The Most Expensive Software In The World Will Not Save You If Your Human Firewall Isn’t Turned On

Companies should not underestimate the risk from cyber crime and from new legislation, the GDPR (General Data Protection Regulation).

When an online bank or a telecoms company hits the headlines as the victim of a cyber attack, it can reinforce the perception among other businesses that they have little to fear because they are smaller or not in the same sector. This is a potentially dangerous mistake. In fact, companies in almost every sector are falling foul of cyber criminals every day; it just isn’t headline news. Worryingly, many still think it is the responsibility of the IT department rather than a safety or security problem for the whole business.

Furthermore, most companies are so busy looking for a technological ‘silver bullet’ to protect them that they completely overlook the weakest link: people. The one constant in all of this is that the vast majority of these events involve ‘insiders’, that is, employees or contractors doing something they should not have done, or failing to do something they should have. Sometimes this consists of errors, sometimes it is malicious. By the ‘vast majority’, we mean more than 60%. IBM estimates that 95% of ALL breaches may have an insider element.

The building sector and its related industries are as much at risk as any other. For these industries, the stakes can be even higher than those of banking or communications. In addition to the huge reputational and financial damage at risk, building companies must also consider operational disruption and, as has happened with offensive intrusions into industrial control systems, even the potential for significant damage to property, injury or loss of life. Managers typically underestimate the disruption that is possible and their responsibility for it. Whether ‘user error’ or malicious, virtually all ‘insider’ driven vulnerability is created through poor governance.
A lack of awareness leads to workers who do not understand the threat and, therefore, do not understand just how important their role is in combatting it. This is directly the responsibility of management. It is their responsibility to mitigate the risk facing their business: they control budgets and set the rules, processes and procedures which should provide the structure upon which good cyber hygiene must stand. Even where vulnerability is created through malicious activity, the responsibility again lies with management, because good governance is the first and best line of defence against such behaviour. The Information Commissioner, Elizabeth Denham, described cyber security as “not an IT issue”, but “a board issue”. Denham has made it clear that she will hold companies accountable for their data protection. The recent Tesco Bank hack required Tesco to repay its customers £2.5m in stolen funds; had this happened after the General Data Protection Regulation (GDPR) comes into force in 2018, the fines imposed would in all likelihood have dwarfed the cost of the attack itself. Fines of up to 4% of a group’s global turnover are available to regulators, and the current message is that they are going to be keen to make use of them.
The prevalence of the ‘insider’ risk, combined with these imminent new data protection laws, must focus the minds of boards and executives. New laws in Europe (the GDPR) and elsewhere have raised the imperative for everyone to get their data protection houses in order. Data protection is about to become the most important thing any business does. Compliance with data protection legislation will shortly move from semi-optional – businesses were rarely monitored and were only caught and penalised after a data breach – to obligatory and monitored. Under the new laws, defensive software must be “state of the art”, but so too must be the governance of everything surrounding the protection of data. No company is too big or too small to be of interest to cyber criminals. Every bit of data – everything – has value to the criminal. Small businesses may not be the ‘main target’ but act as conduits to a larger prize; they are the weak links in the supply chain. Fortunately, there are some relatively simple steps that will make your organisation safer. Start with governance, accept cyber security as a business risk and make sure your organisation is ready to deal with a breach. Bridge the gap between IT, HR, security and senior management, to make