Author: Security Experts / Source: Information Security Buzz
The latest government ‘cyber governance health check’ and a survey of the UK’s top 350 companies revealed that more than two-thirds of boards have not received training to deal with a cyber incident. IT security experts commented below.
Mike Simmonds, Managing Director at Axial Security Systems:
“I am constantly surprised by the lack of preparation we experience in the corporate world when it comes to cyber-security; we see a relaxed attitude to securing hardware, data and communications almost every day in interactions with existing and new customers. One of the most worrying aspects is the lack of understanding of the serious nature that ignorance brings.
“Ignorance of basic security practices and operations that must be at the top of every company’s ‘to do’ list.
“The government has taken the need for education very seriously and has set up accessible bodies to educate at every level of a business, but it is still incumbent on the business leaders to oblige their staff to follow and certify themselves against this training – and re-visit the skills that they have learned on a regular basis – it is vital to stay current.
“Cyber-security is the same as road-safety. It should be taught from an early age; you never stop learning and practising what you have learned, and it needs to be taken very seriously. When you think that ‘it will never happen to me’ it probably will, or in the cyber-world, it might already have happened, but you have yet to notice.”
Brian Vecci, Technical Evangelist at Varonis:
“GDPR is making it mandatory for organisations to keep their data private. Unfortunately, most have a long way to go in order to get there. Privacy regulations like GDPR are fantastic for consumers – they get extra assurance that their personal information is being protected.
Protecting your customers’ and partners’ data might seem like a low bar to meet, but according to a recent survey of IT leaders in the UK, Germany, France, and the US – where GDPR can apply if you’re doing business with European consumers – 75% of companies say they’ll struggle to be ready by the deadline. It sounds crazy, but it will take years for some companies to make sure this data is secured properly. More than half – 52% – say they can’t even find personal information or have any idea who’s got access to it, who’s using it, or when it should be deleted. Even more say they can’t meet GDPR Article 17, the “right to be forgotten,” meaning they can’t go out and delete your data if you asked them to.
GDPR may help elevate data security and privacy at the top of organisations’ to-do lists, but many organisations are struggling with just knowing where it all is. The threat of heavy fines may help change the economic equation and spur organisations forward, but increasing threats like insider breaches and cyberattacks like ransomware have been helping many organisations make these kinds of changes for years. GDPR mandates some basic, common sense controls for data that organisations will benefit from following whether they’re subject to penalties or not. Just knowing where that kind of sensitive data is, building privacy and security into the design of the system, limiting who can access it all and monitoring everything will mean that you limit the potential damage of any kind of break or attack and you’ll know far faster when something goes wrong.”
Marco Cova, Senior Security Researcher at Lastline:
“The recent waves in ransomware attacks have shown that cyber attacks can have significant impact on the real-world operations of the affected organizations: we have seen hospitals in the UK forced to send away patients during the WannaCry attack; employees at large and small companies unable to conduct business for days…