When 2% is Too Much

@InfoSecuritymag webinar with Guy Bunker  

Recently I took part in a webinar with InfoSecurity magazine, focusing on data protection and globalisation. It is a much talked about issue within the industry as globally regulators are increasingly taking a tough line when it comes to legislation and data protection. The webinar itself had nearly 300 people attend. I wanted to share with you some of my thoughts on the topic.

We have seen that cyber-criminals know no bounds. It is just as easy to launch an attack from a small village in England as it is from Beijing or Bangalore. We are therefore seeing the return of a ‘need-to-know’ policy and data segregation, where information is kept to the minimum number of people who require it rather than the old ‘open system’ approach of all data for everyone. This is driving different data protection policies in different regions around the globe, which can create the weakest link for a cyber-attack. The good news is that we are now seeing critical information being put behind multiple layers of security within the organisation, with increasingly restricted access.

Security incident response teams need to be global. There are currently a number of national teams in place, but a global solution is yet to be agreed. Currently, sanctions for data breaches in Europe are limited and fines are rare, but the new proposal in the EU draft Data Protection Regulation would impose a fine of 2% of annual worldwide turnover, aimed at attracting board-level attention. Practically speaking, how this will be implemented is a different matter, although we are expecting the changes to happen over the next two to three years. It is no doubt a great shock tactic, as we could see these fines taking businesses out of existence, which is not good for the business, its employees or world trade in a time of economic hardship. If you look at the current implications in the UK with the Information Commissioner's Office, data breaches are costly, but the cost to remediate the breach can be very expensive as well, with the fine becoming only a fraction of the overall cost of dealing with the incident.

Overall, many businesses will be aware that it is not a question of if a breach will happen but when. It is the responsibility of all senior personnel within the organisation to oversee data protection, and of all employees to be involved in the processes and procedures. The most effective method is to be prepared with a global breach notification team to handle the incident when it occurs. Standardising policies, procedures and solutions across the globe is also key, so that there are no weak points, minimising both the risk and the consequences.

Finally, it is important to remember that corporate information security policies should reflect changes in business practice, whether this is the adoption of cloud or BYOD, to ensure businesses are not compromised with potentially costly repercussions, not only financial but reputational.