• International Workplace
  • 23 May 2017

Cyber security: a people problem?

The global ransomware attack on thousands of private and public sector organisations across dozens of countries on Friday 12 May has been called the ‘largest ransomware attack observed in history’, causing hundreds of NHS operations to be cancelled, patients turned away from A&E at hospitals across the UK, and the safety of patients’ personal information to be put under threat.

As the NHS gradually gets on top of the disruption, questions are being raised as to who, or what, is responsible and what could have prevented this.

There are steps that all types of organisation can take to ensure cyber safety and, therefore, adhere to data protection laws. The National Cyber Security Centre recommends:

  1. Keep your organisation's security software patches up to date.
  2. Use proper antivirus software services.
  3. Most importantly for ransomware, back up the data that matters to you, because you can't be held to ransom for data you hold somewhere else.

When storing personal information, employers need to ensure that not only is the management system secure, but that people are using it properly. Many people believe that cyber security is a people, rather than a systems, problem. underlines the importance of the human factor in cyber security, in that cyber attacks still rely heavily on human interaction. “Social engineering is a common component of attacks using various techniques to trick people into clicking on malicious links and attachments,” it says.

“While people have long been seen as the weakest link in IT security through lack of risk awareness and good security practice, the people problem also includes the skills shortage at a technical level, as well as the risk from senior business stakeholders making poor critical decisions around strategy and budgets.”

Employers need to ensure that staff are trained properly, and be aware that there are many upcoming changes to the laws relating to data protection. These new laws will change how we collect, store and use data. For some, much work will be required, for example, a need to check consent notices to ensure they are compliant or putting in place data breach notification procedures where the new mandatory rules apply to them. For many, the new rules, which are fast approaching, will come as a surprise.

Primarily the changes will come from the Digital Economy Bill, the General Data Protection Regulation (GDPR), and the proposal of the new Privacy and Electronic Communications Regulations (PECR). More information is available in our recent blog.

Meanwhile, BSI, the business standards company, has updated its standard for data protection. BS 10012:2017 Data protection – specification for a personal information management system was developed to provide best practice guidance for leaders responsible for the management of personal information.

The revised standard specifies requirements for an organisation to adopt a personal information management system (PIMS). PIMS provides a framework for maintaining and improving compliance with data protection requirements. The standard is also intended to provide clear guidance for internal and external assessors on assessing compliance with data protection requirements.

The Standard is applicable for organisations of all sizes and sectors. Changes from the 2009 version of BS 10012 include a new definition of personal and sensitive data, restrictions on profiling using personal data, and new administrative requirements for data privacy officers.