In any business, cyber security breaches are possible at any number of points at which information is exchanged.
Risks can be external (from activists, criminals and spies) or internal (from employees and systems) – indeed, 80% of breaches that occur are down to human error.
All businesses are now connected by default. As people become more used to working in an online, mobile and virtualised environment, connected objects become commonplace.
At a recent cyber security event for businesses in Hampshire, IBM informed delegates that its acquisitions are now based on connecting things. As businesses adapt to the changes in the way in which it connects its employees to each other and itself to its customers and suppliers, the barriers between these different environments are not watertight.
The World Economic Forum has described the Internet of Things (IoT) as a ‘cyber [security] sub-prime bubble’. This will include links between RFID tags collaborative applications, smart mobile devices, social media, big data, cloud and bring your own device (BYOD).
All of these objects and applications will store data. Customers will want to share their data with a business so that the offers made to them can be tailored to their requirements.
In exchange for this, a customer will want to be reassured that a business understands and has addressed cyber security issues.
A business should assess and audit its information so that it has a clear idea of what might be described as its ‘data crown jewels’.
There is an industry move towards what is known as ‘optimised’ or ‘predictive security’. At its most basic, a business will need to understand and be able to predict what amounts to normal behaviour so that it can identify high-risk groups of employees or areas of its business.
The IT professional also needs to convince management that running unpatched (updated) software is a huge risk. This is usually because a fear of software failure and the effect this will have on the business means that upgrades are not attended to, all of which can leave a system vulnerable to attack. IBM research suggests that 50% of servers used by business will be running on this basis, leaving it vulnerable.
Business advisory bodies, regulators and government departments are all aware that businesses need guidance on cyber security best practice.
Material is available from a number of sources, including the Department for Business Innovation and Skills (BIS). This consists of a basic risk assessment for CEOs and company boards to undertake with some key questions around planning, implementing and reviewing cyber risk.
There is further detailed advice on employee policies, processes and technology.
Cyber risk management is also the subject of an executive briefing document aimed at board members, with the publication of an overview and ’10 steps to cyber security’ guide covering much of the same ground.
The latest guidance comes in the announcement of a Cyber Essentials Scheme launched in June 2014. From 1st October 2014, all suppliers bidding for certain types of government information handling contracts will be required to be Cyber Essentials certified. The process will effectively provide a snapshot of a company’s cyber compliance.
It is not unreasonable to expect that the number of compliance requirements from insurers, customers and data protection regulatory bodies to increase.
The European Data Protection Directive, which will enhance and clarify its provisions when it comes into force, probably in 2015 together with the European Cyber Security Directive under discussion, will require companies in EU member states to ensure they have suitable data protection policy (data protection by design) and suitable minimum IT security mechanisms.
Mandatory reporting of data security breaches and, it is proposed, collection and sharing of information on attacks and threats will create a framework within which businesses must operate.
Failure to meet the requirements could result in substantial fines. Under the Data Protection Directive, this can be as much as 5% of annual global turnover or €100 million, whichever is greater.
Having a data protection policy that also addresses cyber security issues and the needs of customers should be a minimum.
Sourced from Kim Walker, partner, technology team, Thomas Eggar