POLITICS-FIRST-SEPT-OCT-2016-FINAL
politics first | Special Section: Cyber Crime
ADVERTORIAL
Legislators need to devise a strategy to counteract cyber crime
The digital economy is an increasingly important part of the UK economy.<br />
Our nation’s finances are boosted by around £145 billion a year from<br />
digital technology, and the UK has the largest internet economy in the<br />
G20. But as the digital economy grows, the opportunity for cyber-crime<br />
increases, and the challenge to make the UK a safe place to do business<br />
in becomes ever more important. Earlier this year, the Culture, Media<br />
and Sport Select Committee carried out an inquiry and published a<br />
report on the topic.<br />
Given the importance of e-commerce to the British economy and<br />
the prevalence of e-services, coupled with the mounting threat of cyber-attacks,
companies must continually invest in cyber-defences and<br />
ensure that they are keeping ahead of criminals and hackers. TechUK<br />
estimates that cyber-crime costs the UK economy £34 billion a year.<br />
According to evidence submitted to the inquiry by the Federation<br />
of Small Businesses, a third of their members had been the subject of<br />
cyber-crime. The recently published Cyber Security Breaches Survey<br />
2016, commissioned by the Department for Culture, Media and Sport,<br />
found that 25 per cent of companies experience a cyber-breach at least<br />
once a month. Cyber security attacks are an inevitable part of being in<br />
the digital economy today.<br />
In major organisations, where the risks of attack are significant,<br />
the person responsible for cyber-security should be fully supported<br />
in organising realistic incident management plans and exercises.<br />
Someone on the board needs to be ultimately accountable for cyber<br />
security, while day-to-day responsibility should reside with someone<br />
senior - and both should be sanctioned if the company has not taken<br />
sufficient steps to protect itself and its customers from a cyber-attack.<br />
Companies and other organisations need to demonstrate not just how<br />
much they are spending to improve their security but prove that they are<br />
spending it effectively.<br />
Cyber Essentials, a government-backed, industry-supported scheme
to help organisations protect themselves against common cyber-attacks,<br />
sets out the technical controls organisations should have in place to<br />
demonstrate that they are following a basic level of “good practice”. The<br />
scheme provides a base level of readiness for the organisation to defend<br />
itself from internet-based attacks.<br />
Nigel Huddleston, a member of the Culture, Media and Sport Select Committee and Conservative MP for Mid Worcestershire
Whilst Cyber Essentials provides a good check list for small and<br />
medium-sized firms, it needs revision. It was established in 2014 and<br />
has not been updated since then. The Government’s expectation is that<br />
larger organisations, and those that hold large amounts of data, would<br />
need to undertake other measures above and beyond those included in<br />
the Cyber Essentials scheme.<br />
The most high-profile cyber-attack in recent times was on
telecommunications and internet provider TalkTalk in October of last<br />
year, when customer names, addresses, dates of birth, phone numbers,<br />
email addresses, TalkTalk account information, credit card details and/or<br />
bank details were compromised.<br />
Consumers are increasingly concerned about data protection and<br />
cyber-security. According to the Institute of Customer Service, 43 per<br />
cent are concerned that cyber-attacks might compromise their personal<br />
information, while financial loss is the principal concern. Consumers<br />
need to be able to identify which suppliers and retailers are implementing<br />
effective data protection and security defences.<br />
As Financial Fraud Action UK told the committee, as fraudsters<br />
increasingly concentrate their attacks on customers, a major part of the<br />
response must be through awareness-raising about how customers can<br />
identify fraudulent approaches and protect themselves. There needs<br />
to be a step change in consumer awareness of on-line and telephone<br />
scams.<br />
As we look to the future, there will be rapid technological<br />
advancements which will increase opportunities for hostile actors.<br />
The tools and techniques that are currently rare will be commonplace.<br />
Cyber-crime will significantly increase and criminals will exploit those<br />
new opportunities for fraud and theft.<br />
We legislators need to ensure that appropriate regulatory bodies<br />
have teeth to deal with the issue, that those who break the law can<br />
be identified and prosecuted, and that those companies which store<br />
consumers’ data do all that they can to protect it.<br />
As consumers, we all need to better understand where and how our<br />
data is stored, doing more to ensure we are only putting our data in the<br />
hands of those who we feel can be trusted to look after it.<br />
UK Companies, particularly SMEs, are not ready for the legal changes racing toward them
Data Protection (DP) keeps executives and legislators awake at night. The<br />
sharp end of ‘Cyber Security’ (properly ‘Information Security’, because DP<br />
encompasses much more than just ‘cyber’) is about to get tough with stiff<br />
punishments, which are meant to hurt, for non-compliance. Companies must<br />
retain appropriate expertise on their Board - and to police their supply chain<br />
compliance. Regulators are increasingly taking action against individual<br />
executives where negligence is a factor. Woe betide those who fail to ensure<br />
the safety of data in their care.<br />
SMEs are our engine for growth.
<br />
Information Security services to SMEs
through our affordable BeCyberSure<br />
monthly subscription service.<br />
Andrew Taylor<br />
CEO of Bronzeye IBRM<br />
020 3290 0686<br />
On 25 May 2018, the EU’s General Data Protection Regulations (GDPR) will take<br />
effect. On that date, the UK will probably still be a member. If we’re not out, we’re<br />
still in. Grey areas will proliferate. There will be more opinions than lawyers. We<br />
could easily tie ourselves into legal Gordian Knots wondering what the Information<br />
Commissioner’s (ICO) stance will be on GDPR.<br />
Whatever legal construct we end up with, the UK risks putting itself in a poor<br />
regulatory position if it doesn’t adopt or replicate GDPR. The least we can expect<br />
is an uprated Data Protection Act (DPA2.0) to make sure we stay with the pack<br />
- otherwise we risk placing ourselves on a lower standard of governance to our<br />
counterparts in the EU, North America and the Antipodes.<br />
<br />
companies to know in detail their data footprint; what, where, why and what<br />
<br />
effective purging and destruction procedures for when it is no longer extant<br />
<br />
<br />
Most are a million miles from being able to do any of that right now.<br />
More worrying is that most UK companies are blissfully unaware that this regulatory<br />
tsunami is heading toward them. There is much to do, time is tight. We worry that<br />
companies will be tempted to use the tried, tested (and failed!) parking of this<br />
<br />
Cyber Security is an element of Information Security which is an element of Risk<br />
Management. Risk Management must be supervised from the Board Room.<br />
If most breaches - 95% according to IBM - have their genesis in human errors/<br />
actions, not technology, education and training is paramount.<br />
The general thrust of GDPR is to force all companies to address the entirety<br />
<br />
<br />
concatenated, functional and effective governance regime.<br />
Most at risk are the smaller companies. Less sophisticated, less well funded and<br />
<br />
traditional cyber security vendors because they lack scale and deep pockets.<br />
We need to get to work to prepare these companies or they won’t be ready and<br />
that will be a disaster for the country and our small businesses.