Government figures estimate the cost of cyber crime to the UK economy at £27 billion a year. To address this, the EU has set a deadline of mid-2016 for each member state to develop a national cyber strategy.
23 April 2014
In February 2013 the European Commission published a cyber security strategy to design and enforce a harmonious standard of network and information security across the European Union.
Its prime feature was a draft directive that sets mandatory cyberspace policies on public authorities and operators of critical infrastructure in the fields of energy, transport, banking, stock exchanges and health.
The expected deadline for implementation of the directive is spring/summer 2016, by which time member states must have developed a national cyber security strategy and a corresponding suite of sanctions enforced by a chosen regulator.
The principal aim of the directive is two-fold. The first is to ensure that appropriate technical and organisational measures are taken to manage cyber security risks and minimise the impact of related incidents. The second is to facilitate co-operation and information sharing between authorities and the private sector.
Technical reforms to consider are that businesses must ensure they have adequate controls in place to mitigate the risks of cyber incidents. And national authorities will have the power to request that companies undergo a security audit and share the results with them.
Steps to prepare for the directive
Implementing controls to guarantee compliance will be costly. So any cyber security initiative should address its main vulnerability – the human factor. Seventy-eight per cent of data breaches suffered by organisations are because of employee behaviour, which limits technological safeguards in their ability to offer a viable defence.
1. Enforce a mobile device management (MDM) policy: Having a strong virtual private network (VPN) will only protect your data if you are able to retain some kind of control over the devices that connect to it. The trend towards bring-your-own-device (BYOD) means that issuing employees with centrally administered phones is no longer a fail-safe option of managing devices on your network. Seventy-four per cent of respondents to a survey by US security company Fortinet said they brought their own devices to work irrespective of company policy. For best practice:
- Maintain an inventory of all devices used by employees and the applications installed on them;
- Invest in MDM products so you can perform a remote wipe on mobile devices; and
- Administer a strict policy over the level of encryption and inactivity timeouts on personal devices.
2. Educate your employees: FMs must make sure that employees stay abreast of cyber threats by informing them about:
- How to keep their machines clean – workers must be aware of what they can and can’t install on their personal and work devices;
- Maintain physical control over their machines – employees should be trained on where not to use and leave their machines, how to minimise the risk of theft or loss and to routinely back up important information; and
- Report suspicious incidents – training sessions should teach employees how to recognise suspicious occurrences on their device and report any loss, theft or virus to the IT team. Training sessions should be face-to-face events to help to establish a communication channel between employees and IT officers and give staff a chance to ask questions.
3. Co-operation and information sharing:
- Businesses must report incidents that have a “significant impact on the security of the core services”, to regulators;
- National regulators are now required to closely co-operate with the commission to circulate early warnings of risks; and
- Regulators also have a discretionary duty to inform the public of an incident if it determines that disclosure is in the public interest.
4. Implement a breach notification and response plan. Businesses should strategise over how they would respond to an incident in a way that minimises costs and satisfies regulators and stakeholders. To do this you need to consider:
- Categorising your data according to its nature and rank its level of sensitivity;
- Developing response objectives for each category to be achieved in an assigned amount of time; and
- Allocating responsibility to a predetermined team of internal or external experts across all business functions – i.e audit, legal, risk – and specify when the issue needs to be escalated.
5. Form a strategic communications plan: Although IT policies typically focus on the technical side of a breach, often the most destructive implications are the loss of investor confidence and consumer trust that follows. The level of transparency and dialogue that the directive mandates must be met in your response plan with a comprehensive crisis communications protocol.
Assess your in-house capabilities and identify areas where external assistance is needed. Open a dialogue with your preferred provider so you can deploy a comprehensive response strategy within the shortest possible time.
The directive still holds an uncertain future, but what we can see from the proposals is a regulatory push for companies to embrace a cyber-conscious culture.
UK cyber crime victims are losing about £3 million each a year, which suggests that although initial outlay to safeguard your business may be significant, the cost of ignoring the threat will certainly prove to be far greater.
Andrew Durant is a senior managing director at FTI Consulting, Forensic and Litigation Consulting