Responsibility for cyber security cannot be outsourced: the board needs to take control.
Directors believe there should be tougher punishments for inadequate cyber security. The majority of decision makers, however, are unaware of the Cyber Essentials scheme. The board needs to take control and ‘own’ their cyber security.
An article in the Telegraph recently reported that the majority of directors believe that companies should face more severe punishments for failing to meet basic cyber security requirements.
Their report was based on research by ComRes, which revealed that seven out of ten board members believe that regulators should be tougher on companies that fail to implement basic cyber security measures.
ComRes also interviewed 508 London business decision makers online between 16th May and 6th June 2016. This poll revealed that, of those interviewed, 86% were not aware of the government-backed Cyber Essentials Scheme. This scheme was introduced in 2014 with the aim of helping businesses to protect themselves from approximately 80% of common internet threats by meeting the basic security requirements referred to above. It is relevant for organisations of all sizes and costs from as little as £295. It is a great first step for businesses to take to start implementing cyber security.
The Information Commissioner's Office (ICO) can currently fine companies up to £500,000 for failing to protect sensitive data. In 2018 the General Data Protection Regulation was due to come into force, which would have increased those fines to £20m or 4% of global revenues. Following the recent vote to leave the EU, it is still uncertain whether the UK will seek to follow this legislation.
Organisations need to be able to demonstrate that they have taken adequate steps to protect sensitive data. This will vary depending on the data held, but a minimum standard would be to have implemented Cyber Essentials. With so many business decision makers unaware of the scheme, we can only ask ourselves who is taking responsibility for this and what steps they have taken.
Seek independent professional advice for Cyber Security
Responsibility for cyber security cannot be outsourced to your IT provider; it has to be owned by the board. A cyber security breach will have a significant impact on an organisation, and it will be the board who will have to answer the inevitable question “what steps have you taken to secure your organisation against a cyber security attack?” The outsourced IT provider is unlikely to be the one facing penalties for failing to do this.
If you don’t know whether you are adequately protected, seek some independent advice from a qualified industry specialist such as a Certified Information Systems Security Professional (CISSP). They will be able to carry out a thorough review and identify any vulnerabilities that could be easily exploited, and unfortunately these can often start with your outsourced IT provider.
In addition, ask a CISSP to carry out a firewall review. The rules implemented on your firewalls may make it easy for the IT provider to get in and out of your network, but they may also provide attack vectors for criminals.
Implement Cyber Essentials
Implement Cyber Essentials as the very minimum. This consists of five basic controls around good practice. They are not expensive to implement and are designed to protect against common, untargeted, opportunist internet threats.
Cyber Essentials Plus will give you, and your customers, an increased level of confidence. The Cyber Essentials questionnaire is independently verified by the Certification body, and internal and external penetration tests are carried out to identify any vulnerabilities.
Being able to use the Cyber Essentials logo will demonstrate to your customers and other businesses that you have taken these essential basic steps. With the increase in news reports about cyber attacks, customers and businesses will be selecting companies that they can trust to do business with. Cyber Essentials is a small price to pay to provide them with a level of reassurance.