"Time for Action" say MPs, as Report Warns of Bigger Fines for Cyber Breaches
Xyone welcomes the House of Commons inquiry into Cyber Security which appeals to firms to act fast on its recommendations to mitigate risks and enhance security awareness.
Yesterday the House of Commons Culture, Media and Sport Committee released a report entitled "Cyber Security: Protection of Personal Data Online", which highlights some of the key failings of businesses to keep data secure and how the threats to the data can be mitigated.
Among its recommendations, it highlighted that staff and systems need to be regularly tested, security should be kept in mind at all stages of building and implementing any new systems, apps or processes and that there should be larger sanctions for those firms who suffer breaches.
One of the principle recommendations is that, in accordance with the new General Data Protection Regulations, due in March 2018, the level of fines should increase to prompt all firms into action to mitigate their risks now. "The ICO should introduce a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches. A data breach facilitated by a ‘plain vanilla’ SQL attack, for example, or continued vulnerabilities and repeated attacks, could thus trigger a significant fine."
At Xyone we believe your people are your biggest asset and greatest threat, and the report acknowledged the 2016 Breaches Survey statistics that 42% of breaches were caused by internally. The Committee identified the social engineering attacks, through phoney telephone calls, as a key threat to data security: "There needs to be a step change in … awareness of on-line and telephone scams". The report repeatedly prescribes staff awareness training as a compulsory measure to take to deal with this.
The Committee recommended that systems need to be regularly tested, both in terms of technical scenarios and also with the growing threat of the socially engineered threats. "The person responsible for cyber-security should be fully supported in organising realistic incident management plans and exercises, including planned communications with customers and those who might be affected, whether or not there has an actual breach." This approach should include identifying and testing the physical, digital and verbal threats to a firm, through Manipulate techniques such as email spoofing, phishing and physical penetration testing of offices.
The report also made it clear that there needs to be a culture of "security by design" when building new web and mobile applications. "We were also surprised that there is no requirement to make security a major consideration in the design of new IT systems and apps. We therefore recommend that security by design should be a core principle for new system and apps development and a mandatory part of developer training, with existing development staff retrained as necessary." For firms without an in-house team or wanting an external third party to test their work, the report describes ways in which you can implement "security by design" into the development process through web application solutions.
Throughout the Report, the Committee make it clear that their recommendations are not just applicable for the telecommunications sector, but for all businesses that hold personal data.
You can read the Culture, Media and Sport Committee's Report in full here.
Do you want to know more information about how you can build your resilience before a breach? Call 0333 323 3981 today for a free consultation with one of our cyber security experts.