James Wickes of Cloudview believes regulators need to take steps to sharpen senior managers’ focus on cybersecurity
Cybersecurity is constantly in the headlines for all the wrong reasons.
Earlier this month, we heard that all 200 UK NHS Trusts that have been assessed so far failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, which was the vulnerability that led to the WannaCry ransomware attack. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.
You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, the large fines (€20m or 4% of global revenue) for a privacy breach will apply to the organisations concerned and will not affect their leaders.
After the TalkTalk cyberattack, its then chief executive Dido Harding may have had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81m in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether. The attack cost TalkTalk £60m and 101,000 customers.
The public sector holds even more personal information, from our tax details to our medical records. However, public sector leaders will simply blame a lack of resources for not being able to implement effective security standards, and the problem will become a political football rather than a security issue. Meanwhile, nothing will change, and both our data and the services we rely on will remain at risk.
There have been some suggestions that penalties for a cyber breach should apply to executives too. After investigating the massive cyberattack on TalkTalk, the select committee on Media, Culture and Sport recommended that a portion of CEO compensation should be linked to effective cybersecurity. This would have implications for anyone who leads an enterprise and has legal responsibility for its behaviour – be it private or public, big or small.
They then made another recommendation which has even more serious implications, saying: “We concur with the ICO that, whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.”
So, if these recommendations were to become law, executives could lose money if they were judged not to have ensured the necessary cybersecurity – and could even go to jail.
Despite this, 18 months later we have seen no sign of these recommendations becoming law, and security breaches continue to occur with alarming regularity.
In my view, hitting public sector executives hard in their pocket may be the only way to make them take cybersecurity seriously. Their job is all about balancing risk and reward. For whatever reason, they appear to be choosing not to take the risk of a cyberattack seriously, and are focusing their attention and budgets on other issues.
In the private sector, at least customers can vote with their feet and take their business elsewhere, potentially affecting an organisation’s bottom line. However, where public sector services are concerned we have no choice. Each service, from council tax to health, is a monopoly. So, we have to rely on regulators to protect us.
It is about time that they woke up and hit those running our public services in the only place they will feel it – their pockets.