Has compliance kept up with digital during the pandemic?

The pandemic has delivered 7 years of transformation in the space of a year, but just as companies are facing up to the financial debts from the past year, so we are able to quantify the compliance debts to be paid through analysis of the DCMS breaches survey from 2021.

I looked at last year's study to see if the importance given to cyber security matched the operational reality (in short, the 80% importance stated by the board didn't match the 38% of action). Will this year be any different?

Data has become a priority for business, but not for governance

Organisations are becoming more aware of the need to use data better, with the quality of data coming to the fore. With 77% of organisations saying that cyber security was a high priority for them, would this increased awareness of data extend to governance?

Unfortunately not: with 40% of boards being updated annually or less, you have to ask whether that use of data is extending to managing cyber risks.

What is interesting is that the recent analysis from the ICO on data breaches shows that 73% of data breaches are non-Cyber related and 25% of all non-Cyber breaches do not relate to breaches of confidentiality (these are 19% of the total breaches reported to the ICO). There are real governance challenges related to data, and the greatest risk of breaches is not from technology, something borne out by the first penalty under the DPA 2018.

Perception doesn’t meet reality in actions taken either

The disconnect from last year in terms of perception and reality continues this year, with 34% of organisations conducting risk assessments (down from 37% last year) and 33% having security policies (down from 38% last year).

What impact did the pandemic have?

Undoubtedly, the pandemic moved focus away from normal governance.

Cyber security was a lower priority at the beginning because … from the other directors’ perspective, it’s their job to keep the business running at whatever cost. My role is to fight against that a little bit. It’s not at any cost. There still has to be a layer of security and we still need to be confident that whatever we do isn’t going to make us any more vulnerable. But it wasn’t the time to say, ‘I think we should start making things more secure’.

DCMS respondent

Given that the pandemic forced remote working en masse, you would assume that the low starting point in terms of remote working policies from last year (25%) would have been improved upon, yet it reduced slightly to 23%.

Basics are still lacking

Engagement with basic guidance from the National Cyber Security Centre (NCSC) and the Information Commissioner's Office (ICO) remains poor, running at circa 5% of organisations.

This will not be helped by the recent change to the NCSC 10 steps guidance, which has created guidance that amounts to over 160 items to consider, up from the 18 areas the old 10 steps guidance had within it.

For clarity, I also do not view the current Cyber Essentials regime as the solution to gaps between the basics and the new corporate security requirements for medium and large organisations. This is primarily due to poor engagement with Cyber Essentials from the respondents to the DCMS survey (4%), and the complex language used in the delivery of assessing the requirements to reach certification to Cyber Essentials.

Using a baseline such as Cyber Essentials on its own has its limitations in that only the risks generally considered by the Cyber Essentials scheme will be covered by its recommended controls.

They have not been designed to manage all cyber security related risks that your organisation may face

NCSC

The move to Cloud has its risks

Cloud services have underpinned the digital transformation within the UK, with recent surveys showing that 91% of organisations in the UK were reliant on it, 55% of organisations changed their IT strategy to increased use of Cloud and 88% expected to use the Cloud more.

It's therefore surprising to see that fewer organisations are assessing their supply chain (12%, down from 15%) and only slightly more (15%) are looking at the vulnerabilities in their estate.

There is therefore a compliance debt to be paid as we emerge from the pandemic into the new working environment; the question is how to do this.

Getting back to basics

The best way to address this debt is to start at the basics for cyber security and data protection as a benchmark, decide on the weaknesses to address and then map those to the wider requirements for cyber security and data protection within the organisation.

An example of this approach in practice is the guidance for internet first that I helped NHS Digital write. This recognises that the NHS Digital Data Security and Protection Toolkit (DSPT) hasn't been widely communicated amongst the NHS supply chain (who are category 3 organisations in that toolkit), and therefore it's better to start from a baseline which can be adopted and which, from my experience, addresses at least 80% of the attacks being seen against UK plc.

This approach has been made more problematic by the removal of the old 10 steps guidance, but the current 10 steps guidance provides an answer. The current guidance maps to the board toolkit for cyber security, which in turn provides the old infographic.


What next?

So you have now benchmarked, but what next? I discussed this earlier this year, but to recap:

  • Identify if/why you weren’t able to use your ISMS or BCMS to guide your actions during the pandemic and capture the actions to address the gaps. 
  • Identify all company data being uploaded to, and processed by, Cloud services. 
  • Consider what physical security and internet connectivity is available from the remote working environment and whether any further action is required to manage risks (i.e. how much do you rely on central systems in the office locations that aren’t there at the remote working location). 
  • Consider if changes are required to security policies. 
  • Consider what control you have over the data on personal devices and how much control you wish to have over the device (and what impact that might have on staff if you wipe the entire device). 
  • Ensure that you can extract the company data held within the Cloud services and you can obtain evidence that it has been deleted. 
  • Ensure that the company data held within the Cloud service isn’t used for anything other than your own purposes. 
  • Assess the endpoints and remote working solutions (i.e. Cloud, VPN etc.) against the GDPR 12 steps guidance for data protection. 
  • Assess the endpoints and remote working solutions (i.e. Cloud, VPN etc.) against the NCSC 10 steps guidance for cyber security. 
  • The above assessments will give you just over 30 areas to assess against, against which you should be able to assess your gaps as they stand in your use of remote working today and create a plan of action to address them. 
  • Look to ensure that all endpoints you use for processing company data are supported for the latest security updates (i.e. not older than an iPhone 6s or iPad Air 2 and with iOS 14 installed for iOS devices, no Android device earlier than Android 8.0 – Oreo, and really no Windows device not running Windows 8 or above).
  • Ensure that any endpoint not running iOS has anti-malware installed (which updates daily). 
  • Ensure that all endpoints have the latest updates applied. 
  • Ensure that you follow NCSC password guidance. 
  • Ensure that you are using two factor authentication (sometimes called Multi-Factor Authentication) enforced on any Cloud service you are using. 
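The endpoint checks in the last five bullets can be turned into a repeatable gap assessment over a device inventory. The script below is an added example, not part of the original article or any NHS Digital or NCSC material; it assumes a simple inventory record per endpoint (platform, OS version, anti-malware present, updates current, MFA enforced on Cloud services) and encodes the minimum platform versions the checklist names (iOS 14, Android 8.0, Windows 8) as the baseline. The inventory rows are constructed sample data.

```python
"""Gap assessment of a remote-working endpoint inventory against the checklist baselines."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Minimum major versions from the checklist above (iOS 14, Android 8.0, Windows 8).
# Single-element tuples so that "8" and "8.1" both compare as meeting a minimum of 8.
MIN_OS_VERSION = {"ios": (14,), "android": (8,), "windows": (8,)}


@dataclass
class Endpoint:
    """One inventory record (field names are an assumption of this example)."""
    name: str
    os: str            # "ios", "android" or "windows"
    os_version: str    # as reported by the device, e.g. "14.4", "8.1", "10.0.19042"
    anti_malware: bool  # anti-malware installed and updating daily
    updates_current: bool
    cloud_mfa: bool     # two-factor / MFA enforced on the Cloud services it reaches


def parse_version(text: str) -> tuple[int, ...]:
    """Turn '10.0.19042' or '8.1' into a comparable tuple of ints; unparseable text -> (0,)."""
    parts = re.findall(r"\d+", text)
    return tuple(int(p) for p in parts) if parts else (0,)


def assess(endpoint: Endpoint) -> list[str]:
    """Return the list of checklist gaps for one endpoint (empty list means compliant)."""
    gaps: list[str] = []
    os_key = endpoint.os.lower()
    minimum = MIN_OS_VERSION.get(os_key)
    if minimum is None:
        gaps.append(f"unknown platform '{endpoint.os}': vendor support cannot be confirmed")
    elif parse_version(endpoint.os_version) < minimum:
        gaps.append(f"{endpoint.os} {endpoint.os_version} is below the minimum of {minimum[0]}")
    # The checklist only exempts iOS from the anti-malware requirement.
    if os_key != "ios" and not endpoint.anti_malware:
        gaps.append("no anti-malware with daily updates")
    if not endpoint.updates_current:
        gaps.append("latest security updates not applied")
    if not endpoint.cloud_mfa:
        gaps.append("MFA not enforced on Cloud services")
    return gaps


def gap_report(inventory: list[Endpoint]) -> dict[str, list[str]]:
    """Map each endpoint name to its gaps, so the plan of action can be built per device."""
    return {e.name: assess(e) for e in inventory}


# Constructed sample inventory for illustration only.
SAMPLE_INVENTORY = [
    Endpoint("finance-laptop-01", "windows", "10.0.19042", True, True, True),
    Endpoint("sales-phone-07", "android", "7.1.2", False, True, False),
    Endpoint("exec-ipad", "ios", "13.7", False, True, True),
    Endpoint("contractor-pc", "windows", "7", True, False, True),
]

if __name__ == "__main__":
    for name, gaps in gap_report(SAMPLE_INVENTORY).items():
        status = "OK" if not gaps else "; ".join(gaps)
        print(f"{name}: {status}")
```

Running the script prints one line per endpoint, with compliant devices marked OK and the others listing each gap; the same dictionary can be exported to feed the plan of action in the bullet about the 30 assessment areas.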

What should I consider for the medium term?

Depending on whether you intend your move to the Cloud to be permanent, the following guidance areas are very useful:

Summary

There is a tendency to look beyond the governance and just implement more compliance, but the reality is that the technical landscape pre-pandemic will likely have changed beyond measure post-pandemic.

Organisations that look at the information they are processing, the lessons to be learned from failings in their compliance regime and reboot by checking against the basics will be the ones who will address their compliance debt soonest.

If you enjoyed this and want further reading, then look at my other articles.

The importance of a common framework

Looking beyond the hype of the BA fine

The first GDPR fine is in – and it’s not Cyber related!

Is the Cloud forecast getting clearer?
