Public sector executive pay should be linked to cybersecurity
James Wickes of Cloudview believes regulators need to take steps to sharpen senior managers’ focus on cybersecurity
Cybersecurity is constantly in the headlines for all the wrong reasons.
Earlier this month, we heard that all 200 UK NHS Trusts assessed so far had failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, the very weakness that WannaCry exploited: the ransomware spread through systems that had not been updated with a fix already available before the attack. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.
You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, its large fines (up to €20m or 4% of global annual turnover, whichever is higher) for a data protection breach will apply to the organisations concerned and will not touch their leaders personally.
After the TalkTalk cyberattack, its then chief executive Dido Harding had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81m in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether. The attack cost TalkTalk £60m and 101,000 customers.
The public sector holds even more personal information, from our tax details to our medical records. However, public sector leaders will simply blame a lack of resources for not being able to implement effective security standards, and the problem will become a political football rather than a security issue. Meanwhile, nothing will change, and both our data and the services we rely on will remain at risk.
There have been some suggestions that penalties for a cyber breach should apply to executives too. After investigating the massive cyberattack on TalkTalk, the Commons Culture, Media and Sport select committee recommended that a portion of CEO compensation should be linked to effective cybersecurity. This would have implications for anyone who leads an enterprise and has legal responsibility for its behaviour, be it private or public, big or small.
They then made another recommendation which has even more serious implications, saying: “We concur with the ICO that, whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.”
So, if these recommendations were to become law, executives could lose money if they were judged not to have ensured the necessary cybersecurity, and could even go to jail.
Yet 18 months on, we have seen no sign of these recommendations becoming law, and security breaches continue to occur with alarming regularity.
In my view hitting public sector executives hard in their pocket may be the only way to make them take cybersecurity seriously. Their job is all about balancing risk and reward. For whatever reason, they appear to be choosing not to take the risk of a cyberattack seriously, and are focusing their attention and budgets on other issues.
In the private sector, at least customers can vote with their feet and take their business elsewhere, potentially affecting an organisation’s bottom line. However, where public sector services are concerned we have no choice. Each service, from council tax to health, is a monopoly. So, we have to rely on regulators to protect us.
It is about time that they woke up and hit those running our public services in the only place they will feel it – their pockets.