In the wake of the Meltdown and Spectre flaws revealed on 3 January 2018, the Information Commissioner’s Office (ICO) has warned that existing vulnerabilities could lead to punishment when the EU General Data Protection Regulation (GDPR) is enforced.
Even though the GDPR won’t take effect until 25 May 2018, organisations failing to identify and patch vulnerabilities before this date face strict disciplinary measures. The Regulation gives supervisory authorities the power to fine non-compliant organisations up to €20 million (about £17.5 million) or 4% of their annual global turnover – whichever is greater.
Although the ICO has stated that fines will be a last resort (and punishments of that magnitude will almost certainly be reserved only for egregious violations), any disciplinary action could be costly. The ICO will most likely impose enforcement actions on non-compliant organisations, which will include an investigation into the organisation’s practices and a mandate to address any aspects that fall short of the GDPR’s requirements.
Nigel Houlden, head of technology policy at the ICO, said: “[T]here may be some circumstances where organisations could be held liable for a breach of security that relates to measures, such as patches, that should have been taken previously.”
He added: “Failure to patch known vulnerabilities is a factor that the ICO takes into account when determining whether a breach of the seventh principle of the Data Protection Act is serious enough to warrant a civil monetary penalty.”
New laws typically aren’t retroactive, but the ICO’s statement acknowledges the importance of patch management and effective information security management systems. The ICO often lists poor patch management as the reason for fining organisations, as was the case in the recent £400,000 fine levied against the Carphone Warehouse for a 2015 breach that exposed more than three million people’s personal data.
Installing patches and updates when they’re available is one of the simplest ways of staying cyber secure. Any organisation concerned about its patch management policy should consider certifying to Cyber Essentials, a government-backed scheme that sets out a baseline of cyber security.
The scheme includes five key controls that, when implemented correctly, can stop most cyber attacks. These controls are:
- Patch management
- Secure configuration
- Boundary firewalls and Internet gateways
- Access controls and administrative privilege management
- Malware protection
The scheme is a prerequisite for government suppliers, but it can be invaluable for any organisation. In 2017, Matt Hancock, then minister for digital and culture, said the number of certified organisations tripled in the past year, proving that Cyber Essentials is “an effective tool which can be built on to achieve greater security in our organisations”.
Benefits of Cyber Essentials
Organisations that certify to the Cyber Essentials scheme will be able to:
- Demonstrate their security to clients, insurers, investors and other interested parties;
- Increase their opportunities, having an advantage in the private sector and the necessary qualifications to bid for government contracts; and
- Save money, because insurance agencies look favourably on organisations with Cyber Essentials certification.
The Cyber Essentials scheme will also help organisations comply with the GDPR and other laws.
Those who want to experience these benefits should consider certifying to the Cyber Essentials scheme with IT Governance. We are the leading CREST-accredited certification body and have awarded hundreds of certifications since the scheme began.