What EU cyber security regulations mean for your business by Andrew Rogoyski
British boardrooms are sleepwalking into a perfect storm of cyber security risk. While business leaders are comfortable dealing with established forms of risk, where they can draw on their experience and understanding, their ability to appreciate IT or cyber security risk is often poor. In a world where business is increasingly conducted digitally, understanding the problems that poor security can create for a business is a new imperative - and very few boards have acquired the skills to properly assess such risks.
We recently interviewed over a hundred C-level executives from the UK’s largest companies as part of some forthcoming commissioned research. Early analysis reveals that only a third discuss cyber security at every board meeting and the vast majority admit to only having a 'moderate understanding' of the cyber security reports that are presented during those meetings.
I’m not surprised. Many senior business leaders don’t have a deep understanding of the digital nature of their businesses, so cyber security, a technically obscure art at the best of times, is often completely opaque to them.
As if business leaders really needed another reason to look again at cyber security, they’re about to get one in the form of The Network and Information Security Directive (NISD), which was agreed on the 8th December in Europe and is expected to come into force in the first half of 2016. In parallel, the European General Data Protection Regulation was also agreed.
These two pieces of legislation represent a significant challenge to UK Boardrooms (and businesses that operate in the UK). Although it may sound innocuous, the NISD has far-reaching implications for firms operating in Europe and it spells the end for the 'keep quiet' culture that has been the norm to date. Banks, energy, water, transport, digital and telecommunications firms will all soon have new obligations to report cyber security incidents to regulators and affected customers, publicly, some for the first time.
As these breaches are reported, we are likely to witness significant damage to the reputations of the UK’s largest firms, and a poorly handled attack could see even the most successful company fail. The need to disclose publicly calls for far stronger scenario planning, with legal, communications and senior management teams all working together to limit the impact of a cyber security incident. Breach notification has been mandatory in most states in the US for several years now, and we have seen household name after household name fall victim, including Sony, Target, JP Morgan and many others.
Ultimately, the result has been reputational damage for the brand, occasional board level resignations and long-term costs in the hundreds of millions of dollars for some companies - perhaps explaining the rapid expansion in the cyber security insurance market.
WHAT YOU CAN DO
So, how can time-pressured boardrooms across the UK set the tone that prepares their organisations for the NISD? The first place to start is understanding whether your company will be subject to the legislation. If your operations could be considered in any way central to the operation of the economy, the answer is probably ‘yes’. Once the NISD is finalised, the UK will have to define which industry sectors are considered to provide ‘essential services’. The NISD highlights obvious market sectors such as finance and utilities as being essential, but adds some interesting new ones, including healthcare and digital services such as search engines.
If your company is on the list, I’d recommend that you prioritise a full review of your information handling strategy, looking at what sensitive data you keep and how you currently protect it against deliberate attack, accidental loss and other ways that a breach can be enabled. Of course, you don’t have to be on the list of essential services to do this kind of review – any digitally aware company ought to be thinking about these challenges.
This legislation will increase the need to demonstrate that your company has taken ‘reasonable steps’ to protect the sensitive information with which it has been entrusted. Such a review is less than straightforward. Breaking it down into the key areas helps: access controls (who can log on), policies (what employees are supposed to do), data, system and network separation (keeping the sensitive information separate) and training.
The importance of the last one really can’t be overstated. All the firewalls in the world won’t protect your organisation if those handling the data aren’t accepting responsibility for their own practices. The biggest impact any company can have on its security stance is to make sure employees understand what they need to do to keep the company secure.
If all this sounds like too much hard work or an unnecessary cost, it really is worth considering two questions. First, ‘what is the cost of recovering from a public data breach?’ – just ask TalkTalk, Sony, Target and the others. Secondly, ‘how can my business really succeed if it isn’t able to operate securely in the digital world?’
Andrew Rogoyski is head of UK Cyber Security at CGI.