Cyber Security – Data Protection reaches the boardroom
It was a wake-up call when the Information Commissioner warned a room full of senior executives at the beginning of the year that data protection was, “not just an issue for the IT guy down the corridor… if you want all the benefits of digital you must manage the risk. It is the responsibility of the Chief Executive”.
Since then Christopher Graham has been vocal in highlighting that there is no excuse for organisations not taking action on data protection and maintaining an effective Cyber Security capability. Referring to the cyber attack on TalkTalk last October as a “car crash”, he stated that, “Any other company with half a brain should be checking their systems now to make sure they don’t land up in the same situation.”
When a watchdog uses this language in front of MPs, as Christopher Graham did during his evidence to the Culture, Media and Sport Select Committee, you know a line has been crossed. It is understandable once you accept that it was a preventable attack. Since the October “car crash”, TalkTalk has experienced a further breach in the security of its customer records, after three people were arrested in connection with making scam calls from an Indian call centre used by the telecoms group.
And if the above isn’t a “wake up and smell the coffee” moment, then the European General Data Protection Regulation (GDPR), which has just been ratified by the European Council, should certainly make General Counsels, lawyers and senior Directors start to twitch. This new EU Regulation (not simply a Directive) places specific obligations on all large companies and introduces an eye-watering maximum penalty for non-compliance set at €20m or 4% of global turnover, together with the potential of criminal prosecution of executives for the most serious of data breaches.
It was the risk of multi-billion-dollar regulatory fines for money laundering that put the subject of “compliance” on Boardroom tables, and we can see that Data Protection may soon be following. In all fairness, it’s not before time: technology has offered huge growth potential through the manner in which information can be accessed and stored, but the thirst for new business hasn’t always been followed by sensible precautions for data security or protection.
That is all likely to change when the new GDPR is phased in over the next year-and-a-half (no matter what happens in the UK’s referendum on EU membership, GDPR will affect UK businesses). Amongst other changes, the new provisions require all personal data stored to have a defined life cycle. Businesses will have to document their Data Protection risk and consider it in all new technology, products and services.
What should companies be doing?
So what should companies “with half a brain” be doing about this? Everything, unsurprisingly, starts with the Board, but too few are wrestling with this challenge in an effective manner; that in itself could become a personal risk for Board members. A recently published article by security law expert Thomas Bennett reviews personal liability in the event of a breach and concludes that for the Directors of listed businesses it is a “material possibility”. The pragmatic response is for Board Members to look to their senior staff to provide reassurance that the threat is being managed. Unfortunately, all too often, those staff are getting it wrong, and that is often due to an over-reliance on technology as a solution.
In some ways the term “Cyber” hasn’t helped and it naturally leads some into detailed and often complex conversations about patches, firewalls and IT networks. Of course the technical protection must be in place but the new Data Protection requirements will also place obligations on organisations to think more broadly about their information assets, particularly when you consider that over half of all major data breaches involve people and processes, not technology.
Effective solutions require cultural change, and that means a plan including re-training staff and re-configuring important policies and procedures. Some organisations won’t need to do much, but others will need to invest substantially. The place to start is with an independent information security health check. It is second nature to have auditors look at our books, and Boards can get reassurance that they have discharged their fiduciary responsibilities by doing so. The same applies to Cyber Security: the health check, or a more formal audit or assessment, does need to be independent and authoritative, and Boards should resist an over-reliance on their own people telling them everything is fine.
Leadership and the creation of an effective governance and accountability framework come next, to ensure that those who control the business operationally also own the information risk. All of this is achievable, and good Boards are introducing “Information Assurance” as a standing agenda item, with effective performance information balancing costs against business risk.
Get in order
The new EU General Data Protection Regulation will be formally implemented next year; there is still time to get your house in order. Ambitious companies will grab this risk and turn it into an opportunity. Smart businesses with big brains are already recognising market differentiation and the enablement of the business they can achieve by investing in good Information Assurance and Cyber Security.
Adrian Leppard QPM, Board Director, Templar Executives