The compliance landscape within the UK can be confusing.
GDPR, ISO27001, Cyber Essentials and PCI are just a small selection of the compliance regimes pertaining to data security, so which one should you choose?
The additional overhead and burden on an organisation's processes and procedures, coupled with the financial impact, is enough to put many organisations off embarking on any compliance journey. Also, lest we forget, achieving compliance does not mean your organisation is secure, so why bother!
Cast your mind back to 2007 and the breaking news that two CDs had been left on public transport containing 25 million Child Benefit claimants' details. This was the first of several high-profile data breaches that focused not just government, but all organisations, on the importance of data security and the need to achieve compliance. Fast forward 5 years to 2012 and, after many more high-profile breaches, the Information Commissioner's Office [ICO] announced sweeping powers and huge fines [originally €600k] of up to €10m or 2% of turnover, rising to €20m or 4% of turnover, for organisations who ignore data security and compliance and go on to suffer a data breach.
The fine imposed on Facebook for the Cambridge Analytica scandal in 2008 was £500,000 and was dwarfed by the £183m fine imposed on British Airways for 'poor security standards' leading to the compromise of over 500,000 customers' details, demonstrating the increased focus on the importance of data security. The ICO certainly has teeth; something that should focus the minds of any board of directors.
The UK government has done a lot to promote IT security and compliance in recent years. The National Cyber Security Centre (NCSC) 10 Steps to Cyber Security was first published in 2012 and is followed by many organisations, including the majority of the FTSE350 companies. Formal certification in the form of Cyber Essentials and Cyber Essentials Plus was launched in 2014 and soon became the baseline for organisations wishing to trade with any public sector organisation.
Whilst NCSC's 10 Steps to Cyber Security, Cyber Essentials and Cyber Essentials Plus focus on the organisation's IT systems, processes and procedures, more detailed compliance standards such as ISO 27001 focus not just on the internal IT systems, buildings, people and processes, but also on the services that are re-sold. Originally launched in 2005 as BS7799, it was adopted and re-launched in 2007 as ISO27001 and has now become the baseline for any IT service provider.
Ok, so besides the threat of huge and potentially crippling fines, why should organisations bother? After all, compliant does not necessarily mean secure!
Compliance requires standards to be followed and processes to be in place, measured and evidenced on a regular basis. This in turn drives behaviour and ultimately creates a culture that adds significant value to the overall security posture of the organisation. Surely this is the real reason for compliance.