Cyber security is not just about information, needs education and behaviour change
by Kylene Casanova
The UK government’s announcement of new investment in a £1.9bn cyber security strategy was welcomed by the IET (Institution of Engineering and Technology), but the IET is calling for the emphasis to be on education and behaviour change, which needs to be led by business leaders.
The problem, according to Prof Roy Isbell, the IET’s cyber security expert, is that: “Any organisation is at risk of being hacked, however good their security measures. But while most have plans for how to cope with a hacking incident, very few CEOs have seen or understand their plan.”
Isbell points out that:
- organisations typically invest millions in cyber security measures and protection, but frequently only train one or two members of staff. Having the plans is not enough – it’s far more important that people at all levels of an organisation, including its leadership, can implement them effectively
- cyber security is not just about information, it is about all areas of the business; including automated manufacturing processes, which if hacked could lead to a significant loss of production
- humans are the ‘weakest link’, so, for example, organisations need to rethink the way employees use the internet at work, including using work email addresses for personal use. And most organisations have two or three levels of access to data, usually based on the internal company hierarchy rather than on individuals’ ‘need to know’
- companies need to eliminate the ‘blanket’ policies that are applied indiscriminately to all kinds of data sets. This is because they often don’t understand the value of their data or how to cost the risk of being hacked so fail to create data protection policies based on the value of their data.
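The two access models Isbell contrasts, a fixed set of access levels tied to hierarchy versus explicit need-to-know grants per data set, can be made concrete with a small policy check. The code below is an added illustration, not part of the original article or the IET’s material; the staff, ranks and data sets are constructed sample values, and the idea of walking every (person, data set) pair to list where the hierarchy model over-grants is an assumption about how a reviewer might audit such a policy.

```python
"""Hierarchy-based vs need-to-know access decisions (constructed example)."""

# Constructed sample data: each data set carries its business value and the
# people who actually need it. An empty need_to_know set on low-value data
# means it is open to all staff.
DATA_SETS = {
    "payroll":      {"value": "high", "need_to_know": {"hr_lead", "payroll_clerk"}},
    "plc_recipes":  {"value": "high", "need_to_know": {"line_engineer"}},
    "canteen_menu": {"value": "low",  "need_to_know": set()},
}

# Constructed staff list with their place in the hierarchy (0 = lowest).
STAFF = {
    "ceo":           {"rank": 3},
    "hr_lead":       {"rank": 2},
    "payroll_clerk": {"rank": 1},
    "line_engineer": {"rank": 1},
    "intern":        {"rank": 0},
}

# The 'two or three levels' model maps data value onto a minimum rank.
VALUE_TO_MIN_RANK = {"low": 0, "medium": 1, "high": 2}


def hierarchy_allows(user: str, data_set: str) -> bool:
    """Hierarchy model: rank alone decides, regardless of job need."""
    if user not in STAFF or data_set not in DATA_SETS:
        return False
    needed = VALUE_TO_MIN_RANK[DATA_SETS[data_set]["value"]]
    return STAFF[user]["rank"] >= needed


def need_to_know_allows(user: str, data_set: str) -> bool:
    """Need-to-know model: an explicit grant per data set, rank is irrelevant.
    Low-value data with no grant list is treated as open to all staff."""
    if user not in STAFF or data_set not in DATA_SETS:
        return False
    entry = DATA_SETS[data_set]
    if entry["value"] == "low" and not entry["need_to_know"]:
        return True
    return user in entry["need_to_know"]


def hierarchy_overgrants() -> set:
    """Audit helper (assumed review step): every (user, data_set) pair that the
    hierarchy model allows but the need-to-know model would deny. Each pair is
    access that exists only because of rank, not because of a job requirement."""
    return {
        (user, ds)
        for user in STAFF
        for ds in DATA_SETS
        if hierarchy_allows(user, ds) and not need_to_know_allows(user, ds)
    }


def hierarchy_undergrants() -> set:
    """The reverse gap: people who need a data set but whose rank is too low,
    which in practice drives workarounds such as shared credentials."""
    return {
        (user, ds)
        for user in STAFF
        for ds in DATA_SETS
        if need_to_know_allows(user, ds) and not hierarchy_allows(user, ds)
    }


if __name__ == "__main__":
    for pair in sorted(hierarchy_overgrants()):
        print("over-granted by hierarchy:", pair)
    for pair in sorted(hierarchy_undergrants()):
        print("blocked by hierarchy despite need:", pair)
```

Running it shows both failure modes the article implies: the CEO is allowed payroll and PLC recipes purely by rank while having no stated need for either, and the line engineer who actually needs the PLC recipes is denied them because rank 1 is below the ‘high’ threshold. Neither outcome is visible if access is reviewed only in terms of levels.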
Prof Isbell concluded that, “As part of the Government’s new cyber security strategy, there is a real opportunity to educate organisations in how they approach and prioritise cyber security planning. Training a new generation of cyber security experts is vital – but so is making sure that today’s leaders understand and can tackle the extent of the challenge we face.”
In the US, shareholders are suing companies for lying about cyber security
Litigators in the USA are now advising boards and shareholders on the legal implications of data breaches. Two key ways have emerged in which companies can take a hit as the result of a breach. The first is that a breach can result in the loss of corporate intellectual property, and of the competitive advantages that go with it. The second is that a breach can give rise to consumer litigation, securities fraud litigation, and even liability for corporate directors.
Although this type of litigation is quite new, most experts think that the exposure will increase, because the markets are becoming much more sophisticated in their understanding of the financial consequences of such breaches. There are two ways that breaches can give rise to suits: 1) boards making a decision regarding cyber security that simply didn't work, and 2) the failure to take any precautions at all.
CTMfile take: 1) Is your data access policy determined by hierarchy rather than ‘need to know’? 2) Cyber security is an integral part of managing a company. If boards and senior management are negligent here, shareholders have every right to sue them.
