Earlier this week the Culture, Media and Sport Committee in the UK published its report Cyber Security: Protection of Personal Data Online. The report was prompted by the cyber attack on TalkTalk, the telecommunications and Internet access company.
CEO Must Be Cyber Security Commander
One of the big takeaways from the report is that “It is appropriate for the CEO to lead a crisis response, should a major attack arise.”
I agree. CEO involvement in cyber security is essential. The implications of, and remedies for, IT security issues often cut across every aspect of an organization's operations.
The bad guys don't have to wade through politics and bureaucracy to cross those lines. Everyone within an organization does, unless they have immediate and prioritized access to executive backing. When a data breach occurs, executives must use their authority to ensure the response is swift and complete.
Raising Awareness of Cyber Threats
The report also recommends initiating "a public awareness-raising campaign, on a par with its campaign to promote smoke alarm testing." Comparing cyber security awareness with smoke alarm testing is a good start, but the analogy falls apart almost as soon as it's made: a smoke alarm only warns you once the fire has started. Just as the public needs to proactively ensure their smoke alarms are in good shape, they must also proactively behave safely online and watch for the signs of a scam as they happen.
The message should not simply be about how to handle the aftermath of incidents. It also needs to cover how to avoid being taken in by scams in the first place, and how to behave in ways that lessen the impact of breaches that are out of your control.
Financial Penalties Won’t Resolve IT Security Lapses
There's one point in the report where I diverge: its emphasis on levying fines to ensure that businesses enforce effective cyber security. The report recommends introducing "a series of escalating fines, based on the lack of attention to threats and vulnerabilities which have led to previous breaches."
Governing bodies should be cautious about deploying systems of fines and other financial penalties for cyber security lapses. Putting a price on these risks simply allows organizations to make a calculation about how little to spend on cyber defense to offset the costs of fines.
You see this at work in the regulatory world. An organization often decides simply to pay the penalties for being out of compliance, because it judges that cheaper than the cost of meeting the statutes. What happens if cyber security simply becomes another set of regulations? A check-box mentality will rule. We will see minimum effort and minimum expenditure.
The risk of cyber security must be kept akin to the risk of real world crime, where organizations know that a big heist could be an existential threat to their business and act accordingly.