Despite attacks from Stuxnet to Sony demonstrating the very real IT security threats organisations face, lawmakers have been slow to respond. The EU’s new data protection regulation, originally due to come into effect this year, has suffered repeated delays. Sources claim it has been pushed back to 2016, a date those closest to the process have already called unrealistic. In the face of state-sponsored cyberattacks, advanced fraud by cyber criminals and single data breaches that affect millions of customers, an organised response to the cybersecurity threat is clearly needed. The question now is: who will provide it?
The landscape of data security
Cybersecurity today is much like the early days of automotive safety, when seatbelts were first introduced. Hardly anybody now doubts the benefit a seatbelt provides, yet it took the combined force of legal pressure and gradual cultural change to make wearing one habitual. A similar two-pronged approach is needed to combat cyberattacks. Governments need to provide incentives for building robust cybersecurity, as well as the legal force to punish organisations that do not act as responsible businesses or as custodians of sensitive customer data.
This needs to go hand in hand with a change in corporate culture, to one where threats are understood, managed and mitigated with the same rigour as other business risks. This must replace a culture where cybersecurity is merely paid lip service, or acts as a simple tick box on an audit sheet. Only then will UK PLC begin to address a global challenge which is evolving and affecting more businesses by the day.
The role of government and regulators
Recent data breaches, such as millions of TalkTalk customers being exposed to fraud after a major loss of sensitive information, demonstrate the urgent need for a robust defence. While TalkTalk has taken steps to prevent any repeat of its breach, it is only a matter of time until we hear of the next business whose customer base has been put at risk by cyberattack.
The priority of governments should be to do everything possible to minimise losses like these and mitigate the risk. While the government has given powers to organisations such as the Information Commissioner’s Office to impose penalties, in too many cases these potential fines are woefully low. The ICO’s maximum financial penalty of £500,000 pales in comparison to Ofcom’s recent £800,000 fine on BT for late delivery of applications; or the Financial Conduct Authority fining RBS, NatWest and Ulster Bank Ltd. £42 million for IT failures.
Even when the ICO does impose its largest fine, organisations can still appeal the decision or pay early to reduce the penalty further. This is clearly an ineffective incentive for a business generating millions of pounds of profit a year: such a business could simply take the calculated risk of occasionally paying a fine that represents a minor dent in overall profits.
One of the major proposals of the EU data protection legislation is to make financial penalties proportional to an organisation’s annual turnover. This would represent a far more serious risk to businesses, and a far bigger stick for the ICO. To change attitudes in this way, the government needs both to put robust laws in place and to ensure that those laws keep pace with how technology is used today, rather than a decade ago. The current Data Protection Act dates back to 1998, before the explosion of online activity and at a time when the threat of cyberattack was much smaller than it is now. UK law needs to make current cybersecurity best practice mandatory: customer data should be encrypted while it is held, just as PCI DSS already requires stored card numbers to be rendered unreadable, and deleted once it is no longer needed.
Strength from within
Whilst the government can impose order with laws, motivation also has to come from within the organisation. Many will see the examples of "car crash" cyberattacks in the news, but too often think that such attacks only happen to others.
Organisations need to realise that cyberattacks are no longer just a likelihood; they are an inevitability. Criminal organisations and hackers have far more resources, and above all more time, at their disposal than any single target. Given enough time, some defence will be penetrated. The most important lesson for any organisation is therefore "prepare to fail": any cybersecurity strategy should assume that a breach will happen, and work backwards from there to limit what an attacker can do with it.
For instance, when Sony’s PlayStation Network was breached, the main damage was not the immediate downtime. It was that the attackers were able to steal passwords and personal details that were stored in plain text. If Sony had prepared to fail, that data would have been protected at rest: personal details encrypted with keys held outside the database, and passwords held not in any recoverable form but as salted, deliberately slow hashes. Even if the databases had been sucked dry, the thieves would then have found their haul next to useless.
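As an added example (not from the article, and not Sony’s code): the "encrypt the passwords" point above is normally met, for passwords specifically, with a salted slow hash rather than reversible encryption, because whoever reaches the database can usually reach its decryption key too. The credential table, the user names, the passwords and the PBKDF2 parameters below are all assumptions made for illustration; only the technique is the point.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Constructed sample of the situation the article describes: a credential table
# holding passwords in plain text, so a dump of it hands an attacker every
# account at once. Names and passwords are made up.
PLAINTEXT_STORE: Dict[str, str] = {
    "alice@example.com": "hunter2",
    "bob@example.com": "hunter2",
}

ALGORITHM = "pbkdf2_sha256"
# Assumed work factor: PBKDF2-HMAC-SHA256 with 600,000 iterations. Argon2id or
# scrypt are better choices where a library is available; PBKDF2 is used here
# only because it ships in the Python standard library.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Derive a self-describing record 'alg$iterations$salt$digest' (hex fields).

    A fresh random salt per user means two users with the same password get
    different records, so a cracker cannot attack the whole dump in one pass.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ALGORITHM}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Check a login attempt against a stored record; False on any malformed input."""
    parts = record.split("$")
    if len(parts) != 4 or parts[0] != ALGORITHM:
        return False
    try:
        iterations = int(parts[1])
        salt = bytes.fromhex(parts[2])
        expected = bytes.fromhex(parts[3])
    except ValueError:
        return False
    if iterations < 1:
        return False
    # The iteration count is read from the record, so it can be raised for new
    # records without breaking verification of existing ones.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    # Constant-time comparison: a plain '==' would leak how many leading bytes
    # matched through its timing.
    return hmac.compare_digest(candidate, expected)


def migrate_store(store: Dict[str, str]) -> Dict[str, str]:
    """Rewrite a plaintext table as hashed records; a dump of the result is useless to a thief."""
    return {user: hash_password(pw) for user, pw in store.items()}


if __name__ == "__main__":
    hashed = migrate_store(PLAINTEXT_STORE)
    for user, record in hashed.items():
        print(user, record[:40] + "...")
    print("same password, distinct records:",
          hashed["alice@example.com"] != hashed["bob@example.com"])
```

Two design choices carry the "prepare to fail" idea: the salt and iteration count travel with each record, so the work factor can be raised later without a big-bang migration, and verification refuses anything it cannot parse rather than falling back to a weaker check. Other personal details still need encryption at rest, but with keys held away from the database (an HSM or key-management service), otherwise the dump and the key are stolen together.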
This isn’t to say that "traditional" security, such as firewalls, antivirus and security-aware staff, should be ignored. Organisations need to combine the three Ps of People, Process and Planning in any cybersecurity strategy. They should remember that an attacker will always look for the weakest link in any system, and ensure that the weakest part of their armour is brought up to the standard of the rest. When planning a new project that will add new data and access points to the organisation, one of the very first questions should be, "How will we protect this?" This approach has to cover all aspects of security, from technology such as antivirus and encryption to the policies and best practices that workers follow, from the CIO to the shop floor.
A complete approach is needed
It is clear that a robust cybersecurity framework equipped to deal with escalating threats will need both internal and external motivations to make organisations protect themselves. Laws must more closely reflect the times we live in and deter those handling data irresponsibly, while organisations themselves must recognise cybersecurity, and the inevitability of attack, as essential parts of their IT strategy. Then and only then can we be sure we are adequately guarding against the wolf at the door.
By Chris McIntosh, CEO, ViaSat UK