurs that sell their goods to EU citizens.

Obviously, the level of readiness to implement the GDPR principles in Ukraine is minimal. The degree of EU readiness is also not very high. According to a Global Forensic Data Analytics Survey of risk managers in 19 countries conducted by Ernst & Young in October-November 2017 [11], only 33% of respondents noted that their company had already carried out activities to guarantee information protection. 17% had become acquainted with the document, but had not made the appropriate changes in the system of collecting and processing personal data. 11% stated that they were still studying the document, and 39% had not yet begun to investigate the GDPR requirements.

European integration of Ukraine requires compliance with EU legislation, including personal data protection. This will increase the level of economic security of Ukrainian business against the backdrop of global cyber threats.