Imagine this. You’re the Chief Information Officer for a well-known SME with big ambitions. You have a small team of superb, highly qualified network administrators who have built and manage networks and systems for your staff and customers that are tighter than an eggshell around the yolk. But you still get a security breach. How did it happen? Maybe it was a burglary – your premises are insecure. Or a trick – your staff are poorly trained and fell for it. Could it have been an insider – a disgruntled employee, a gleeful final act on their last day?
Was it caused by one of your suppliers – their own systems, staff and standards are not as good as yours, and the process of supplier selection and management did not iron out the wrinkles? Or perhaps it was simply waiting to happen – your data handling standards, policies and processes had blind spots. This isn’t a comprehensive list, and it isn’t intended to be. The purpose is to illustrate a key point: there are so many more factors that influence IT “security” in a connected world than just the “cyber” ones.
The likes of Sony (PlayStation), Experian/T-Mobile and, more recently announced, TalkTalk and Yahoo, know from bitter experience that although sometimes it is the tech that fails, cyber security is often breached by non-technical, mundane means.
Seeing the bigger picture
The first task for an SME is to step back from the “cyber” and make sure the organisation understands the full scope of the issue. If you don’t fight the battle on all fronts, you’re particularly likely to lose on one of the fronts that you neglect. The next challenge for SMEs is to find a way of seeing the big picture. Almost all SMEs will need to look outside their own organisation for advice and guidance.
Currently there is not a well-defined market of specialist advisers, and this is partly because both “cyber” and “security” are multi-disciplinary areas where the various experts are still in the process of “linking arms” and seeing themselves as a distinct market. The areas of expertise include IT security, information management, insurance, regulatory and legal. It would be tempting (and all too easy) in the current market for SMEs to lock onto just one of these areas of expertise to try and manage cyber security risk. Input from a well-chosen specialist will always be worthwhile, but it is unlikely to provide a fully rounded solution.
SMEs can play a crucial role by generating demand for a “one stop shop” service. In the meantime, the solution is probably to carefully select a small network of internal and external advisers and peers to help you paint the big picture, and to have them either work as a team or contribute one at a time. You probably won’t achieve a complete inoculation. The end in view is more like a comprehensive healthcare plan that sets out to achieve prevention, but swings into action to provide the right measures at the right time if something gets through the defences.
Crucially, it needs to be a plan that supports stakeholders (such as data subjects under data protection law) and satisfies them – and the ever-stricter regulators – that the SME is focused on minimising the risks for data subjects, not the SME.
Why have experts not fully “linked arms” for SMEs before now? There is probably a combination of factors at work. Some questions immediately come to light if an SME suffers a cyber security breach. Is the breach recognised for what it is – a violation of law with a victim who suffers loss (of privacy, information, IP, competitive advantage or money)?
Do the victims detect the breach or have any way of checking or knowing, unless they’re told? Do regulators or law enforcers detect the breach if they are not notified? Did a large percentage of UK SMEs receive enforcement action last year? The answer to each of these questions is no, and the result is that cyber security risk still feels like it’s contingent risk. It gets rationalised: there are higher priorities for this year’s budgets; these are risks that normally crystallise on somebody else; the majority of customers don’t complain; the off-shore parent company doesn’t understand the risk – the list goes on. The net, however, is closing in.
Under new EU data protection laws, self-reporting of data security breaches will be mandatory (currently, the official position is that it is voluntary, although in practice there are a number of factors to consider and in many circumstances self-reporting is a good plan). The UK Information Commissioner would like UK law to align with the EU, even after Brexit. Also, in a pincer movement, users and regulators are starting to find the links between undetected or unreported SME cyber breaches and “bad stuff happening to ordinary people”. The net result is that ignoring cyber security risk and breaches is increasingly not an option. The major risk resulting from a security breach has always been damage to reputation and goodwill.
Except for industries where security is key (banking, for instance), the risk can often be contained with a well-managed and swift response to breaches. The headline-grabbing risk is regulatory penalties, currently up to £500,000 in the UK but shortly to rise to a maximum of 4% of global turnover or €20 million (£17 million) under EU law from May 2018.
In practice the real cost at the moment is in management time spent picking up the pieces. Compensation claims by data subjects are rare in the UK but could be a stalking tiger as the law develops and consumers become more aware of data and security risks. Under the new EU laws, which the UK may well align with, contractors will have direct legal duties and liabilities to data subjects for the first time.
Innovation through regulation
Looking to the medium-term future, with regulators currently looking closely at RegTech, I do wonder whether the IT and data equivalents of road traffic cameras and speed cameras are far away. It sounds far-fetched until you consider that SMEs in some sectors already have that kind of monitoring in place. Insurers, for example, have for a long time had systems that can determine whether staff should have consulted the electronic records that they accessed during the working day, and successfully catch staff “having a look” at records without cause.
Under current UK law “having a look” is a criminal offence, and constitutes a cyber-security breach. Do your staff know that, and do your systems monitor and enforce the red line effectively? Do your SME’s systems have this kind of monitoring lawfully built into them? If you want a server to stay up night and day, you will naturally put in place monitoring of its vital signs, plus failover provision. In many sectors and organisations, however, there may not yet be buy-in for effective monitoring on non-IT cyber security risks.
As SMEs get a stronger grip on the sector-specific requirements for effective cyber security, they will, like insurers, develop specific monitoring measures (plus structured procedures and reporting that must swing into action when a line is crossed), while also dealing constructively, not punitively, with human error.
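One way to implement the kind of “should this person have consulted that record?” check described above, as an added example that is not part of the original article and not any insurer’s actual system: compare each entry in a record-access log against the work assigned to that member of staff, flag accesses with no matching assignment, and additionally flag users who page through several unjustified records in quick succession. The log format, the user and policy identifiers, the assignment list and its date windows are all constructed for illustration and are assumptions, not anything taken from the article.

```python
"""Flag electronic-record accesses that have no matching work assignment.

Added example (not from the original article). All data below is
constructed for illustration; the CSV log format, the user ids, the
record ids and the 'assignment window' notion are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed access log: timestamp (UTC), staff user id, record id, action.
ACCESS_LOG = """\
2017-03-06T09:02:11Z,jsmith,POL-10021,view
2017-03-06T09:15:40Z,jsmith,POL-10022,view
2017-03-06T10:01:05Z,adoe,POL-20910,update
2017-03-06T12:47:33Z,adoe,POL-10021,view
2017-03-06T13:05:19Z,adoe,POL-77781,view
2017-03-06T13:05:21Z,adoe,POL-77782,view
2017-03-06T13:05:22Z,adoe,POL-77783,view
"""

# Constructed assignment list: records each user is working on, with the
# inclusive date window (YYYY-MM-DD) in which that work is authorised.
ASSIGNMENTS = {
    "jsmith": {"POL-10021": ("2017-03-01", "2017-03-31"),
               "POL-10022": ("2017-03-06", "2017-03-10")},
    "adoe": {"POL-20910": ("2017-02-20", "2017-03-20")},
}


def parse_log(text):
    """Parse the CSV access log into a list of event dicts, in file order."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, record, action = line.split(",")
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "user": user,
            "record": record,
            "action": action,
        })
    return events


def is_authorised(user, record, ts, assignments):
    """True if the user had an assignment covering this record at time ts."""
    window = assignments.get(user, {}).get(record)
    if window is None:
        return False
    start = datetime.strptime(window[0], "%Y-%m-%d")
    # End date is inclusive, so authorisation runs until the following midnight.
    end = datetime.strptime(window[1], "%Y-%m-%d") + timedelta(days=1)
    return start <= ts < end


def find_unjustified_access(log_text, assignments):
    """Return the events that have no matching assignment, in log order."""
    return [e for e in parse_log(log_text)
            if not is_authorised(e["user"], e["record"], e["ts"], assignments)]


def burst_by_user(events, window_seconds=10, threshold=3):
    """Users who open at least `threshold` unjustified records within
    `window_seconds`; returns {user: largest count seen in one window}."""
    by_user = defaultdict(list)
    for e in events:
        by_user[e["user"]].append(e["ts"])
    flagged = {}
    for user, stamps in by_user.items():
        stamps.sort()
        best = 0
        for i, start in enumerate(stamps):
            # Count events from i forward that fall inside the sliding window.
            count = sum(1 for t in stamps[i:]
                        if (t - start).total_seconds() <= window_seconds)
            best = max(best, count)
        if best >= threshold:
            flagged[user] = best
    return flagged


def report(log_text=ACCESS_LOG, assignments=ASSIGNMENTS):
    """Human-readable summary for the review procedure the article calls for."""
    events = find_unjustified_access(log_text, assignments)
    lines = [f"{e['ts']:%Y-%m-%d %H:%M:%S} {e['user']} {e['action']} "
             f"{e['record']}: no assignment found" for e in events]
    for user, count in burst_by_user(events).items():
        lines.append(f"{user}: {count} unjustified records opened within "
                     f"10 seconds (browsing pattern)")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report())
```

The assignment list is the piece that makes the check meaningful: an access log on its own only tells you who looked at what, and it is the link to a legitimate reason (a case, a claim, a ticket) that turns a log into evidence. Whatever the “line” is in your sector, the flagged output feeds the structured procedure and reporting the article says must swing into action when it is crossed, with a human reviewing each flag before any conclusion is drawn.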
As an IT and data lawyer I sit in just one of the relevant pools of expertise referred to above. I suspect that a well-rounded and effective set of cyber security measures is within the grasp of most SMEs, and at a sensible budget. One of the single most effective things you can do is provide effective and regular training for staff, supported by updated and fleshed-out policies that set clear standards and boundaries. The aim is to build cyber security awareness into the culture of the SME.
A spotlight on cyber security doesn’t work. We want floodlights: 200 pairs of well-trained eyes. This requires some planning, because some of the popular training packages out there are generic and ineffective. Deploying practical, sector-specific and role-specific training for the SME’s staff can go a long way. I also think there may be an increasing role for insurance as SMEs and their insurers get to grips with the risk.
Like customer experience, user experience and information management, cyber security is one of those rare IT-rooted areas of practice that provide a clear opportunity for IT professionals to provide strategic leadership at the highest level within the SME, reaching well outside the boundaries of the conventional IT function. There’s every reason for you to grab the bull by the horns.
David Hall, Senior Associate, Mills & Reeve