BreachExchange mailing list archives

Firms must form cyber incident plans and get board buy-in for security strategy


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 29 Oct 2015 19:28:33 -0600

http://www.v3.co.uk/v3-uk/interview/2432199/firms-must-form-cyber-incident-plans-and-get-board-buy-in-for-security-strategy


UK businesses must adopt rigorous cyber incident plans that demonstrate
exactly how they will respond to a cyber attack, according to Jeremy King,
international director of the PCI Security Standards Council.

King, who joined the Standards Council in 2010, told V3 that a cyber threat
can come at any time and is often viewed as a 'worst case scenario' for
many chief information security officers (CISOs) responsible for securing
large organisations.

"You get the phone call and it says you've been breached. It can come from
law enforcement, it can come from banks, and that's the first you know that
your world is about to end. The CISO gets the call and it's the worst day
of his life," he said.

"[The call] can come at any time and on any day, and at that point there
will be a list of things to do: talk to the bank, talk to law enforcement,
talk to customers. CISOs have no idea how big the breach is or what data
has been stolen, so having an incident security plan is critical."

King stressed that computer networks are now "a criminal's paradise"
because so much information is being retained by data-hungry companies.

"Companies store far too much data. Our message from day one has been if
you don't need it don't store it. Just get rid of it. Organisations have
now got to start looking at all of their data with that mindset," he said.

Indeed, this "mindset" is quickly seeping in as serious cyber attacks
continue to affect businesses of all sizes. Most recently, mobile and
internet provider TalkTalk suffered a breach that is now estimated to have
affected millions of customers.

This sea change comes as business directors are becoming increasingly aware
that their positions are now at risk.

Cybercrime, from the hack at the US Office of Personnel Management to the
breach at Target, is now a real and tangible risk to those put in charge of
protecting data.

"People always think of data security as an IT project. But it's not, it's
an organisation project and it starts at the board," said King.

"If the board doesn't buy into it, it doesn't happen. I say to people,
especially CISOs, that your best friend is your finance director because
they have their hand on the money. One of the things I always try to do is
reach the boardroom. [Cyber attacks] get the boardroom's attention.

"There's a huge amount of spend going on in data security. The problem is
that it's quite easy to spend it badly."

However, UK businesses will soon be forced to adopt better security
practices, as legislation is now being drafted that has the potential to
make breaches an even more costly liability for UK organisations.

Three main sets of rules on the horizon - the European Banking Authority's
guidelines on the security of internet payments, the revised Payment
Services Directive (PSD2) and the EU data protection regulation that will
replace the current Data Protection Act - will levy heavy fines on
businesses found to have broken the new security rules.

"In about two years' time the UK is going to be facing these three pieces
of legislation. The big thing about the Data Protection regulation is
breach notification," King explained to V3.

These new rules will introduce a general 72-hour breach notification rule
and fines of up to two percent of annual global turnover for businesses
found not to have protected sensitive data adequately.

"You can choose not to inform the Information Commissioner if you don't
think it is a noteworthy breach. However, if they then decide it was
something you should have notified they can fine you," King warned.

Public agencies and charities could also face fines of up to €1m for
breaking the updated data protection rules.

"You can roll the dice on whether you will inform them or not, but it's a
€1m fine if you get it wrong. If that doesn't get people's attention in the
boardroom I give up," he said.

"If [the changes] are going to arrive in 2018 we have two years to get
ourselves sorted out. You have to be aware of what's coming; you cannot
wait to get your organisation set up."

King is concerned that merchants and business owners have been given too
little notice that these changes are approaching.

"If most organisations look at their risk profile, internal and external,
cybercrime crosses every boundary and affects every aspect of the business
and that is a big challenge. If governments can do more, they can do more
to make organisations aware of what is coming," he said.

Cyber attacks in the UK are on the rise, and companies need to be aware of
the new landscape in which they operate. The Office for National Statistics
(ONS) revealed recently that crime is quickly moving online as fraud
incidents soar.

The ONS logged an estimated 5.1 million incidents of fraud in the 12 months
to May 2015 affecting 3.8 million adults in England and Wales, meaning that
online fraud has overtaken traditional offences for the first time.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
