Cybersecurity for Busy Executives – What is Cybersecurity?
“Cyber security, computer security or IT security is the protection of computer systems from the theft and damage to their hardware, software or information, as well as from disruption or misdirection of the services they provide.
Cyber security includes controlling physical access to the hardware, as well as protecting against harm that may come via network access, data and code injection. Also, due to malpractice by operators, whether intentional or accidental, IT security is susceptible to being tricked into deviating from secure procedures through various methods.
The field is of growing importance due to the increasing reliance on computer systems and the Internet, wireless networks such as Bluetooth and Wi-Fi, the growth of “smart” devices, including smartphones, televisions and tiny devices as part of the Internet of Things.”
Ok, so here we are with the second blog in your Executive (Cyber) education. Firstly, I need to make an apology. I made some grand statements in the last blog about providing practical advice. That will come, but before we get to that, it is important to understand some basic Cybersecurity terms, as these underpin everything else. Cybersecurity practitioners are a precise bunch – who can blame them, they have to be – so although practitioners need to be able to speak the same language as the board, Executives can meet them halfway by understanding some of the key concepts and terms.
People are key to protecting your organisation, and they need to have the right level of understanding for them to be effective. The next few blogs will help raise your level of understanding.
It is not just about Technology...
We will start with some context and basic explanations on what cybersecurity really is. It is a common misconception that Cybersecurity is only about the technology that protects an organisation’s IT infrastructure, network, applications and devices (I will shorten these to IT Estate for ease) – and the data and information that they contain. Yes, that is a very important part of it. Cybersecurity, however, is a much wider concept. It is also about empowering the people who have access to an organisation’s IT Estate and data; the culture of an organisation; policies and processes/procedures; the governance of the organisation; and lastly physically protecting the organisation itself.
Let us delve a bit deeper into each one:
Cybersecurity can seem like a scary concept to non-practitioners, as it is assumed that it involves complicated technology that only expert developers and cyber professionals can understand. Whilst that is not entirely untrue, good Cybersecurity is no different to the smooth running of any other part of an organisation. There are complicated elements to it, as there are in a Finance Department, Strategy Department or on the production line of a car manufacturer, for example. However, like all parts of an organisation, there is a need for clear understanding and communications at the interface between general management and Cybersecurity practitioners, and effective governance (with underlying policies) should seek to do just this. Cybersecurity practitioners need to empower the people as well as enabling the Executive.
One of the reasons for a disconnect between the board, Executives and cybersecurity practitioners is that practitioners can struggle to articulate cybersecurity, and its applicability, in a language the management understands, i.e. in the context of the wider business. This is to be expected. Cybersecurity is a relatively new concept – the definition of cybersecurity only appeared on Wikipedia recently, and there is no seat on the board for the Chief Information Security Officer – but as it starts to establish itself even more, I would expect this to change.
To make the whole concept easier for you to understand, we have built a diagram below which shows a highly simplified example of what your organisation’s IT estate might look like, and how Cybersecurity applies to that. As we go through this blog series, this will form the basis of how we describe the different concepts. We will be using a fictional company XYZ Ltd. The larger and more diversely technical an organisation, the more complicated this diagram can become, but it forms a good building block on which to explain the key concepts.
Most people’s understanding of cybersecurity is focussed on protecting the organisation itself and its customers’ interests, and people mistakenly believe good cybersecurity defence is simply building a wall around the organisation. When you consider that the diagram above is a simplistic representation of an organisation and reality is that organisations could have over 2,000 third party suppliers and possibly 100 offices, organisations have multiple areas that hackers could target. The image above does help to give us a starting point and we will add to this as we develop your knowledge.
So now, it is hopefully clearer that Cybersecurity is a much broader topic than people realise, and you now understand a little bit more about the different areas that are part of it. Next week, we will move onto talking about the different type of attackers who could be targeting your organisation. Until next time.
Rizikon started life as a Cyber Security Risk assessment tool, which has been adopted as a standard by a number of Consultancies and Professional Advisers. In February 2017, we chose to add a substantial GDPR readiness assessment and planning section – so that it now also works as a strong GDPR consulting tool.
With everyone declaring themselves a GDPR expert, well ahead of comprehensive guidance from the ICO, Rizikon now actually allows Consulting organisations to offer a comprehensive GDPR readiness audit and planning tool – for as little as £50 per client (at volume).
Consultants and Advisers who want to offer up-to-date guidance on GDPR should take a look at Rizikon and how it delivers GDPR assessments at low cost.
The advisory reports are kept up-to-date with the latest from the ICO, with updates every 4 to 6 weeks.
To find out more about our GDPR Consulting tool Rizikon, just contact us or request more information about becoming a Rizikon Partner.
What is the GDPR?
- The General Data Protection Regulation (GDPR) will, from May 2018, significantly extend the provisions of the Data Protection Act
- It defines the data covered to include anything about an individual EU citizen that could identify them e.g. an IP address captured at login
- It requires that clear and affirmative consent to collect, store and process data is obtained (and sustained) from the individual, e.g. not just pre-filled tickboxes.
- It requires you to tell them, free of charge and in a timely manner, what data you hold about them. And in a portable electronic format if they so request.
- It requires you to respond if they withdraw their consent for you to process it, or request that you rectify it (if wrong), or to request full erasure of the data. There are some circumstances in which you can keep data but the onus of proving the need is on you.
- If you have passed on their data to third parties, then you have an obligation to inform those third parties of any changes in consent, in the data and to advise of erasure.
- It has provisions to fine you up to the higher of €20M or 4% of Global annual revenue for some categories of personal data breach. So you had better have really good cyber security! A personal data breach means a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
- In case you’re now wondering, it also has provisions to fine you up to €10M or 2% of Global annual revenue if you fail to report a notifiable personal data breach to the relevant authorities within 72 hours. In the UK that will very likely be the Information Commissioner’s Office.
- If you sign up to a GDPR related certification scheme, and fail to adhere to the rules, there are also provisions to fine you up to €10M/2%.
More accurately it is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
GDPR and Brexit
Some news for those in the UK. The GDPR is probably not going away because of Brexit. The UK is already committed to implement it by 25th May 2018, when the country will still be in the EU. Even if the UK Government subsequently waters it down or implements its own version, it will still apply to any data held about EU citizens.
Governance & Accountability
The main two drivers of the legislation are to increase citizens’ rights concerning the data held about them, and to increase the accountability of organisations and their management in taking those responsibilities seriously. This will require you to have better governance of data, privacy issues and cyber security.
In many cases you will need new policies & procedures and it is likely that new roles & responsibilities will need to be created. More than anything a new mind-set is needed amongst non-technical leadership to both demand the right things from their IT providers, and to pay for them. Not that it’s exclusively an “IT problem”. The whole organisation will need to readjust how it looks upon data about individuals.
You need to start your GDPR preparations in 2017
Thinking prudently, once the regulation is active you should assume that:
- Individuals will start exercising their rights (to know what data you have about them, to request erasure, etc.). Potentially some will exercise these rights quite aggressively. You will want self-service for most of this by then.
- You will be fined if you have serious breaches – and that you will have to report breaches within 72 hours, or be fined. You’ll need better defences, better monitoring and slick breach-reporting.
- You will have to show that you have serious governance in place managing these regulatory requirements, covering everything from doing data impact assessments, having good cyber security, breach reporting, data requests and so on.
All of this means that, even though some of the details are yet to be decided, you need to start work now. This is because these are not trivial changes. This is of the order of magnitude of Y2K. It means looking at all of your systems that hold affected data and working out how the regulation impacts them – and then implementing the changes and getting them live. It means putting someone in charge of the programme and giving them a budget. It means understanding where you are now and where you need to get to in good time for May 25th 2018.
Three GDPR suggestions to do right now
- Read about the GDPR (here is a good starter for ten on the ICO web site) but also discuss it with your legal advisors. Review your existing DPA processes and understand how much more you will need to do.
- Because it’s a long process (and getting harder), start improving your cyber security by taking a cyber security risk assessment – you must reduce the risk of personal data breaches well before 25/5/2018!
- Discuss the possible impact of GDPR at management meeting(s) and assign someone the responsibility of pulling together a cross-functional action plan covering IT, HR, Marketing and “the business”. Get some expert help in if you need support.