A parliamentary report released this month on the protection of personal data online (Cyber Security: Protection of Personal Data Online) recommends several tough new corporate measures and – in our view very valid – suggestions to improve the cyber security of UK organisations.
The report was drafted in response to an inquiry into the TalkTalk data breach. The inquiry is still ongoing.
Among the recommendations were the following eight notable points:
Executive oversight and compensation
- Cyber security should be assigned to a senior individual with board oversight who can “take full day-to-day responsibility […] and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack.”
- A “portion of CEO compensation should be linked to effective cyber security, in a way to be decided by the Board.”
Routine cyber attacks should not be tolerated
The report responded to the unconfirmed suggestion that the TalkTalk cyber attack was the product of an SQL injection attack, saying that routine forms of cyber attack should no longer be tolerated, and that breaches of this nature (or continued vulnerabilities and repeated attacks) should trigger a significant fine.
- “The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches.”
- Security by design “should be a core principle for new system and apps development and a mandatory part of developer training”.
- Companies should not focus solely on preventing cyber attacks but, given the prevalence of such incidents, should anticipate them and prepare accordingly so that they can mount an adequate response.
Incident management and response plans
The report stressed the importance of incident management plans and exercises in the event of a breach. It stated that in “the 2016 Cyber Breach Survey for DCMS, it was striking that only 29% of companies had formal written cyber-security policies, and on average 10% of companies surveyed had a cyber-incident management plan, although 42% of large companies did have one.”
- Customers should be able to easily “claim compensation if they have been a victim of a data breach”, and the Law Society could “provide guidance to its members on assisting individuals to seek compensation”.
The MPs who drafted the report also recommended that the Cyber Essentials scheme, albeit effective in offering a basic defence for small and medium-sized organisations, should be “regularly updated to take account of more recent attacks, including the need for security, incident management and recovery plans and processes for responding to cyber-ransom demands.”
Security plans to be reviewed annually by the ICO
- Organisations should demonstrate that they are indeed spending their security budgets effectively, and the report recommends that they report annually to the ICO on:
  - “Staff cyber-awareness training;
  - “When their security processes were last audited, by whom and to what standard(s);
  - “Whether they have an incident management plan in place and when it was last tested;
  - “What guidance and channels they provide to current and prospective customers and suppliers on how to check that communications from them are genuine;
  - “The number of enquiries they process from customers to verify authenticity of communications;
  - “The number of attacks of which they are aware and whether any were successful (i.e. actual breaches).”
Security plans to be included in annual reports
- Companies submitting such reports should also “include such data in their own annual accounts to help give confidence to customers, shareholders and suppliers that they take security seriously and have effective processes in place”.
ISO 27001, which provides the framework for implementing a holistic ISMS (information security management system), offers the full spectrum of prevention and response tactics to reduce the fallout of a cyber attack. Certified companies benefit from the added assurance it provides to stakeholders and customers that correct and effective processes are in place, and that those processes are audited by an independent third party.