GDPR puts security front of mind

Data security

The Institute of Directors (IoD) recently conducted a survey of UK firms on cyber security and the results make for sobering reading for an economy that is dependent upon the internet to operate.

Only 57% of respondents said that they had a formal cyber/information security strategy. While 91% said that firewalls, anti-virus and encryption were important to their business, 6% said that they spent nothing on cyber security over the last 12 months, which suggests that some organisations are relying on the security features built in at purchase, which are not necessarily up to date. Evidence of this was abundantly clear in the recent high-profile attacks on the NHS and other services which were reliant on older versions of software.

If we add in that 1 in 8 members of the IoD experienced damage due to a cyber attack that interrupted business and 11% of these suffered actual financial loss, it is difficult to understand why cyber security isn’t further up the list of imperatives for every organisation.

Stephen Ridley, acting Head of Technology, Cyber and Data at Hiscox, has these words of warning:

Businesses have no choice but to take steps to improve their security posture and data protection processes, and they would be well advised to commence that process sooner rather than later.

The IoD survey covers businesses of every type, many of which won’t be as dependent upon data as the event and publishing industries are. 59% of the survey sample said they outsourced their data storage – a model which the IoD believes is only set to increase – but only 57% knew where the data was physically stored. Given that data is arguably the biggest asset of a business, losing control of it can be described at best as extreme folly.

What causes this ‘loss of control’? For many organisations it is looking for a quick, and cheap, fix. My heart always sinks when someone says that there are ‘lots of cheap tools out there for you to use’, which the inexperienced take as carte blanche to always pay as little as possible for any digital service they require (the speaker frequently means ‘added extras’ rather than your fundamental system). There are online CRM systems available which charge very little for the service, but the truth is that you have absolutely no control of structure or service. Take yourself through a scenario where your service provider disappears overnight: can you trace them, and how long did it take you? Here is what Richard Archdeacon, CT IS Strategy – Hewlett Packard Security Services, has to say on the subject:

Moving your IT function to a cloud provider often makes sense for any organisation as it provides greater flexibility and reduces the risk of having to recruit and pay for teams who are a scarce and expensive resource. However, the provider must be trusted, with their record, size and stability absolutely key. It is easy enough to think your data is secure; it is essential you know it is.

Think it couldn’t happen to you? Here are some numbers from the National Office of Statistics for the year ending June 2015, showing the number of cases reported to the authorities:

  • Computer misuse: 2,460,000 cases
  • Unauthorised access to personal information (inc. hacking): 404,000 cases
  • Computer virus: 2,057,000 cases

Given that 90% of the world’s data was created in the last 2 years, that the data explosion shows no sign of abating, and that the GDPR legislation enforces Privacy by Design, i.e. secure storage and processing of data, it is time for every organisation that relies on quality data to conduct its business to sort itself out. Data discipline will be hard for many who are used to open and easy access to files, but it must come and, once adopted, will be second nature. Ashling O’Connor, head of the Media, Technology & Entertainment Practice at The Inzito Partnership, sums this up very succinctly:

Business has to stop thinking of cyber security as an IT issue; it is a matter of corporate governance and industry reputation. Leadership must therefore start at the top, with cyber expertise in the boardroom, so the right actions are embedded in strategy and best practice percolates down to each and every employee. For a Board, the subject should be as routine as audit.

Anecdotally we know that the key GDPR focus for many in the event and publishing sector has been on Consent – but we can’t reiterate enough that this is a sideshow to the main concern – the security of your data. If you are still using Excel as your main data tool, you need to stop. If you haven’t worked out how you are going to migrate your data into a database, you need to start.