UPPING THE SECURITY STAKES
With less than a year till the EU General Data Protection Regulation (GDPR) comes into force, it’s no surprise to see surveys on UK plc’s readiness – or lack of it – starting to litter the media.
For example, in July electronics company Sharp reported that many organisations are at risk of falling on the wrong side of the GDPR. Findings revealed that 10% of office workers had had access to confidential information that they should not have had, while 25% admitted to storing data in the public cloud without permission, and 30% were taking work home to complete, again without authorisation.
Invariably these surveys will be sandwiched between cyber threat stories. In August we had the annual Cyber Governance Health Check, which found that one in 10 FTSE 350 companies had no plan to cope with cyber incidents and that more than two-thirds of Britain’s biggest businesses had confessed to staff lacking training to deal with the growing threat of cyber attacks.
Of course, these are really two sides of the same coin: inadvertent data breach on the one side, malicious data theft on the other. Either way, it comes down to what is perhaps best described as overarching information governance. And this is as it should be, because it recognises the full scale of the challenge of keeping data safe and companies compliant: it’s not just about security technology, not just about policy and procedure, nor is it solely about culture or behaviour. It’s about all of these meshed together, and with an approach predicated on good governance, companies are better positioned to ensure that every element is as tight and as strong as it can be.
There was an illuminating quote from Richard Elson, director of IS at law firm Trowers & Hamlins, in a recent Computing magazine interview. When asked about the impact of the GDPR on the firm, Elson said that although the regulation would bring a fairly onerous set of responsibilities, good data governance has accelerated their preparations. "We did an awful lot of work around the ISO 27001 and we did a lot of work for the Cyber Essentials Plus [scheme] and got the accreditation for that last year; and also in preparation for looking at the cyber insurance, about two and a half years ago, we put together a systems map of our Personally Identifiable Information." Richard also mentioned earlier in the article that the firm had “tried to take a security-first approach to all of our technology projects”, again highlighting the importance of getting all your fundamentals aligned – systems, regulations, policy, day-to-day habits.
In a previous blog we explored the merits of a layered security model, and we certainly see this as a solid foundation for GDPR compliance as well as cyber risk mitigation. Also, as Richard Elson points out, those with ISO 27001 and an assurance-aware fabric may have less of a leap to make. But as IT ecosystems grow in size, shape and complexity, companies need to make careful choices as to how best they protect themselves from fines or theft. Can you keep everyone happily working within a corporate firewall, giving them the tools and accessibility and usability that will wean them off their reliance on shadow IT? Can you develop your hybrid strategy and orchestrate your workloads between private and public clouds without a misstep? Can you meet users and consumers’ insatiable appetite for wireless networking with complete confidence? Can you ensure that all your data held across an expansive hybrid estate, with perhaps multiple vendors, will remain safe and sovereign at all times?
In one sense, the game hasn’t changed, in that adequate protection of systems and assets has always been a top priority for IT teams. From a commercial, regulatory and reputational perspective, there has always been a need for holistic security provision and security-minded working. Yet for all the headline-grabbing, fine-incurring TalkTalk-type incidents, most breaches go unreported, with disruption and impact internalised, and many even go undetected. It’s almost come to be an accepted part of working life, a case of not ‘if’ but ‘when’.
And that’s why, in another sense, the game has changed beyond all recognition. The onerous reporting regime and the potentially punitive fines around GDPR infringements really need to encourage the opposite mindset: not ‘when’ but ‘if’. And while many may feel there is a certain inexorability about being hacked deliberately or breached accidentally, that is no excuse for not taking the most robust approach possible to both technology and people. Indeed, those companies that do fall foul of GDPR but can still evidence strong information governance across the board, from systems and architecture through to policy and training, will be treated more leniently than those that can’t. So the security stakes have certainly been upped – to the tune of 4% of revenue, the maximum fine under GDPR. For those of the ‘when’ mindset, it is probably best to ask yourself ‘if’ you can afford it.