The Culture, Media and Sport Committee has published its report Cyber Security: Protection of Personal Data Online. This inquiry was launched in October 2015 following the cyber-attack on TalkTalk’s website. The Committee looked at cyber-security and the response to cyber-crime and broader issues around data protection. Jonathan Sander, VP of Product Strategy at Lieberman Software commented on this report below.
Jonathan Sander, VP of Product Strategy at Lieberman Software:
“The notion of the CEO and Board being involved in cybersecurity is essential. Often the implications and remedies to cybersecurity issues cut across every aspect of an organization’s operations. The bad guys don’t have to wade through politics and bureaucracy to cross those lines, but everyone within an organization will unless they have immediate and prioritized access to executive backing. When these breaches occur, it’s absolutely required that executives use their powers to ensure response is swift and complete.
The comparison of cybersecurity awareness for the public with smoke alarm testing is good, but the analogy seems to fall apart even as it’s made. Just like the public needs to proactively ensure their smoke alarms are in good shape they must also be proactively behaving in safe ways online and looking for the signs of a scam as they happen. The message should not simply be about how to handle the wake of incidents, but also about how to avoid both being taken in by scams and how to behave in ways that lessen the impact of breaches when they are out of your control.
The ICO and other bodies should be cautious about deploying systems of fines and other financial penalties for cybersecurity lapses. Often putting a set price on these risks simply allows organizations to make a calculation about how little they may spend on cyber defense in order to offset the maximum costs of fines. You see this at work in the regulatory world where an organization often decides to simply pay fees for being out of compliance rather than spend what they feel would be more to be in line with the statutes. If cybersecurity simply becomes another set of regulations, then a check box mentality will rule and we will see minimum effort and minimum expenditures. The risk of cybersecurity must be kept akin to the risk of real world crime, where organizations know that a big heist could be an existential threat to their business and act accordingly.”
[su_box title=”About ” style=”noise” box_color=”#336588″][short_info id=’69811′ desc=”true” all=”false”][/su_box]
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.