The value of a broader approach to cybersecurity at the enterprise level was a key point recently underscored by Elizabeth Denham, head of the UK's data protection authority, the Information Commissioner's Office ("ICO"). Ms Denham, speaking last week at the National Cyber Security Centre's CYBERUK 2018 event, warned companies that they should be handling cybersecurity as a boardroom-level issue.
Ms Denham warned that: "We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings." She also cautioned that "If left solely to the technology teams, security will fail through lack of attention and investment." In her speech, Ms Denham also named and shamed several companies which have been the victims of breaches that could have been avoided if they had robust and tailored cybersecurity plans in place.
The ICO expects companies to take active steps to protect themselves from criminal cyberattacks following the implementation of new data protection legislation (GDPR, The Data Protection Bill and the NIS directive), which require companies to be transparent, follow tailored and proportionate systems and controls based on regular risk assessments, and account to customers and enforcement agencies. Importantly, the ICO is far from alone in taking this view. In the United States for example, contractors doing business with the federal government, banks and insurance companies operating in New York state, and several other sectors subject to specific data and cybersecurity laws, must have in place measures to ensure that the whole company is alive to the threats and vulnerabilities posed by cyber attacks. In this respect, the ICO’s advice is crystal-clear "Don’t just shut the door. Lock it. Then check the locks. And be mindful about who you allow to have a key." We would add that as an enterprise you should also decide where to put your house (which networks and IT to use), what stuff (“data”) to keep at home, and who is allowed in and out of our house (“access”).
FOR QUESTIONS OR MORE INFORMATION, PLEASE CONTACT: