We are living in a constantly interconnected society, where each individual walks around with one or more gadgets with access to internet. These devices contain unlimited personal data about consumption, preferences, bank accounts, activities, behavior in social media, etc. All this intelligence being of an uncountable value for certain stakeholders (companies, organizations, individuals, etc). Meanwhile, these users live blindly and little aware of he magnitude of the dangers they are to which they are susceptible.

Every individual has become a risk factor, an entrance portal exposed to any type of cyber-attack. Only in Spain, cyber-attacks have increased exponentially in recent years; According to studies presented by the Spanish National Institute of Cyber-security (INCIBE), the biggest jump has occurred in the last twelve months, from 50,000 to 120,000 attacks (a 357 percent more in the last year). This could be extrapolated to the rest of the world with the recent example of the WannaCry hackers’ attack. This ransomeware affected over a 150 different countries and many global companies.

When becoming part of a company, every individual brings with them all those threats to which they are daily exposed. Companies maintain strict controls on all fixed terminals under their radar, but despite the efforts, all mobile devices are beyond that control. According to PR Newswire, in 2016, 90 percent of cyber-attacks originated from information stolen from employees. Society has evolved to the point that digitalization has reached all aspects of everyday life. Despite this development, companies have maintained their security procedures without taking into account the new dynamics, leaving larger breaches uncovered.

Due to the rapid increase of these types of attacks in recent years, and the lack of corporate reporting policies with regard to these incidents, the European Parliament has decided to intervene to promote a better risk management and to ensure that all attacks are reported. The Directive 2016/1148 of the European Parliament and Council “on measures to ensure a higher common level of security for information networks and systems in the European Union” will be effective from 2018 onwards. Non-compliance with this new regulation will result in fines of up to 20 million euro or 4 percent of the sales volume of the affected companies.

The main problem lies within the fact that though many large companies suffer thousands of attacks every day, they have no major consequences. A constant communication of these encounters could be detrimental to their own reputation and/or their customer’s perception of how the firm is dealing with their personal information. In addition to this, the implementation of these measures will also imply the constitution of specialized departments in this sort of communications, and the readjustment of the company’s procedures to comply with the new regulations. These added measures are making them assume very high additional costs, with which many companies will not be able to cope.

The new reputational paradigm has naturally shifted towards cyber-security and will become one of the most important challenges for companies. They will now have to learn the new way in which business is done, in this change of era where threats can come also from within.