Security Compliance
IT or data security compliance with legal requirements should be viewed as an absolute minimum for organisations today.
Adhering to the GDPR and other recent legislation is a good start, since it may help your organisation avoid heavy fines or penalties, but is ticking boxes really enough?
The wording used in legislation is often vague and leaves a fair amount of leeway in interpretation when fines and penalties are applied. It therefore makes good business sense to ensure that the security measures you apply exceed, rather than merely meet, the legal requirements.
As a society we are entering the Fourth Industrial Revolution, the latest phase of the Information Age: a convergence of technologies spanning hardware, software and biology, with an emphasis on advances in communication and connectivity.
Organisations today are collecting and storing an enormous amount of data. Much of this data is provided either implicitly or explicitly by customers, staff and other external third parties and may be personal or confidential in nature. This data needs to be protected from theft and corruption by cyber criminals!
Cyber criminals are persistent and innovative. The techniques they use are forever evolving, and they will always remain ahead of slow-moving legislation designed to stop them. It is imperative to have your IT security assessed on an ongoing basis; cyber security is not a one-off activity.
It is the social responsibility of companies to go beyond the minimum legal requirements and ensure that the data they collect and store is not merely "legally secure" but as secure as it can be. We need to set a higher standard of internal compliance. Cyber criminals do not care about legal minimums.
The question we need to ask is not "Are we compliant?" but "Are we secure? Is our data as safe as it can be from the latest threats?" That question forces us to pause and reflect on another: "What are the latest threats?" We cannot defend against the unknown.
What Types Of Privacy Data Does The GDPR Protect?
- Basic identity information such as name, address and ID numbers
- Web data such as location, IP address, cookie data and RFID tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
Information Security Is NOT An IT Responsibility:
Information and data security are separate concerns from your day-to-day IT issues. Think of your data as a library: the librarian is responsible for tracking, sorting and storing the collection, but you would not expect the librarian to be the security guard as well.
To truly understand your current data security vulnerabilities, you will need the services of an independent cyber security specialist. Even if you have an internal CSO, an independent, neutral set of eyes is always a good idea.
Why Is IT Security Compliance Important?
A data breach or hack may not only have immediate financial implications but could also result in further repercussions from which your organisation may never recover.
Under the GDPR, a personal data breach must be reported to the supervisory authority (the Data Protection Commissioner) without undue delay and, where feasible, within 72 hours of the organisation becoming aware of it, unless the breach is unlikely to result in a risk to the individuals affected. Once reported, news of the breach may reach the public domain, leading to loss of reputation and future business, as the findings of the RSA report below illustrate.
An alarming statistic for companies that deal with consumer data is that 62% of respondents to the RSA report said that, in the event of a breach, they would blame the company for their lost data rather than the hacker. This is a clear message from your customers: if we give you our information, we expect YOU to keep it safe.
The report also shows that consumers will not easily forgive a company once a breach exposing their personal data occurs. 72% of US respondents said they would boycott a company that appeared to disregard the protection of their data. Can your organisation afford to lose 72% of its customers?
Fifty percent of all respondents said they would be more likely to shop with a company that could prove it takes data protection seriously. Going above and beyond the legally required minimum is therefore also a powerful marketing message that your organisation can leverage.
According to the report, 41% of respondents said they intentionally falsify data when signing up for services online, citing security concerns, a wish to avoid unwanted marketing, and the risk of their data being resold as their main reasons. We need to be open and honest with clients about what information we collect, why we need it, what we do with it and how we keep it safe.