The UK Department for Business, Innovation and Skills (BIS) has issued guidance for companies on how to address cyber risks.
The guidance follows recent developments in this area, namely Governments stepping up their own security policies and the European Commission considering risk management strategies.
Cyber attacks occur where an individual's or organisation's technology is attacked by a third party, resulting in damage to the website or technology or an interruption to the individual's or company's business. The damage frequently includes the loss of personal data. Cyber attacks may also result in reputational damage to the organisation concerned, particularly where the breach results in the loss of personal data.
A further risk to individuals or businesses which have suffered a cyber attack is the potential exposure of an underlying failure to implement appropriate security measures. Implementing appropriate security measures to protect personal data is a requirement of the Data Protection Act 1998. A failure to do so could result in being fined by the Information Commissioner.
The BIS guidance aims to help companies develop information security strategies by posing pertinent questions to the board of directors. The guidance is broken into 3 parts:
- High level guidance which sets out 6 questions for the CEO and boards focusing on key strategic issues;
- More detailed guidance which points out that the threat does not necessarily originate from cyber criminals but may come from employees of the company concerned, and may include non-technical attacks such as social engineering (where staff are tricked, by phone calls or emails, into allowing access to otherwise secure systems). The detailed guidance recommends improving security in 10 key areas;
- The third part of the guidance contains more detailed advice in relation to the 10 security steps.
The aim of the guidance is to prevent incidents rather than to cure them and should be welcomed by companies trying to navigate their way through the minefield of Data Protection Regulation.