Why Data Security starts in the Boardroom, not the IT Department

Wayne Harris, Compliance Officer at ITCS shares his monthly IT security blog – this month, he talks about information security and the part the boardroom must play in the security of your data.

Who is responsible for Data Security?

When I ask the question ‘who is responsible for data security at your organisation?’, without a doubt, the number one response given is ‘the IT department’.

However, if you think about it, data isn’t only about computers. Yes, it is the IT department who manage where electronic information is stored and how it is secured, but information security is also about how people access data, how they share it and with whom – and let’s not forget about hard copies, often carelessly left on a printer or face up on a desk.

The C-Suite cannot dismiss this important responsibility as an ‘IT issue’. Information security must be dealt with in the boardroom, and should be a regular item on the agenda. It is only through top-led risk management that you can implement a robust information security management system. After all, if your senior management don’t understand the importance of compliance, how can you expect your shop-floor users to implement and adhere to the requirements?

A clear understanding of what is expected must be communicated throughout the organisation, and that involves co-operation between the C-Suite, HR leaders, marketing and the other heads of department – as well as IT.

What should Leaders do?

As a minimum, we suggest that you include the following in the management meeting agenda at least quarterly:

  • Current risk environment
  • Suitability of current technical prevention/detection solutions
  • Information audit (Do you know what information you hold, and is the correct security applied to protect it?) – annual agenda item
  • Data backup and recovery (Is all of your data protected? Include the backup testing schedule, and whether the DR solution is still fit for purpose)
  • Staff communication and training
  • Breach reporting (include near-miss reporting and security reports)

What changes will GDPR bring?

As many leaders are already aware, the requirements for data breach reporting are changing with the implementation of the new GDPR legislation. Organisations will be required to report a personal data breach to the supervisory authority (the ICO in the UK) within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals, or face additional financial penalties.

Along with the new rules comes an increase in the potential penalties for a breach, which could reach a new upper limit of €20 million or 4% of annual global turnover – whichever is higher. Board members cannot afford to assume that ‘the IT department’ are managing the risk, and training key staff in secure data practices will be vital.

If you have been the victim of a cyber-attack, and the personal data you are responsible for is encrypted by one of the ransomware variants, the Information Commissioner’s Office may take the view that you have not taken appropriate measures to keep it secure. Even if you are able to recover your data, the ICO may still look at the circumstances of the case to determine whether or not there were appropriate measures in place that could have prevented the attack from succeeding.

How are ITCS supporting customers through the changes?

ITCS have an experienced team of data security specialists who have worked with clients to help them secure their network infrastructure. As well as providing GDPR advice, we are able to take clients through cyber accreditations and implement robust DR and BCP solutions, including data recovery and scenario testing – and we are offering clients a free security overview.

We are also running a series of courses on IT security and compliance with the new GDPR regulations. A limited number of free places are available for existing ITCS clients, and paid places for non-clients are only £35.

Clients can book up to two free places online. If you have any questions or concerns about computer security, please don’t hesitate to contact the ITCS support desk on 08456 444 200.