CONTENTS

politics first | Special Section: Cyber Crime
ADVERTORIAL
96
Legislators need to devise a strategy
to counteract cyber crime
The digital economy is an increasingly important part of the UK economy.
Our nation’s finances are boosted by around £145 billion a year from
digital technology, and the UK has the largest internet economy in the
G20. But as the digital economy grows, the opportunity for cyber-crime
increases, and the challenge to make the UK a safe place to do business
in becomes ever more important. Earlier this year, the Culture, Media
and Sport Select Committee carried out an inquiry and published a
report on the topic.
Given the importance of e-commerce to the British economy and
the prevalence of e-services, coupled with the mounting threat of cyberattacks,
companies must continually invest in cyber-defences and
ensure that they are keeping ahead of criminals and hackers. TechUK
estimates that cyber-crime costs the UK economy £34 billion a year.
According to evidence submitted to the inquiry by the Federation
of Small Businesses, a third of their members had been the subject of
cyber-crime. The recently published Cyber Security Breaches Survey
2016, commissioned by the Department for Culture, Media and Sport,
found that 25 per cent of companies experience a cyber-breach at least
once a month. Cyber security attacks are an inevitable part of being in
the digital economy today.
In major organisations, where the risks of attack are significant,
the person responsible for cyber-security should be fully supported
in organising realistic incident management plans and exercises.
Someone on the board needs to be ultimately accountable for cyber
security, while day-to-day responsibility should reside with someone
senior - and both should be sanctioned if the company has not taken
sufficient steps to protect itself and its customers from a cyber-attack.
Companies and other organisations need to demonstrate not just how
much they are spending to improve their security but prove that they are
spending it effectively.
Cyber Essentials, a government-backed, industry supported scheme
to help organisations protect themselves against common cyber-attacks,
sets out the technical controls organisations should have in place to
demonstrate that they are following a basic level of “good practice”. The
scheme provides a base level of readiness for the organisation to defend
itself from internet-based attacks.
Nigel
Huddleston,
a member of the Culture,
Media and Sport Select
Committee and Conservative
MP for Mid Worcestershire
Whilst Cyber Essentials provides a good check list for small and
medium-sized firms, it needs revision. It was established in 2014 and
has not been updated since then. The Government’s expectation is that
larger organisations, and those that hold large amounts of data, would
need to undertake other measures above and beyond those included in
the Cyber Essentials scheme.
The most high profile cyber-attack in recent times was on
telecommunications and internet provider TalkTalk in October of last
year, when customer names, addresses, dates of birth, phone numbers,
email addresses, TalkTalk account information, credit card details and/or
bank details were compromised.
Consumers are increasingly concerned about data protection and
cyber-security. According to the Institute of Customer Service, 43 per
cent are concerned that cyber-attacks might compromise their personal
information, while financial loss is the principal concern. Consumers
need to be able to identify which suppliers and retailers are implementing
effective data protection and security defences.
As Financial Fraud Action UK told the committee, as fraudsters
increasingly concentrate their attacks on customers, a major part of the
response must be through awareness-raising about how customers can
identify fraudulent approaches and protect themselves. There needs
to be a step change in consumer awareness of on-line and telephone
scams.
As we look to the future, there will be rapid technological
advancements which will increase opportunities for hostile actors.
The tools and techniques that are currently rare will be commonplace.
Cyber-crime will significantly increase and criminals will exploit those
new opportunities for fraud and theft.
We legislators need to ensure that appropriate regulatory bodies
have teeth to deal with the issue, that those who break the law can
be identified and prosecuted, and that those companies which store
consumers’ data do all that they can to protect it.
As consumers, we all need to better understand where and how our
data is stored, doing more to ensure we are only putting our data in the
hands of those who we feel can be trusted to look after it.
UK Companies, particularly SME’s,
are not ready for the legal changes
racing toward them
Data Protection (DP) keeps executives and legislators awake at night. The
sharp end of ‘Cyber Security’ (properly ‘Information Security’, because DP
encompasses much more than just ‘cyber’) is about to get tough with stiff
punishments, which are meant to hurt, for non-compliance. Companies must
retain appropriate expertise on their Board - and to police their supply chain
compliance. Regulators are increasingly taking action against individual
executives where negligence is a factor. Woe betide those who fail to ensure
the safety of data in their care.
SME’s are our engine for growth.
Information Security services to SME’s
through our affordable BeCyberSure
monthly subscription service.
Andrew Taylor
CEO of Bronzeye IBRM
020 3290 0686
On 25 May 2018, the EU’s General Data Protection Regulations (GDPR) will take
effect. On that date, the UK will probably still be a member. If we’re not out, we’re
still in. Grey areas will proliferate. There will be more opinions than lawyers. We
could easily tie ourselves into legal Gordian Knots wondering what the Information
Commissioner’s (ICO) stance will be on GDPR.
Whatever legal construct we end up with, the UK risks putting itself in a poor
regulatory position if it doesn’t adopt or replicate GDPR. The least we can expect
is an uprated Data Protection Act (DPA2.0) to make sure we stay with the pack
- otherwise we risk placing ourselves on a lower standard of governance to our
counterparts in the EU, North America and the Antipodes.
companies to know in detail their data footprint; what, where, why and what
effective purging and destruction procedures for when it is no longer extant
Most are a million miles from being able to do any of that right now.
More worrying is that most UK companies are blissfully unaware that this regulatory
tsunami is heading toward them. There is much to do, time is tight. We worry that
companies will be tempted to use the tried, tested (and failed!) parking of this
Cyber Security is an element of Information Security which is an element of Risk
Management. Risk Management must be supervised from the Board Room.
If most breaches - 95% according to IBM - have their genesis in human errors/
actions, not technology, education and training is paramount.
The general thrust of GDPR is to force all companies to address the entirety
concatenated, functional and effective governance regime.
Most at risk are the smaller companies. Less sophisticated, less well funded and
traditional cyber security vendors because they lack scale and deep pockets.
We need to get to work to prepare these companies or they won’t be ready and
that will be a disaster for the country and our small businesses.