Cyber security: Don't leave it to your tech team or you'll get breached, warns data protection chief

"If left solely to the technology teams, security will fail through lack of attention and investment," warns Information Commissioner.
Written by Danny Palmer, Senior Writer

A company can have the best technology team in the world, but if management does not take security seriously too, data will inevitably be lost or stolen, the Information Commissioner has warned.

A number of past incidents have already shown this to be the case, Elizabeth Denham told the audience during a keynote session at the National Cyber Security Centre's CYBERUK conference in Manchester.


"Security is a boardroom-level issue. We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings," she said.

"If left solely to the technology teams, security will fail through lack of attention and investment. These companies may have the best policies in the world - but if those policies are not enforced, and personal data sits on unpatched systems with unmanaged levels of employee access, then a breach is just waiting to happen."

Denham pointed to a number of high-profile organisations that would have been protected against damaging cyberattacks had they taken security more seriously.

"Had Talk Talk and Carphone Warehouse implemented rudimentary protections, attackers would not have gained access to their systems. If NHS systems had been patched and up to date, they would have been protected from WannaCry," she said.

The Information Commissioner warned that organisations cannot simply install technology and hope for the best: the technology itself, and the systems and data it is meant to protect, must have their security reassessed continually.

Denham explained that while the Information Commissioner's Office understands that attackers will attempt to breach networks, organisations must still take responsibility for their own security.

"We understand that there will be attempts to breach your systems. We fully accept that cyberattacks are a criminal act. But we also believe you need to take steps to protect yourself against the criminals," she said.


"The revelations of recent weeks involving Facebook, Cambridge Analytica and others have been a significant wake up call - the public is watching us, the public care about their data," said Denham.

She described the revelations of recent weeks as a "critically important moment for data protection."


The European Union's incoming General Data Protection Regulation (GDPR) strengthens data protection law across Europe with a set of rules designed for the modern age. Organisations found to have mishandled or misused data, or to have misled users about their true intentions for that data, could face hefty penalties.

"The law requires you to be transparent and tell them what you're going to do with their data and then you have to stick to what you said," Denham said.

"This is really the strengthened part of the law: you have to be prepared to account to consumers, to citizens and to the regulator for what you have done. That's a significant shift in the law."

"Tell it all, tell it fast and tell the truth. If you work with us, you'll find the ICO is a reasonable and proactive regulator," she added.
