Cyber Security & Data Protection

Categories: CISO, From the Darkened Room

2016 was a black year in the calendar of data breaches. With countless websites and applications being breached, users’ details were made available online. Of the reported and published breaches, over 1.167 billion users’ details were leaked. Just over halfway through 2017, that figure is close once again.

Each year the UK government surveys the FTSE 350 companies about their cybersecurity and data protection measures. Over the past years, we have seen a continual improvement in the adoption of cybersecurity as a board-level conversation. This year, we see the improvements continue, although there is still a long way to go.

Board management of cyber risk

The survey revealed that 95% of Boards had either an acceptable or clear understanding of their company’s key information and data assets. Of these respondents, only 57% have a clear understanding of the potential impact of loss or disruption of those key information or data assets. The effects of WannaCry in recent months bear this out: while many businesses were aware of their key information and data assets, they had failed to adequately plan for when those assets were unavailable.

One very interesting finding from the survey is that Boards remain split over their approach to reviewing the security of customers’ data, with only 50% of respondents saying their Board reviews and challenges reports on the security of their customers’ data. This is most certainly backed up by incidents at TalkTalk, the AA, Virgin Media and Debenhams, to name just a few high-profile examples.

Incident response

In today’s highly connected age, accepting that you are eventually going to be breached is sensible. Once this is accepted, you can plan your response. During the recent WannaCry incidents, two of our clients had very different response plans. Client A had in their plan a process for this type of incident which involved flipping the master circuit breaker, accepting that a potential loss of 2 hours of work is significantly more acceptable than a mass denial of access to critical information. Client B’s plan was more methodical but involved removing all connectivity, accepting that a small number of hours without connectivity was preferable to malware spreading.

This year’s survey reported one in ten businesses have no plan in place. That is one in ten FTSE 350 businesses that will potentially face a catastrophic loss should they be breached.

Data Protection

This year’s survey asked questions around Boards’ awareness of GDPR and their preparations to meet the requirements of the law. The respondents’ awareness ranged from very aware (37%) to somewhat aware (45%) and slightly aware (15%). Almost three-quarters of respondents said they were somewhat prepared to meet the new compliance requirements brought about by GDPR. However, only 6% reported being completely prepared to meet their compliance requirements.

Over the last year, our data protection team have been working with many clients to help them align with the new law. When we reviewed the state of many of our clients pre-engagement, we found the mirror opposite of awareness. We also noted that while the driver for many clients was to comply with GDPR, many of them were failing to comply with the present Data Protection Act.