More executives state responsibility for data security should reside outside of IT

Many UK businesses are confused about who should manage data security procedures, leaving them at potential risk from escalating cyber attacks. This is according to a new report entitled ‘The Data Security and Risk Management Review’ and sponsored by managed service provider Advanced 365.

Cyber criminals are constantly exploiting businesses’ vulnerabilities around storing data in multiple locations as more and more devices become connected to the Internet. This has created a widening knowledge gap between IT professionals and employees as organisations struggle to keep pace with new and evolving threats. As a result, senior executives have become increasingly concerned as to whom they should entrust with driving their security strategies.

In the report’s survey of 300 UK IT decision-makers, 49% stated the definitive authority for data security should reside outside of CIOs and the IT Department. 75% of those surveyed said data owners should assume responsibility for data which belongs to a business. 71% argue that security is a wider issue than just data, while 56% believe it should fall under the remit of other departments (such as compliance).

In contrast, 41% felt that IT should keep hold of the reins due to having ‘experience of dealing with security issues’, while 10% were unsure as to whether security should sit within or outside IT.

Top of the corporate agenda

Neil Cross, managing director of Advanced 365, commented: “Highly publicised data breaches involving large enterprises have catapulted security to the top of the corporate agenda. While it’s reassuring that Board members are now taking greater interest in the subject, this has clearly created a difference of opinion as to who should lead on addressing security issues, which could leave businesses even more exposed.”

Organisations must also review existing controls around storing and accessing data ahead of imminent changes to the EU’s General Data Protection Regulation (GDPR) legislation to avoid significant fines in the event of a breach. Under the new EU law, any organisation tasked with managing and securing third party access to data has a legal obligation to ensure it’s secure. Those who fail to do so could face fines of up to 5% of their annual turnover.

Cross added: “To reduce the risk of a potentially damaging breach, businesses simply must define who’s responsible for each specific area of security. This includes ensuring that robust governance frameworks are in place for managing and safeguarding third party access to their data in order to avoid significant fines under the imminent GDPR compliance requirements.”

He continued: “The new legislation will also have major implications for the providers of hosted and cloud services. Businesses must think carefully before choosing a trusted and experienced partner, and pay particular attention as to the location of where their data will be stored.”

‘The Data Security and Risk Management Review 2015’ is available to read in full.

Heads will roll

Glasswall Solutions, the UK cyber security company, has just issued its Top Five predictions for 2016. The list covers the five key developments that the company’s team of experts believes will have the biggest impact on cyber security over the next 12 months.

“Businesses around the globe now face unprecedented threats from every kind of hacker and cyber criminal,” said Greg Sim, CEO at Glasswall Solutions. “We believe the next 12 months will see some of the most significant developments in the history of cyber security as powerful new EU regulations loom and enterprises come to realise that their defences are dangerously unprepared and antiquated.”

Sim also said: “2016 promises to be an extremely interesting year in which many new opportunities will emerge to boost our collective security. The $64,000 question is whether businesses around the world will grasp them.”

The five predictions issued by Glasswall Solutions are as follows:

New threats

Cyber security threats will continue to grow throughout the year, with e-mail attachments the most dangerous point of vulnerability for businesses without effective defences in place. In 2015, cyber crime cost £36 billion, with 94% of successful attacks conducted via e-mail attachments.

Criminals will continue to steal insights from leaky documents, websites and social media profiles for use in social engineering, targeting employees and turning them into ‘dupes’ who unwittingly assist in the hacking of their own companies by opening files hiding malicious exploits.

As the cost of these attacks grows, we can expect to see a bigger effort within businesses to understand the nature of the threat. For example, it comes as a surprise to many that the majority (75%) of threats within files are not in JavaScript, Macros or URLs, but rather in the manipulated DNA of the commonly used files we employ every day.

Change in corporate culture

2016 is set to be the year when a change in culture sweeps through many organisations in response to the growing sophistication of cyber attacks. As has been apparent in the US, C-Suite jobs are now on the line, while the forthcoming EU GDPR holds executives directly culpable for the security of their organisation’s data.

The risk of losing customer data, with the knock-on effects on supply chain confidence, customer retention and even share price, is now too great.

From top to bottom, organisations must shift their attitudes and take back control of document security. This will extend beyond the organisation’s own borders and into the supply chain where cyber security will become a major factor in the ongoing business relationship between organisations and their suppliers.

Within most companies a trusting culture has been bred, from sharing (and collaborating on) documents to being accepting of incoming files and URL links. This culture is commonly reflected from C-Level executives down to the most junior of employees, with everyone at equal risk of becoming a target.

Decisions on what’s safe will no longer rest with employees, but will be a matter of policy, determined in conjunction with experts from the sphere of corporate cyber security technology.

CISOs will stand tall

Sadly, we can expect that continued reliance on outdated security solutions makes it inevitable that a serious data breach will occur in 2016, leading to a ‘minor bloodbath’ in the C-Suite.

Chief executives have been warned – they saw what happened to TalkTalk last year – but, suggests Glasswall Solutions, too few are ‘walking the walk’ when it comes to boosting security in their own organisations. A major loss of data or a breach of old-fashioned perimeter security is going to cost CEOs heavily in 2016.

By contrast, in organisations where security is taken more seriously, the role of the Chief Information Security Officer (CISO) is going to have greater prominence. More and more CISOs are going to be appointed and, increasingly, they’ll report directly to the CEO and sit on the Board if information security is to be taken seriously.

In businesses where they’re already at work, over half of CISOs report to the Chief Technical Officer, in turn demonstrating “a real lack of urgency” about cyber security at Board level. This has to change.

Steve Katz, a member of Glasswall Solutions’ Advisory Board and the world’s first Chief Information Security Officer (resident at Citigroup and JP Morgan), predicts a further development in 2016. Katz believes the year is likely to witness the emergence of the Chief Information Risk Officer (CIRO).

“A single hacker only has to win once for an organisation to find its reputation has been torched,” explained Katz. “The havoc wreaked by some of these attacks leaves such a trail of destruction that organisations never recover. Cyber security is now about managing risk, rather than just security, and the Board-level role of the CIRO should absolutely reflect that.”

Regulation

The EU’s forthcoming GDPR imposes increased penalties and fines on companies failing to protect their data adequately, or which are subject to a breach.

In the first quarter of 2016, Glasswall Solutions believes that businesses will “start to wake up to the potentially enormous consequences” of this first real overhaul of Europe’s data legislation in two decades.

Minimum fines are likely to be set at 2% of global turnover, with the maximum running to 5%. Had the TalkTalk breach occurred under the EU regulation, for example, the company’s fine could have amounted to a staggering £90 million.

In addition, the new regulation will impose disclosure of data breaches in the public interest, meaning there’s no hiding place for those firms caught with their cyber security regime found wanting.

“As businesses realise what’s involved,” states Glasswall Solutions, “we can expect to see them struggle to achieve compliance throughout the year, scrambling to hire consultants or investigate outsourcing solutions as 2016 draws to a close.”

Innovation

Set against the backdrop of increasing threat levels, 2016 is going to be “a great year” for cyber security innovation, replacing legacy and even relatively modern security technologies which are failing to protect their customers from the ever-increasing wave of sophisticated attacks.

The new wave of sandboxing and advanced threat analytics in particular is simply not working. The overwhelming feedback from the cyber security industry is that security professionals don’t trust what they’re being sold by the mainstream suppliers.

Industry analyst Frost & Sullivan stated in its own 2016 predictions that “we can see widespread acceptance of a new approach to business risk and cyber security, moving the focus from detection of ‘known threats’ towards validation of the ‘known good.’”


About the Author

Brian Sims BA (Hons) Hon FSyI, Editor, Risk UK (Pro-Activ Publications)

Beginning his career in professional journalism at The Builder Group in March 1992, Brian was appointed Editor of Security Management Today in November 2000 having spent eight years in engineering journalism across two titles: Building Services Journal and Light & Lighting. In 2005, Brian received the BSIA Chairman’s Award for Promoting The Security Industry and, a year later, the Skills for Security Special Award for an Outstanding Contribution to the Security Business Sector. In 2008, Brian was The Security Institute’s nomination for the Association of Security Consultants’ highly prestigious Imbert Prize and, in 2013, was a nominated finalist for the Institute’s George van Schalkwyk Award. An Honorary Fellow of The Security Institute, Brian serves as a Judge for the BSIA’s Security Personnel of the Year Awards and the Securitas Good Customer Award. Between 2008 and 2014, Brian pioneered the use of digital media across the security sector, including webinars and Audio Shows. Brian’s actively involved in 50-plus security groups on LinkedIn and hosts the popular Risk UK Twitter site. Brian is a frequent speaker on the conference circuit. He has organised and chaired conference programmes for both IFSEC International and ASIS International and has been published in the national media. Brian was appointed Editor of Risk UK at Pro-Activ Publications in July 2014 and as Editor of The Paper (Pro-Activ Publications’ dedicated business newspaper for security professionals) in September 2015. Brian was appointed Editor of Risk Xtra at Pro-Activ Publications in May 2018.