Everyone has a responsibility to fight back against cyber criminals, which means being aware of the threats at work and at home, and changing our behaviour.

Steve Durbin is managing director of the independent, not-for-profit membership organisation Information Security Forum (ISF). He says the industry is focusing this year on the risks posed by ‘people’ because humans are often the weakest link when it comes to cyber security.

“The government announced earlier this month that school children in England will be offered lessons in cyber security. They will take that knowledge into adulthood, but adults today need to be better informed of the risks and threats,” he says.

He adds that, with so much content and data accessed and stored on mobile devices, everyone needs to change how they act when using technology, and think before they follow a link or connect to a Wi-Fi network.

“People wrongly assume that cyber security is just another piece of technology or service you can buy to solve the problem but there is no silver bullet,” says Durbin. “The industry needs to get into people’s heads and look at the psychology of how they act to influence behavioural changes.”

Safety at work

Cybercriminals will always look for the easiest route into organisations and it is often through the people who work for them.

“An employer cannot stop someone who is working remotely from accessing a public Wi-Fi connection but they can train staff to be more careful, and put in place more robust security.”

Durbin cites the example of one company that introduced a cyber security awareness programme focused on how people behave when they are away from work.

“It made employees think about how they keep their children safe online or protect their online banking,” he says. “Changing their thinking made them talk more positively about cyber security in the workplace and appreciate that this is not just an IT issue.”

The ISF warns that, with new types of device entering the workplace daily, organisations will withstand unexpected, high-impact security breaches only if they have prepared for the unknown.

“New security attacks will affect reputation and shareholder value so businesses need to manage risks in ways outside those usually handled by the information security function.” 

Emerging threats

Overall Durbin expects to see more severe cyber security risks appear this year and he advises companies to prepare for the worst but hope for the best.

He wants every organisation to be cyber resilient and have a plan of action for when the worst does happen.

For example, could the business continue to function after a major data breach, and would its directors be able to reassure customers and shareholders? Or would the brand suffer long-term damage?

Businesses must identify which data is mission-critical and recognise which of their information assets are the most valuable and would cause a major commercial impact if compromised.

“Far too often organisations do consider the value of these assets but then fail to understand the extent to which they are exposed to global security threats.”

Durbin says the Internet of Things (IoT), the connecting of devices around the home and workplace to the internet, is one of the biggest threats, because many of these devices were not designed with security in mind and protection has had to be retrofitted.

General Data Protection Regulation (GDPR)

Business owners must remain aware of not only cyber security threats but also changes in regulations that affect how they protect their customer and supplier data.

The European Union’s General Data Protection Regulation (EU GDPR) will come into effect in May 2018 and apply to UK businesses even after the country exits the EU.

Any business that processes personal data about people in the EU, including businesses outside the EU that offer goods or services to them, will have to comply with the GDPR.

The regulation requires organisations to keep personal data secure and to be able to demonstrate how and why they control or process it, which means maintaining records of what data is held and where. A business found responsible for a data breach could face fines of up to €20 million or 4% of its annual worldwide turnover, whichever is higher.

“Many organisations store their data in the cloud and the challenge for them will be to show where the information is and that it is adequately protected,” says Durbin. “The potential fines for companies of all sizes could be significant. GDPR is getting directors of companies more interested in cyber security, but they need to be willing to invest sufficiently in processes to protect data.”

When it comes to protecting big data, Durbin says organisations must be stricter about deciding which data is business-critical and stop collecting information they do not need.

The Information Commissioner’s Office (ICO) has reassured organisations that if they already handle HR records, customer lists or contact details within the terms of the Data Protection Act, they should not fall foul of the GDPR’s requirements.

If organisations are to be cyber resilient it is critical they ensure that all their data is protected and well managed, because the financial consequences and potential damage to the brand from any breach could be substantial.

“Cyber resilience is crucial for everyone, whether at home or at work. For organisations it is important they learn from past breaches so they can build better defences and better responses,” he says.

Learn more

Founded in 1989, the Information Security Forum (ISF) is an independent, not-for-profit association of leading organisations from around the world. It is dedicated to investigating, clarifying and resolving key issues in cyber, information security and risk management and developing best practice methodologies, processes and solutions that meet the business needs of its Members.

ISF Members benefit from harnessing and sharing in-depth knowledge and practical experience drawn from within their organisations and developed through an extensive research and work program. ISF provides Members and non-Members with the opportunity to purchase short-term, professional support activities to supplement the implementation of ISF tools, research and methodologies.