You will no doubt, like most of us, have continued to approve the cookies and policies that present themselves in your browser after the May 2018 strengthening of the Data Protection Act. You might also have been following the cybersecurity discussions in the national press, and perhaps wondering if there’s a connection.
In the UK there are two sources of advice and regulation associated with data protection and cybersecurity.
- The Information Commissioner's Office (ICO) enforces four Acts of Parliament: the Data Protection Act 2018, the Freedom of Information Act 2000, the Environmental Information Regulations 2004 and the Privacy and Electronic Communications Regulations 2003.
- The National Cyber Security Centre (NCSC), which was “set up to help protect our critical services from cyber-attacks, managing major incidents and to improve the underlying security of the UK Internet through technological improvement and advice to citizens and organisations. Our vision is to help make the UK the safest place to live and do business online.”
Let’s put these two organisations into some context. In June 2018 Dixons Carphone Warehouse (DCW) told the ICO that it had exposed the customer data of 10M people to unknown hackers. That’s a huge amount of data. And while all of it would happily fit on one USB stick, the equivalent data on paper would be a stack of A4 sheets reaching 4,160 feet into the sky. That’s taller by far than the highest mountain in the UK.
The ICO is to investigate the DCW loss, and can impose fines if it finds that DCW was in breach of any of the Acts that the ICO regulates. The penalties for abusing or losing customer data have changed markedly since May 2018. Fines can extend to 4% of turnover and €20M.
So, what’s the role of the NCSC here? Its aim is both to help DCW’s customers counteract any exploitation of the breach and to help businesses avoid the same issues in the future.
The NCSC website is chock-full of helpful advice, guidance and toolkits for consumers and IT professionals. But they also identify some key principles that businesses should concern themselves with – and this is not advice that should be devolved to IT: senior management teams are still on the hook.
Specifically, their advice to Boards can be summarised as follows:
- Does the Board realise that the protection of key information assets is critical?
- How confident is the Board that the most important information in the business is being properly managed and is safe from cyber threats?
- Are they clear that the Board members themselves are likely to be key targets?
- Does the Board have a full and accurate picture of:
  - The impact on the reputation of the business if sensitive internal or customer information held by the business were to be lost or stolen?
  - The impact on operational services if online services were disrupted for a short or sustained period?
  - Who might compromise information, and why?
- Does the Board receive regular intelligence from the Chief Information Officer/Head of Security on who may be targeting business information and IT, their methods and their motivations?
- Does the Board encourage its technical staff to enter knowledge-sharing exchanges with other organisations in the sector and across the economy to benchmark, learn from others and help identify emerging threats?
- Does the Board proactively manage cyber risk?
- Given that cybersecurity risks impact public confidence, reputation, culture, staff, information, process control, brand, technology and finance, is the Board confident that:
  - They have identified the key information assets and thoroughly assessed their vulnerability to attack?
  - Responsibility for the cyber risk has been allocated appropriately?
- Does the Board have a written information security policy in place, which is championed fully by the Board and supported through regular staff training?
- Is the Board confident that the entire workforce understands and follows it?
That’s quite a checklist of issues that should trigger a great deal of detailed thinking. Some of these steps are going to take months to deliver. Whatever your initial thoughts are to address the very clear and present danger presented by cybercrime, Boards cannot afford to ignore the Regulators and must have plans to implement their advice and guidance.
Let’s look at the last two bullet points of the NCSC principles: “a written information security policy” and, related to it, confidence that “the entire workforce understands and follows it”. That is a task that will require not only Learning and Development across the whole workforce, but also evidence that appropriate training has actually been undertaken.
The advice and guidance of the ICO and NCSC clearly identify that people are central to an organisation’s consistent compliance with the ICO regulations. They suggest that having processes, policies and technology is not enough in itself.
The good news is, at least for those last two points, there is some help close to hand. Bloor Research and Cognisco have joined forces to provide a human risk-based GDPR readiness assessment tool.
Bloor have provided technical subject matter expertise, but crucially Cognisco’s Occupational Psychologists have brought human factors insight to the table, because GDPR compliance and cybersecurity protection both demand recognition that people at all levels of a business have different capabilities, different degrees of technical knowledge and different attitudes to risk.
The result is a free GDPR Personnel Competence Assessment. So now Boards can take the first step in tackling the cybersecurity and data protection elephant, with a little confidence that instead of just trying to attain a legally-defined benchmark, they can proactively protect their businesses.