A company can have the best technology team but if management don't take security seriously too then data will inevitably get lost or stolen, the Information Commissioner has warned.
Various past instances have already showed that this is the case, Elizabeth Denham told the audience during a keynote session at National Cyber Security Centre's CYBERUK conference in Manchester.
"Security is a boardroom-level issue. We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings," she said.
"If left solely to the technology teams, security will fail through lack of attention and investment. These companies may have the best policies in the world - but if those policies are not enforced, and personal data sits on unpatched systems with unmanaged levels of employee access, then a breach is just waiting to happen".
Denham pointed to a number of high profile organisations which would've been protected against damaging cyberattacks if they'd taken security more seriously.
"Had Talk Talk and Carphone Warehouse implemented rudimentary protections attackers would not have gained access to their systems. If NHS systems had been patched and up to date, they would have been protected from WannaCry," she said.
The Information Commissioner warned that organisations can't just install technology and hope for the best, that technology and the systems and data which need protection must constantly have its security reassessed.
Denham explained that while the Information Commissioner's Office understands attackers will engage in hacking and attempt to breach networks, organisations must take responsibility for security.
"We understand that there will be attempts to breach your systems. We fully accept that cyberattacks are a criminal act. But we also believe you need to take steps to protect yourself against the criminals," she said.
"The revelations of recent weeks involving Facebook, Cambridge Analytica and others have been a significant wake up call - the public is watching us, the public care about their data," said Denham.
The revelations of recent weeks as a "critically important moment for data protection," she said.
The European Union's incoming GDPR legislation bolsters data protection legislation across Europe with a new set of rules designed for the modern age. Those organisations which are found to have mishandled or misused data, or misled users on their true intentions for data for could potentially face hefty penalties.
"The law requires you to be transparent and tell them what you're going to do with their data and then you have to stick to what you said," Denham said.
"This is really the strengthened part of the law: you have to be prepared to account to consumers, to citizens and to the regulator for what you have done. That's a significant shift in the law".
"Tell it all, tell it fast and tell the truth. If you work with us, you'll find the ICO is a reasonable and proactive regulator," she added.
READ MORE ON CYBER SECURITY
- Yahoo users can sue over data breaches, judge rules
- Facebook, Cambridge Analytica and data mining: What you need to know [CNET]
- Under Armour says 150 million MyFitnessPal accounts hit by data breach
- Cambridge Analytica's Facebook game in politics was just the beginning, the enterprise was next [TechRepublic]
- Facebook's mea culpa tour, Cambridge Analytica and GDPR: The data game is changing before our eyes