BreachExchange mailing list archives
Firms must form cyber incident plans and get board buy-in for security strategy
From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Oct 2015 19:28:33 -0600
http://www.v3.co.uk/v3-uk/interview/2432199/firms-must-form-cyber-incident-plans-and-get-board-buy-in-for-security-strategy

UK businesses must adopt rigorous cyber incident plans that demonstrate exactly how they will respond to a cyber attack, according to Jeremy King, international director of the PCI Security Standards Council.

King, who joined the Standards Council in 2010, told V3 that a cyber threat can come at any time and is often viewed as a 'worst case scenario' for many chief information security officers (CISOs) responsible for securing large organisations.

"You get the phone call and it says you've been breached. It can come from law enforcement, it can come from banks, and that's the first you know that your world is about to end. The CISO gets the call and it's the worst day of his life," he said.

"[The call] can come at any time and on any day, and at that point there will be a list of things to do: talk to the bank, talk to law enforcement, talk to customers. CISOs have no idea how big the breach is or what data has been stolen, so having an incident security plan is critical."

King stressed that computer networks are now "a criminal's paradise" because so much information is being retained by data-hungry companies.

"Companies store far too much data. Our message from day one has been if you don't need it don't store it. Just get rid of it. Organisations have now got to start looking at all of their data with that mindset," he said.

Indeed, this "mindset" is quickly seeping in as serious cyber attacks continue to affect businesses of all sizes. Most recently, mobile and internet provider TalkTalk suffered a breach that is now estimated to have affected millions of customers.

This sea change comes as business directors are becoming increasingly aware that their positions are now at risk. Cybercrime, from the hack at the US Office of Personnel Management to the breach at Target, is now a real and tangible risk to those put in charge of protecting data.

"People always think of data security as an IT project. But it's not, it's an organisation project and it starts at the board," said King. "If the board doesn't buy into it, it doesn't happen. I say to people, especially CISOs, that your best friend is your finance director because they have their hand on the money. One of the things I always try to do is reach the boardroom. [Cyber attacks] get the boardroom's attention.

"There's a huge amount of spend going on in data security. The problem is that it's quite easy to spend it badly."

However, UK businesses will soon be forced to adopt better security practices, as legislation is now being drafted that has the potential to make breaches an even more costly liability for UK organisations. Three main laws on the horizon - the European Banking Authority Security of Internet Payments, the Payment Services Directive 2 and an updated Data Protection Act - will levy heavy fines on businesses found to have broken new security rules.

"In about two years' time the UK is going to be facing these three pieces of legislation. The big thing about the Data Protection regulation is breach notification," King explained to V3.

These new rules will introduce a general 72-hour breach notification rule and fines of up to two percent of annual global turnover for businesses found not to have protected sensitive data adequately.

"You can choose not to inform the Information Commissioner if you don't think it is a noteworthy breach. However, if they then decide it was something you should have notified they can fine you," King warned.

Public agencies and charities could also face fines of up to €1m for breaking the updated data protection rules.

"You can roll the dice on whether you will inform them or not, but it's a €1m fine if you get it wrong. If that doesn't get people's attention in the boardroom I give up," he said. "If [the changes] are going to arrive in 2018 we have two years to get ourselves sorted out. You have to be aware of what's coming; you cannot wait to get your organisation set up."

King is concerned that not enough notification has been given to merchants and business owners that these changes are approaching.

"If most organisations look at their risk profile, internal and external, cybercrime crosses every boundary and affects every aspect of the business and that is a big challenge. If governments can do more, they can do more to make organisations aware of what is coming," he said.

Cyber attacks in the UK are on the rise, and companies need to be aware of the new landscape in which they operate. The Office for National Statistics (ONS) revealed recently that crime is quickly moving online as fraud incidents soar. The ONS logged an estimated 5.1 million incidents of fraud in the 12 months to May 2015 affecting 3.8 million adults in England and Wales, meaning that online fraud has overtaken traditional offences for the first time.