A company can have the best technology team, but if management don’t take security seriously too, then data will inevitably get lost or stolen, the Information Commissioner has warned.
Various past instances have already shown that this is the case, Elizabeth Denham told the audience during a keynote session at the National Cyber Security Centre’s CYBERUK conference in Manchester.
“Security is a boardroom-level issue. We have seen too many major breaches where companies process data in a technical context, but security gets precious little airtime at board meetings,” she said.
“If left solely to the technology teams, security will fail through lack of attention and investment. These companies may have the best policies in the world – but if those policies are not enforced, and personal data sits on unpatched systems with unmanaged levels of employee access, then a breach is just waiting to happen”.
Denham pointed to a number of high-profile organisations which would’ve been protected against damaging cyberattacks if they’d taken security more seriously.
“Had TalkTalk and Carphone Warehouse implemented rudimentary protections, attackers would not have gained access to their systems. If NHS systems had been patched and up to date, they would have been protected from WannaCry,” she said.
The Information Commissioner warned that organisations can’t just install technology and hope for the best: the security of that technology, and of the systems and data which need protection, must be constantly reassessed.
Denham explained that while the Information Commissioner’s Office understands attackers will engage in hacking and attempt to breach networks, organisations must take responsibility for security.
“We understand that there will be attempts to breach your systems. We fully accept that cyberattacks are a criminal act. But we also believe you need to take steps to protect yourself against the criminals,” she said.
“The revelations of recent weeks involving Facebook, Cambridge Analytica and others have been a significant wake-up call – the public is watching us, the public care about their data,” said Denham.
She described the revelations of recent weeks as a “critically important moment for data protection”.