Cyber security is a boardroom issue

The ICO recently issued its largest ever fine to TalkTalk for failing to protect customer data from a cyber-attack. Alastair Barter, senior policy officer (business and industry) at the ICO, explains why.

Alastair Barter, senior policy officer (business and industry), ICO

The £400,000 fine was issued because TalkTalk failed to take the basic steps necessary to keep customer data safe.

The fine was significant and reflected the severity of the breach, but we’ll have greater fining powers from 2018, when new data protection rules come into force as part of GDPR.

TalkTalk’s fine and the impending new rules should make organisations sit up, take note and take action.

Cyber security is not an IT issue. It is a boardroom issue. And its place at the heart of an organisation is being recognised.

The government has stressed the importance of cyber security in a thriving digital economy by announcing a £1.9bn investment in the National Cyber Security Strategy over the next five years.

A new National Cyber Security Centre has also been opened to keep the UK’s cyberspace safe.

Not only will better cyber security protect the wider economic interest, it will also help to protect the privacy rights of individuals, who should be able to trust organisations with their data.

In the digital economy, organisations that build a trustworthy reputation through good data handling can gain an advantage.

The information commissioner, Elizabeth Denham, recently announced her aim to build a culture of data confidence in the UK.

An ICO survey found that 75 percent of individuals do not trust organisations with their personal data. Being one of the organisations that consumers do trust has obvious benefits.

Privacy and innovation

An organisation’s ability to keep data secure is a key area of consumer concern. With data becoming an ever more valuable asset, it pays to protect it appropriately.

But increasing privacy measures and information security does not have to lock down data and stifle innovation.

By taking a privacy by design approach and building in appropriate measures from the outset, privacy and innovation can work in tandem, giving consumers the products and services they want as well as confidence in the brands that provide them. It’s not privacy or innovation, it’s privacy and innovation.

As the TalkTalk case shows, cyber attacks tend to make the headlines, and that means bad publicity for the affected organisation.

Naturally, some sophisticated attacks by determined hackers are increasingly difficult to defend against and leave organisations as victims, alongside the individuals whose personal data may have been compromised.

The ICO recognises this, but many of our investigations into data breaches – including TalkTalk – show that it is often an absence of simple measures that leads to breaches.

To be compliant with the DPA, organisations must ensure that appropriate measures are in place to protect the data they hold. Lapses in basic measures, such as inadequate penetration testing, poor password controls and inadequate encryption, are commonplace and have resulted in regulatory action.

Our role is to ensure organisations protect personal data. We have the option of enforcement, but our aim is to help organisations comply, and we do that through education and advice.

Lots of guidance is available on the ICO website, ico.org.uk. For the fundamentals, see our Practical Guide to IT Security, which is ideal for small businesses. We’ve also got guides about technical solutions and information gleaned from others’ failings: Protecting personal data in online services: learning from the mistakes of others.

There is also a range of government guidance available, and schemes such as Cyber Essentials can set organisations on the right path to achieving levels of information security that suit their requirements.

Information security has always been an important area of compliance, but GDPR will raise the stakes.

Reassessing information security measures now is something that organisations should be doing.

Not only will this help to prepare for GDPR, but it will help organisations comply with current requirements.

Importantly, it will also help to build a culture of confidence - that’s always good for business.

creditstrategy.co.uk – an online news and information service for the UK’s commercial and consumer credit industry. creditstrategy.co.uk is published by Shard Financial Media Limited, registered in England & Wales as 5481132, Axe & Bottle Court, 70 Newcomen St, London, SE1 1YT. All rights reserved. Credit Strategy is committed to diversity in the workplace.