TAKE THE RIGHT SECURITY PRECAUTIONS OR RISK HUGE FINES BUSINESSES TOLD
Complete security is impossible, but firms must take the right precautions or risk massive penalties, according to an expert. Speaking at R3 2016, Steve Durbin, managing director of the Information Security Forum, explained how businesses can reduce the fines they have to pay when they suffer breaches by proving they have taken the right precautions to protect their data.
“Why are we seeing an increase in breaches?” he asked the audience at Etc Venues St Paul’s.
“It’s very simple: information has a value… We are increasingly seeing concern, certainly across our membership… in terms of how do we identify, how do we protect and how do we stand up in front of people and say we did all that was reasonably possible?”
Durbin said this ties in with firms’ concerns about the reputational impact of cyber breaches. “What we have to bear in mind when we are looking at this is that 100 per cent security does not exist,” he told the audience. “100 per cent security will never exist and we want to make our businesses as unattractive as possible to hackers.”
He warned that businesses cannot throw “a protective security blanket” across everything they have – instead, they need to be able to “pick and choose” and protect their most important data and services, which he termed their “crown jewels”.
Overseeing all of this, Durbin said firms need to have cyber governance and planning, not least because this is the first thing the Information Commissioner’s Office will expect to see in place when it is notified following a data breach.
They should also have situational awareness and intelligence mechanisms, ways of assessing their cyber resilience and plans for cyber responses.
“That, in a nutshell, is probably going to be enough for many organisations – especially at the small- to medium-sized end,” Durbin said of these precautions.
But there are also long-term goals businesses must consider, like targeting behavioural change among their employees to ensure their day-to-day work is carried out in a secure way.
“This isn’t a sprint,” he said. “It’s a marathon that never finishes.”