Security Management<br />
As GDPR nears: New data protection rules will have an impact, a round-table gathering recently heard.<br />
About EEMA<br />
A not-for-profit think tank, it covers identification and authentication, privacy, risk management, cyber security, the Internet of Things and mobile applications. It’s recently joined the European Cyber Security Organisation (ECSO). Visit eema.org.<br />
The view of a rainy summer London from the EEMA seminar venue, Atos in Triton Square. Photo by Mark Rowe<br />
UNHAPPY<br />
‘Sharing information that we do not 100pc trust, without fact checking, is a dangerous practice. As well as fuelling the fake news fire, we could be inadvertently spreading malicious activity and supporting cybercrime.’<br />
Raj Samani, chief scientist, McAfee.<br />
Risk in the round<br />
The man making that prediction was Richard Preece, and the forum was a ‘fire-side’ by EEMA - the European Association for E-identity and Security. As the name suggests, it covers cyber; its 30th anniversary conference this summer in London was hosted by Microsoft. Jon Shamah, Chair of EEMA, chaired the smaller gathering at the central London offices of the IT firm Atos. The title was ‘prepare your board for a cyber attack’. As the sub-title was ‘your reputation gone in 60 seconds?’, the other speaker was Rod Clayton of the public relations agency Weber Shandwick.<br />
Tip of the spear<br />
Now as a speaker last year at the Fraud Advisory Panel conference on fraud against charities, he featured in our January issue. So first to Richard, a former British Army officer, now in his words a ‘hybrid’ or ‘portfolio consultant’ who for instance works on cyber crisis management for a client; information security for another; and that GDPR (general data protection regulation) for a small business. In passing, we might say that as Richard went into that field while in the Army, that shows the sort of roads you can go down in the Army; it’s not all packs and yomps. Despite the UK leaving the European Union, the EU’s GDPR will happen here, as set out in the Queen’s Speech in June. The UK Government wants it to ‘incentivise good behaviour’, Richard said. He sees GDPR as ‘the tip of the spear’; while he thinks it’ll take 12 months before the data protection regulator will hand out larger fines under this new regime, he warned: “We are entering an era where claims companies are going to be using GDPR as a very useful source of revenue creation, shall we say; and that in many ways, if you have large amounts of data that suffers a breach, is probably more dangerous than the regulatory fines for some companies.”<br />
As Richard added, GDPR is new, for insurers and everyone. GDPR will matter particularly, he suggested, with ‘sensitive data’ collected; about, for example, political views, or what race you are.<br />
SEPTEMBER 2017 PROFESSIONAL SECURITY<br />
He placed work to prepare for GDPR next year in managing risk, ‘actually a pretty simple process’. People talk about enterprise risk management, he noted, ‘but it doesn’t happen’; people, in institutions, don’t, or don’t want, to ‘join the dots’. A lack of forward thinking means that an institution may go through with some innovation, but that has second or third-order consequences, not thought about. Risk management needs to be wider, and broader, and less retrospective, he said. This includes planning for and ‘walking through’ scenarios. Such as: under GDPR, if you have a data breach, you have 72 hours to tell the regulator (although the details are hazy still).<br />
Always on a Friday<br />
Now to Rod Clayton, who also picked up that 72 hours rule. As someone around the table lamented, ‘it’s always on a Friday’ when a cyber breach gets reported inside a business, that is; which does rather suggest that the IT staff had known for at least part of the week and were now admitting defeat before the weekend. While the regulator the ICO (Information Commissioner’s Office) has publicly urged everyone to prepare for GDPR, it has not, as featured in our June issue, given guidance yet on (for example) when the clock starts to tick on those 72 hours. Is it when anyone first notices something is wrong, or when someone checks and calls in a consultant? Yet such things can have an impact on reputation, he said. He urged care also on what words you use to describe a cyber breach. Is it even a breach, for instance? To call it one, from an insurance or legal point of view, may have consequences. “The consumer doesn’t necessarily understand the subtleties.” Or as he equally neatly put it, people aren’t all rational or ‘well grounded’, so the debate about your firm in its crisis may be distorted, even deliberately.<br />
Joining the dots<br />
He had begun by agreeing with Richard Preece that ‘joining the dots’ is one of the biggest problems in any organisation. The end of his talk was the story of a Greenpeace protest at a building; that client called in Weber Shandwick. Clayton - leaving aside whether you agree or not with Greenpeace’s campaigns - made the point that Greenpeace always has dialogue with the place it’s going to target. The client denied that; until it turned out that Greenpeace had written, to the sustainability department, which had however thrown it in the bin. And did not bother to tell any other part of the business; that might however have assessed that a problem was coming. Clayton’s point: people in a business fail to connect with each other, and don’t think about ‘risk in the round’. On his specialism of corporate, and crisis, public<br />
www.professionalsecurity.co.uk