Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd Security IT Summit | Forum Events Ltd

Posts Tagged :

Business

Government challenges UK boards to up cyber security game

960 640 Stuart O'Brien

Boards at some of the UK’s biggest companies still don’t fully understand the potential impact of a cyber attack, according to a government report.

The Government’s Cyber Governance Health Check looked at the approach the UK’s FTSE 350 companies take for cyber security.

The 2018 report shows that less than a fifth (16%) of boards have a comprehensive understanding of the impact of loss or disruption associated with cyber threats.

That’s despite almost all (96%) having a cyber security strategy in place.

Additionally, although the majority of businesses (95%) do have a cyber security incident response plan, only around half (57%) actually test them on a regular basis.

However, awareness of the threat of cyber attacks has increased. Almost three quarters (72%) of respondents acknowledge the risk of cyber threats is high, which is a big improvement of only just over half (54%) in 2017.

The reports says implementation of the General Data Protection Regulations (GDPR) in 2018 has had a positive effect in increasing the attention that boards are giving cyber threats. Over three quarters (77%) of those responding to last years health check said that board discussion and management of cybersecurity had increased since GDPR. As a result over half of those businesses had also put in place increased security measures.

Digital Minister Margot James said: “The UK is home to world leading businesses but the threat of cyber attacks is never far away. We know that companies are well aware of the risks, but more needs to be done by boards to make sure that they don’t fall victim to a cyber attack.

“This report shows that we still have a long way to go but I am also encouraged to see that some improvements are being made. Cyber security should never be an add-on for businesses and I would urge all executives to work with the National Cyber Security Centre and take up the government’s advice and training that’s available.”

Ciaran Martin, CEO of the NCSC, said: “Every company must fully grasp their own cyber risk – which is why we have developed the NCSC’s Board Toolkit to help them. This survey highlights some urgent issues companies will be able to address by putting our Toolkit’s advice into practice.

“Cyber security is a mainstream business risk, and board members need to understand it in the same way they understand financial or health and safety risks.”

Meanwhile, more work is being done to improve the cyber resilience of business, and a new project has been announced that will help companies understand their level of resilience. The cyber resilience metrics will be based on a set of risk-based principles to allow firms to measure and benchmark the extent to which they are managing their cyber risk profile.

Once developed these indicators will provide board members with information to understand where further action and investment is needed.

Cybersecurity responsible for 36% of management stress

960 640 Stuart O'Brien

Over half of SME owners count internet issues as one of their biggest bugbears heading into 2019, with phishing emails from overseas ‘billionaires’ topping the list of the strangest mailbox scams from the past 12 months.

In a survey conducted by Q2Q, 52% of company bosses complained that problems with their internet were responsible for some of their firm’s biggest technology-related headaches. While an additional 41% of respondents said that six months on, GDPR compliance was still causing confusion within the workplace.

The research also found that phishing emails – including those masquerading as financial information requests from the CEO, and communications purporting to be from a foreign billionaire looking to pass on significant sums of money – made up 38% of the most common scam communications.

Unsurprisingly then, cyber-security was responsible for 36% of management stress, with 22% of respondents citing emerging online risks as one of their biggest IT challenges heading into the New Year.

The research also found that around 64% of SMEs choose to outsource their IT support, while – shockingly – 10% of company owners didn’t have any sort of technical provision.

Andrew Stellakis, managing director at Q2Q, said; “Hearing that internet issues are still responsible for over half of SME’s IT-related headaches is simply inexcusable in this day-and-age. There are plenty of things which can cause a slow connection, but understanding the root cause is key to getting the most out of our systems, employees and the working day.

“It’s also rather worrying that – six months on – 40% of SME’s are still unsure about the rules and regulations surrounding GDPR. Over the past 18 months, I’ve spent a lot of time working closely with SMEs to ensure they are fully compliant – and it isn’t as daunting as it may seem.

“The appointment of a dedicated IT provider or GDPR officer – either in-house or externally – is often left until something goes wrong. But, as the news has been filled with reports of cyber-attacks and GDPR fines over the past few months, it should be all SME owners’ New Year’s resolution to ensure their company – and reputation – remains intact in 2019.”

What does GDPR mean for your business?

960 640 Stuart O'Brien

With the arrival of the General Data Protection Regulation (GDPR) on May 25th 2018, many companies are still unsure as to how the new legislation actually affects them and the implications on how organisations store, secure and manage personal data.

Ian Kilpatrick, executive vice president of Cyber Security for Nuvias Group, explains what GDPR means for business:

“GDPR will affect the whole of the EU Zone, which currently spans 28 member countries and half a billion citizens. Its goal is to unify data protection across the European Union, but because GDPR applies to individuals within the EU or the European Economic Area (EEA), companies outside these zones will still have to meet the standards if they want to continue using data from customers in the EU.

“The purpose of the new regulation is to shift control of personal data back to the owner of that data. Every organisation should be aware that with GDPR comes huge fines for data breaches – up to four percent of annual global turnover or €20 million, whichever is greater. Therefore, the consequences of any data loss could be financially devastating for any company.

“The data in question could be usernames, location data, online identifiers like IP address or cookies, or passwords. The loss of personal or work-related information – whether that’s access details, passwords, or any other customer data – is endemic today; almost 1.4 billion data records were lost in 2016 alone, an increase of 86 percent compared to the year before.

“After next May, organisations will have 72 hours to disclose any serious data breaches to the relevant authorities – in the UK it’s the Information Commissioner’s Office (ICO), as well as the victim of the breach. The penalty for failing to notify them of a breach will be up to €10 million, or two percent of revenues.

“Analyst firm IDC predicts that the severity of fines, coupled with the substantial changes in scope, will drive enterprises to radically shake up their data protection practices, seeking the assistance of new technologies to assist with compliance.

“Despite all this, a survey by information services group, Experian, reports nearly half of businesses (48 percent) admit they are not ready for GDPR, and are only in the early stages of preparing for the regulations.

“If they are not doing so already, organisations need to start putting plans in place now if they’re to meet the May 2018 deadline.

“So, what steps can companies take to ensure their GDPR-compliance? The ability to ensure confidentiality, integrity, availability and resilience will be crucial – as will be restoring data in a timely manner in the event of an incident. Organisations will need a process for testing and evaluating the effectiveness of their security processes, meaning they will need to demonstrate they have taken adequate steps to protect the data.

“GDPR doesn’t prescribe specific data protection technologies, but rather processes that organisations should undertake. However, companies should be talking to their IT providers about core data security solutions that cover things like encryption, access and identity management, two factor authentication, application control, intrusion prevention and detection, URL filtering, APT blocking and data loss protection. Also, they shouldn’t neglect the network, by securing wireless access points, for example.

“Having a demonstrable security policy in place and making sure employees are fully trained in the correct security practices will prove invaluable.

“Larger organisations and public bodies will require a data processing officer; this is a senior role that operates independently of the IT department and will enjoy significant protection, along with the responsibility of reporting any data breach. They will act as a fulcrum for developing, enacting and continually testing security compliance posture.

“However, GDPR compliance is everyone’s responsibility, and shouldn’t be left to one team – legal, IT, HR and other business functions must all be involved with visible support from the executive level.

“Something else that GDPR will likely affect is insurance. As the regulations require every business to report any data breach, there is going to more of an emphasis on liability and who is to blame as data losses come to light.

“In simple terms, businesses should document everything they have done at a technical and policy level to show due diligence. There are several framework documents created at a national level that can help. For example, the UK’s national cyber security centre has a number of 10-step programmes that offer a basic checklist of areas that should be covered.

“With heavy financial and reputational risk threatening, the sooner the new regulations are adopted, the more confident a company can be that it will not be found wanting when GDPR comes into effect.”