July 7, 2017 Cyber security awareness
How cyber–secure is your business?
If online security is something which you have traditionally assumed is covered by your IT department or contractor then you may need to think again. Cyber security is as much your responsibility as a director as any other form of risk management or oversight. And it’s no good thinking that ‘it won’t happen to me’. As recent headlines have shown hackers are increasing their expertise and breaking through into businesses which were previously considered to be impregnable.
And if you thought that the cost of being hacked would simply be in terms of replicating data and contacting customers then think again. In June 2017 the Information Commissioner’s Office (ICO) issued a fine of £60,000 to Boomerang Video in respect of a security breach in December 2014. The data records of more than 26,000 customers were obtained thanks to a combination of a simple code being left on the login page and one line of data containing an easily identified password based on the company’s name.
In making its determination the ICO found in particular that the company:
- failed to carry out regular penetration testing on its website. Had it done so it should have detected the error almost as soon as the website had been put into use
- failed to ensure that its website password was sufficiently complex
- failed to keep the decryption key secure from the chance of hacking
As a result of the hack the ICO also found that the nature of the data breach was likely to cause customer distress as well as exposing customers to potential fraud. Whilst the ICO commissioner investigating the case did not consider that the company deliberately contravened the data protection act, they did consider that the company should have been aware of the problems had there been a hack and therefore should have taken reasonable steps to secure the data.
Directors have a duty to exercise reasonable care, skill and diligence. Whilst they may take advice from internal and external experts, at the end of the day it is their responsibility to ensure that risks are appraised and appropriate actions taken. Sometimes this means asking the ‘what if’ questions such as what if our website is hacked or what if customer data is lost. It also means not taking responses, particularly they are glib, at face value. Technology is moving fast and what may have been secure even a year ago may now be an open book. How cyber secure is your business? If you haven’t checked recently then it may not be secure at all.