It seems like every week, sensitive data is being lost or stolen from companies. And as we become more IT reliant in business and our personal lives, the issue is becoming more regular and more disconcerting.
Just look at the sectors, where data or systems have (or may have) been compromised by “cyber-attack” or failed in recent months.
- Health (NHS)
- Cross sector (Ransomware)
Without going into further detail here, its going to get a whole lot more challenging in a world of the Internet of Things (IoT). Simplistically, a very joined up world where machines like your fridge checks and orders food for you.
Our friends at the International Standards Organisation think so too. “Are we safe in the Internet of Things?”.
So, what exist to help protect businesses and consumers' data and systems.
There are two aspects to people protecting their IT Systems. While much attention is paid to and rightly so the protection of personal data, particularly financial details, less attention has been paid to the operation of the systems which gather, maintain and use the data.
We have had Data Protection Regulations since 1995, and we know it as the Data Protection Act. Its been around for about 20 years and we have probably all taken it a bit for granted, assuming that our data is handled and professionally held and managed.
This is what “Data Controllers” are supposed to do under the Data Protection Act.
They must make sure the information is:
- used fairly and lawfully
- used for limited, specifically stated purposes
- used in a way that is adequate, relevant and not excessive
- kept for no longer than is absolutely necessary
- handled according to people’s data protection rights
- kept safe and secure
- not transferred outside the European Economic Area without adequate protection
There is also stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- sexual health
- criminal records
But if we move to the here and now, legislators have been looking more closely at IT as a global entity and the potential erosion of the individuals rights and access to data held about them.
Enter The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).
So what is it?
Its a Regulation intended to strengthen and unify data protection for all individuals within the EU. It also addresses the export of personal data outside the EU. The GDPR aims primarily to give control back to citizens and residents over their personal data and to simplify the regulatory environment for international business by unifying the regulation within the EU.
In addition to the requirements already found in current Data Protection legislation, it will also look at automated analysis (profiling), privacy by design, outsourced activities and include companies based outside the EU, that collect or process data on EU citizens.
Business has begun to wake up to the prospect of implementing it by next year and it is now a growing topic of discussion in the commercial world.
Having looked at Data, what about operations and the provision of IT services.
Operations and Services
This is basically, the infrastructure (hardware/software) and the services that are produced from them.
There are periodic outages of systems, which can vary from the annoying, ie slow broadband to the personally distressing, ie access to your money at the bank.
But there is another group of activities, where the potential impact of failure could be more widespread and catastrophic. These are the essential services eg: emergency services, military networks, air traffic control, medical records.
In a response by governments to boost network and information security and prevent cybercrime and attacks, including in essential services, the NIS Directive which the EU introduced in 2016 and will have to be implemented by 2018.
It requires the Operators of Essential Services (OESs) to ensure that organisations in the electricity, transport, water, energy, health and digital infrastructure sectors put in place systems to protect their IT systems. Examples of affected organisations are NHS, rail operators, airports and airlines, data centres.
This protection will require actions to mitigate failures to hardware, environmental impacts and power outages, whether from failures or deliberate attack.
To focus attention on the importance of such measures, fines up to £17m will be levied.
Working with a range of businesses, we are finding that there is,
- Sometimes a relaxed attitude to data, its gathering, storage and management. In fact a survey by the Information Commissioners Office (ICO) found that only 25% of consumers trust businesses with their personal information.
- Assumptions about who is responsible within the organisation. The most common comment is that its IT that look after all that or we employ a company to look after all our IT.
- Assumptions that when outsourcing IT services, their perceived expertise will protect you.
Without being critical in any way, its simple to understand why. IT is seen as very specialised and technical and basically, a lot of us don’t understand the mechanics. We are only interested when it does not work.
Data protection can be seen as complicated and bureaucratic. A Report from 2015 showed that 80% of European businesses surveyed agreed with this.
However, we still believe that it is crucial and in the interest of all businesses to relook at their IT and data protection now.
Government is proposing that essential operators will be required to:
- develop a strategy and policies to understand and manage security risks to their network and information systems
- implement methods to avoid cyber-attacks or system failures, such as preventing unauthorised data access, actively managing software vulnerabilities, and increased staff awareness and training
- ensure system security defences are effective so as to detect attacks
- report incidents as soon as they happen and take steps to understand the root cause
- have systems in place to ensure that they can recover quickly after any event, with the capability to respond and restore systems.
In some ways it looks similar to implementing an Information Security Management System (ISMS) such as ISO27001, where these key requirements are covered.
And how long before the expectation to have an ISMS in place moves to all business. It might be in your interest to look at what you have in place and ask the question,
“Would I be better protected by putting in a more formal Information Security Management System now?”
We can help.
Spedan, we Inform, Support, Sustain