Perspective in Practice: Information (Data and Cyber) Security; Food for (Uncomfortable) Thought

Information security is the responsibility of the leaders of every organisation.
If your organisation is affected by an information security breach, the very best that you can hope for is to mitigate some of the damage; no-one walks away completely unscathed, not ever.
Having supported UK businesses in regulated sectors and also multinational ‘household names’ for almost two decades, the pursuit of keeping information secure is a subject close to my heart.
I liken cybercrime to icebergs. Not only is most of their extent hidden from sight, but that which is out of sight also changes shape, is constantly in motion and in truth, is impossible to avoid absolutely, no matter how careful you are.
In conversation with a ‘cyber expert’ you might hear phrases such as ‘Phishing’, ‘Spoofing’, ‘Ransomware’ and ‘Malware’. Brains spin as organisations try to understand what these mean and attempt to find solutions to beat them.
It is not unusual to encounter a ‘head in the sand’ approach from organisations; not because they are complacent, but because they assume that cybercrime occurs as a result of a technical or software failure and that, by having a robust IT security solution in place, their organisation will be safe.
Here are a few statistics that should therefore give cause for alarm, but should also give hope: At least 63% of cyber breaches occur due to human factors in the organisation (not a technical or software problem). The insurer Hiscox recently suggested that the human fault element could be far higher, at up to 90%. IBM indicates in excess of 95%. And the ICO puts at least two thirds of data breaches down to human error.
The ‘alarm’ sentiment is obvious, but what about the ‘hope’? Well, every organisation has the opportunity to put measures in place to educate and empower staff to take action to protect the organisation; even just small changes in this respect can significantly reduce risk.
Feel free to smile and nod as you recognise, having probably seen, each and every one of the following preventable information security risks, all of which are ‘people problems’: somebody using a laptop, sending an email or making a business call whilst on a crowded train; writing down a password on a post-it note or having a password made up of the name of the family pet; opening a link in an email that purports to offer you tracking information on the delivery that you are (apparently) expecting. These practices all invite enormous risk and are entirely attributable to human error, but they are 99.99% preventable.
To dispel a myth, Apple devices are not immune from contributing to the transfer of ‘nasties’ in the cyber world. A business team might, for example, be using Apple mobile devices; one day one of the team receives an email on their iPhone that purports to be about a business event that they are due to attend. They forward this to their colleagues back at the office who, having received the email from their ‘trusted colleague’, assume that the email must be safe, and so they open it on their desktop PCs and click the link to ‘find out more’ about the business event… tragedy swiftly unfolds through the malware that is unleashed!
But what if a breach takes place? Surely, if organisations are able to plug the gap quickly and run a PR smokescreen to try to mop up the reputational damage, and their insurance company pays out, there ends their exposure to risk on that occasion, right? Wrong! Regulators with their viciously sharp claws could step into the ring just at the point that an organisation is already on its knees following a breach.
Make no mistake, information security must be considered by every organisation in the UK that holds data that could be used to identify living individuals. In a world where 95% of organisations operate online, 60% of all staff use a computer at work, and it is estimated that by the year 2022 there will be 50 billion computing devices on the Internet, it is a matter of indisputable fact that data protection is inextricably linked to cyber security.
We have a team at PDA Legal that is dedicated to providing data protection consultancy, support and training to organisations all over the UK. Some of the organisations that we have been assisting got in touch with us having only recently realised that GDPR coming into force is merely a matter of months away. Such organisations are now taking appropriate steps, but we know that there are hundreds more who are not suitably aware of GDPR or its implications.
On the subject of awareness, a common but rarely fully considered situation is that of cyber criminals (also known as ‘Threat Actors’) acquiring a portfolio of credible information about people by targeting the Facebook profiles of their children. This portfolio is then used to attack organisations or their clients or suppliers. Along the way, the Threat Actors are, with remarkable ease, likely to learn your name, what you look like, where you last went on holiday, the name of your pet dog, the names, photographs and dates of birth of your children and those of your extended family, the type of car you drive and possibly even the name of the educational establishment that your children attend. The spine-tingling awareness that you and your loved ones are being hunted, tracked and scrutinised like this makes for uneasy contemplation, doesn’t it?
Some organisations have attempted to improve their level of protection by adopting the Cyber Essentials scheme or attaining the ISO27001 benchmark on information security. Achieving either standard/benchmark is certainly better than doing nothing at all and both include a measure of focus on the ‘people’ element of information security.
But Cyber Essentials is, by its own admission, simply ‘basic hygiene measures’. And, in March of 2017, the now notorious ransomware debacle produced near-catastrophic consequences for a number of NHS Trusts despite the fact that some of them had ISO27001 in place.
So, if such standards and benchmarks are failing, to whom does an organisation turn to seek help? And, what can it do to demonstrate to its staff, suppliers, associates, customers, patients, regulators and insurers that it has taken significant and robust steps to protect it and them?
Our team had been watching the rise and proliferation of cybercrime for several years and it was when, nearly 4 years ago, we heard the statistics as to the volume of cyber/information breaches which were attributed to the human element, that we experienced our ‘lightbulb moment’.
With years of auditing, regulatory and risk-management experience to inform us, we wrote the most robust people-centric cyber/information security benchmark available in the UK today.
Ours is an advanced and interlinked set of rules and records; an auditable Standard that provides organisations, their clients, customers, staff, suppliers, regulators and insurers with verifiable independent evidence that they have taken steps to protect them and the organisation from cyber attack.
Our Standard is based, independently, upon GCHQ’s NCSC requirements (it was GCHQ’s NCSC team that helped to resolve the NHS ransomware breach in March of this year), with all of Cyber Essentials rolled in, almost all (i.e. the relevant parts) of ISO27001, and elements of the US’s Centre for Information Security benchmark.
If you would like to have a chat about how to best protect your organisation in respect of information security, cybercrime and data protection/GDPR, please get in touch.