Cyber Security is an element of Information Security. Information Security is an element of Risk Management. Risk Management must be overseen by the board. It must never reside in the IT Department and putting it there massively raises risk.
Business interruption, repetitional damage and cybercrime are, in that order, the top three concerns of businesses. The threat to business from criminals who use the internet to commit their crimes is exponentially rising, multiplying enormously the scale of the first two problems.
A huge proportion of cyber crime – IBM says 95% and we think it is higher – has its origin in user error or insider malicious activity. Whatever the true extent of the ‘insider threat’, manage it down and life will become easier for everyone.
The EU’s General Data Protection Regulation (GDPR) takes effect on May 25th, 2018. This Regulation is a seismic step change in how we must look after data in our care. Whilst two years may seem a long time, there is much to do. Those who hold data must begin their preparation now. They must know what they hold and where it is. If it’s in a ‘Cloud’, it remains their responsibility – if the ‘Cloud’ provider is negligent, responsibility will still lie with the ultimate custodian.
The law of unintended consequences may see GDPR creating more aggressive regulators. Each national regulator will benchmark themselves against the others. None will want to be seen as a soft-touch. In addition, international data-protection cooperation is increasing – so custodians need to be cognisant of where their extra-territorial liabilities lie. We expect many jurisdictions to demonstrate an increasing appetite for testing their legal reach in coming years. Criminal convictions are now possible everywhere. Custodial punishments will become increasingly common.
Like cars and guns, computers are not intrinsically dangerous. Carelessness, pressure or malice will change this in a moment. The broad purpose of most data protection laws is to encourage enterprises to take care of data. Management must lead by example. In the past, data breaches have resulted in such frenetic finger pointing that it would make a fine source of renewable energy. GDPR takes us beyond this. In the future, any board or C-Suite which tries to blame a data breach on the IT Department will quickly find that that lifeboat is not seaworthy.
A well constructed governance regime, proactive management and dynamic security culture should be at the heart of any Information Security regime. Effectively executed, this will go far in countering the ‘insider’ threat thereby ensuring a significant lowering of general cyber risk. In the process this will create more trained eyes supporting enterprise security efforts and in doing so, improve crisis management capability and overall business resilience.
Andrew Taylor
CEO of Bronzeye IBRM
BronzeyeIBRM offers an affordable monthly subscription-based information and cyber security service to SMEs and others.