According to the 2015 Information Security Breaches Survey for the Department for Business, Innovation & Skills, 91% of large organisations had a security breach in the year 2014-15, with an average cost per data breach of between £1.46m and £3.14m. This does not count the damage to brand image that must then be repaired, nor the customers that have to be replaced following the exodus of affronted clients who had trusted that their details would be safe and were proven wrong.
The same survey revealed:
- 50% of these breaches were caused by inadvertent human error, and
- 28% of the worst breaches resulted from management not giving sufficient priority to security.
According to another survey, by PwC, cyber crime has impacted one in four firms in the last two years, irrespective of the size of the firm, and 44% of all crimes that companies experience are now executed electronically. PwC go on to forecast that this will become more severe in the next two years. Furthermore, 70% of British companies think the risk of a cyber attack has increased, yet the study showed that 33% of companies do not have a plan for how to respond to an attack. Do you?
So the Senior Management role is clear: action needs taking to ensure credible resistance to the cyber threat. But what to do?
There is a range of separate schemes and certifications that provide solutions. In (approximately) increasing order of complexity and effectiveness (and of difficulty to attain) these are:
1. Cyber Essentials – a Government contract requirement, requiring a check-list of cyber controls.
2. ISO 27001 – the most globally recognised standard – requires controls on financial and confidential data, helping to identify risks and put appropriate controls in place.
3. CSA STAR Certificate for Clouds – the most powerful programme for security assurance in the cloud.
4. ISO 27018 – for Cloud service providers, protecting against the loss of Personally Identifiable Information so as to raise public confidence. A set of controls that must be implemented, plus guidance covering contractual and regulatory requirements.
5. Cyber Essentials Plus – Cyber Essentials with an internal security assessment of end-user devices. Tested using a range of attack scenarios – provides a testing snapshot rather than ongoing peace of mind.
6. Secure Digital Transactions Kitemark – part of the planned BSI Kitemark range – requires independent and rigorous testing of websites, covering the security controls on the financial and personal information data they transact. Requires ISO 27001 plus rigorous internal and external penetration tests scanning for vulnerabilities and security flaws.
7. Digital Security Kitemark – part of the planned BSI Kitemark range – building on the Secure Digital Transactions Kitemark with an expansion of scope to cover Network, Application, Infrastructure, Operations, IS Risk Management and Security Management. Third-party tested using a range of required methodologies.
This looks scary, but are you going to leave it for a while longer? Well, in May 2018 the General Data Protection Regulation (GDPR) will kick in. This is a new piece of EU legislation (which the UK initiated and wants, so it will happen despite Brexit) that will increase the penalties on directors and companies that do not prevent the loss of private data. The maximum penalty will rise from £250,000 per incident to 4% of global corporate turnover (not profit). It will also include the possibility of prison sentences for directors. So, if your organisation handles personal data (staff or customer data, financial, health, pension, address or other personal data) – and especially if you cannot, hand on heart, say that it is and always will be secure – then you want to think about how you intend to protect your data, and yourself, once this law comes into force.
So now you know some of the options out there – but do you know what to do next? Does the phraseology leave you cold? Call us at Qualitation – we can give you a human view on the issues and we have the experts on hand to assist you through the step(s) you want to take.
0845 600 6975