2016 was a black year in the history of data breaches. With countless websites and applications breached, many users’ details were made available online. Of the reported and published breaches, over 1,167 billion users’ details were leaked. Over halfway through 2017, that figure is close to being surpassed.
Each year the UK government surveys the FTSE 350 companies about their cyber security and data protection measures. Over the past years, we have seen a continual improvement in the adoption of cyber security as a board-level conversation. This year, the improvements continue, although there is still a long way to go.
Board management of cyber risk
The survey revealed that 95% of Boards had either an acceptable or a clear understanding of their company’s key information and data assets. Of these respondents, only 57% have a clear understanding of the potential impact of the loss or disruption of those key information or data assets. The effects of WannaCry in recent months bear this out: while many businesses were aware of their key information and data assets, they had failed to plan adequately for the period when those assets were unavailable.
One very interesting fact to come out of the survey is that Boards remain split over their approach to reviewing the security of customers’ data, with only 50% of respondents saying their Board does review and challenge reports on the security of their customers’ data. This is most certainly backed up by incidents at TalkTalk, the AA, Virgin Media and Debenhams, to name just a few high-profile cases.
In today’s highly connected age, accepting that you are eventually going to be breached is sensible. Once this is accepted, you can plan your response. During the recent WannaCry incidents, two of our clients had very different response plans. Client A’s plan included a process for this type of incident that involved flipping the master circuit breaker, accepting that a potential loss of 2 hours’ work is significantly less harmful than a mass denial of access to critical information. Client B’s plan was more methodical but involved removing all connectivity, accepting that a small number of hours without connectivity was preferable to malware spreading.
This year’s survey reported that one in ten businesses have no plan in place. That is one in ten FTSE 350 businesses that will potentially face a catastrophic loss should they be breached.
This year’s survey asked questions about Boards’ awareness of GDPR and their preparations to meet the requirements of the law. Respondents’ awareness ranged from very aware (37%) to somewhat aware (45%) and slightly aware (15%). Almost three-quarters of respondents said they were somewhat prepared to meet the new compliance requirements brought about by GDPR. However, only 6% reported being completely prepared to meet their compliance requirements.
Over the last year, our data protection team has been working with many clients to help them align with the new law. When we reviewed the state of many of our clients before engagement, we found a lack of awareness. We noted that while the driver for many clients was to comply with GDPR, many of them were failing to comply with the existing Data Protection Act.
Hedgehog Security offers three core services to businesses:
Continual Cyber Assurance: our cyber security, compliance, governance, and risk management service to help businesses of all sizes manage their cyber risk in a proactive manner.
Continual Cyber Monitoring: our 24x7x365 cyber security monitoring platform to help businesses of all sizes stay alerted to potential and real threats to their digitally connected systems. Combined with the service’s threat intelligence and incident response facets, CCM keeps watching when you are unable to.
Continual Cyber Testing: provides real-time threat analysis, vulnerability assessments and penetration testing of your systems, alerting you to where weak points exist in your security and advising you on how to remediate the weaknesses found.
To find out more, call 540 65558 or email firstname.lastname@example.org