Posted on July 24, 2019 by Samantha Baidoo
In the final episode of Cyber Chat, Rob May discusses the scale of the cybersecurity problem and how important it is for organisations and individuals.
Managing the ongoing cybersecurity of your IT infrastructure should be a primary concern – whatever the shape or size of your organisation. Cybersecurity breaches are the number one threat in today’s business landscape. Incidents come in many forms: cyber attacks; laptops left on trains; malicious staff; or, even more simply, accidental data loss caused by human error. The human firewall is vital as a line of defence for any organisation, and in this video Rob, author of The Human Firewall (available on Amazon), explains what the Human Firewall is.
Since the filming of this Cyber Chat episode, the conclusion to the British Airways breach has been released (8th July 2019).
BA are actually being fined £183 million, which is only 1.5% of their global turnover for 2017 (this equates to £4 per annual passenger).
Cyber security is so important for any organisation and non-compliance is a costly business!
Cyber Chat – Episode 19 – Video Transcript
Hi, I’m Rob May. I’m MD of ramsac and welcome to Cyber Chat. So why does cyber security matter?
I think the thing that people need to be aware of is that as of May 25th, 2018, the law changed and GDPR became the new way in which we operate.
A big part of GDPR is cyber security. And lots of businesses have missed that; lots of businesses are focusing on the marketing side of it and the rights to hold people’s data. But most businesses will be more impacted by cyber security under GDPR than they will by the mishandling of the right to be forgotten, for example.
So, what’s happened since GDPR started?
I think it’s interesting to point out that in the build-up to GDPR, the poster child for data breaches was TalkTalk. People talked about the fact that TalkTalk could receive the largest fine ever. Under the Data Protection Act, the maximum fine was £500,000; TalkTalk were fined £400,000. But not only that, their CEO, Dido Harding, lost her job. But the point was made that the fine under GDPR was going to be much, much greater than that, at 4% of global turnover. But not only that, Dido Harding might not just have lost a job, she might have gone to prison. Now, in the first sort of 6 months post GDPR, there were 70 prosecutions. Most of those prosecutions are still under the Data Protection Act.
The very first one was the Bible Society, and a few people raised their eyebrows at that. So the Bible Society, they got fined. Their data breach wasn’t an attack. It was a lost device. It was a member of staff who lost their device and that device had data on it. That triggered an audit from the ICO, and it was found their database had a default username and default password on it. And they got a fine of £100,000.
Since then, we’ve had the National Association of Head Teachers. That was an interesting one. Their fine was because somebody in the marketing team sent out an email and they put the entire distribution list in the CC field. Now, we’ve all seen those emails, but somebody complained to the ICO that their email had been distributed and they received a fine of £50,000.
So, these are really simple things that we can do. But do people in your team, the people in your business, understand that this is an issue?
Uber had received a huge fine, so they were fined £900,000. Again, still under the Data Protection Act. Of that 900 [thousand], 385 [thousand] of it came from the ICO in the UK. The rest came from Denmark. But the ICO made the point that, had this fine happened under GDPR, the fine could have been £17,000,000. That’s huge.
The biggest one, though, that we’re all waiting on is British Airways. Because the British Airways breach most definitely happened under the realm of the new GDPR law. And this was a huge cyberattack. It was believed to be the same team who did the Ticketmaster breach, but it was a 15-day hack, 380,000 people had their card details stolen, there were 3 days of cancelled flights and it was huge!
I think the thing to be aware of is that in 2017, British Airways’ turnover was £12.2 billion. 4% of 12.2 billion is circa £500 million, so a lot of the red top newspapers sort of came out and said “British Airways to face £500 million fine”. I don’t believe that will be the case on the face of it.
British Airways have responded appropriately, they came out immediately, the CEO has made statements and so on. The only thing I’ve not seen comment on in any of the press coverage is DPIAs. So, under GDPR you have a requirement to do a data protection impact assessment, DPIA.
DPIA is looking at:
What could go wrong?
What would be the impact on client data?
And what are we doing to mitigate that now?
All of the things that you do to mitigate a breach also mitigate your potential fine. So, whilst on the face of it what British Airways have done all looks to be good, the only thing I’m unaware of to date is DPIA.
You know, one of the reasons that cyber is so important to you is the cost of noncompliance is just massive compared to the cost of compliance.
So, you need to take it seriously.
I hope that’s useful and I look forward to talking to you again soon.