Governance should always come first

Although the paper was first published in December last year it has a lot of relevance to issues from the last two months. The first thing that the paper deals with is Governance. This is something that has come back to bite a lot of companies. For example, too many companies just accepted the statement from US companies that they had Safe Harbor accreditation. What they should have done is ask to at least see a photocopy of the foil certificate they would have been awarded.

Another part of governance is dealing with how the company itself understands the issue of cyber security and how well it is integrated into the fabric of the business. The paper makes it abundantly clear that this is not just something to devolve to a technical person. The board must take responsibility for policy, how it is implemented and have plans to deal with any failure.

Perhaps the most important statement from the report is:

A “blind” board is a poor board. It is often said that only those at the very top of an organisation can stimulate the biggest change of behaviour and approach. If they do not see the security failings or incidents, they do not understand what their customer sees or recognise what they have to personally change in their business.

Laws and regulation

From governance, the report moves the reader on to understanding the law, which is equally essential. While Europe is preparing for the introduction of the General Data Protection Regulation (GDPR) next year, it won’t be the last piece of legislation companies will have to manage. After the mass outbreak of hacking in the UK in the last month, it is likely that we will see more regulation in that area.

Governments are also introducing draconian approaches to data controls in the name of anti-terrorism and cybercrime prevention. These will have an impact on companies, yet few actively monitor regulation in their own country. Doing so is a must if companies are not to find themselves caught out by changes in the law, which then cost them dearly when they have to adjust their systems at the last minute.

Intellectual Property and protecting data

Almost all companies have Intellectual Property, whether they realise it or not. It doesn’t always have to be patents or research conducted in skunkworks environments. It is the secret to their success, the secret sauce behind their products and the thing that differentiates them from their competition. For many companies it could be the code they have written to customise the software they use, or something as simple as the customer database they hold.

Another part of this problem is protecting data: creating not just policies but working systems that identify sensitive data and come up with ways to protect it at all times. This doesn’t mean the data isn’t available to users, just that it is encrypted where necessary, prevented from being sent to competitors and protected when on devices that leave the enterprise. The trick here is not to over-complicate the classification levels of data but to keep it simple and make sure that whatever is decided upon is deliverable.

Conclusion

There is much more to this report than we have briefly mentioned here, and it is worth taking the time to read through it. Not all 100 items will be relevant for every company, but it would be fair to say that at least 50 are.

This is a well thought out list of questions, to which companies should be able to add a number that are focused on their own business. While nothing will guarantee that security is absolute, asking these questions and giving serious consideration to the responses will at least help companies improve their cyber security stance and raise the bar to make hacking a little more difficult.
