Box ticking: is it enough?
Posted on 2nd July 2019 at 15:00
The Most Asked Question
As GDPR/Cyber Compliance Specialists, this is the most common question we are asked:
What can we do to protect our business from cyber crime?
We are always happy to help and offer appropriate advice, but this is what typically happens:
We ask about your business (if we don’t already know).
We ask about the technology you currently use.
We ask about the steps you currently take to protect yourself: security software (anti-virus), backups and so on.
We consider the answers for a minute or two and think about what would be appropriate.
We offer some possible options and suggest a site visit, which would help us provide the best solution.
The response may be something like this:
"Really? That seems a little expensive. We will leave it for now." And off they go.
This is obviously an extreme case, but it demonstrates the point concisely: most people assume that the cost of protection should be the main consideration, when the real question is the value the protection offers. Those are two very different strategies.
Is it tick box time?
"Let's say we watch a documentary on brain surgery. We now have an idea of what is involved: how the operation is performed and the possible outcomes. However, we should never consider grabbing a few tools and having a go at brain surgery on our best friend who has been complaining of headaches."
Sadly, after our conversation it is very common for people to think that the expertise of a GDPR/Cyber Compliance Specialist is easy to replicate, that they don't need one, and that they can use Google to find solutions to tick their boxes and complete the steps they think are required.
The problems with going it alone and just ticking your boxes are as follows:
You will have no way of knowing whether the tools you select offer appropriate protection for your business.
You will not know whether, in the event of an incident, you will be able to recover your business and continue to trade.
You may already have compromised your systems during the tick box exercise itself, by visiting compromised websites found through a search engine.
GDPR Appropriate Measures
On 25 May 2018 the GDPR (General Data Protection Regulation) became enforceable. GDPR is the data protection regulation adopted across the EU, and its rules change the way we, as individuals and businesses, must protect the data we hold: we are required to take "appropriate technical and organisational measures" to protect it (Article 32).
GDPR makes it a legal obligation to take these appropriate measures within our organisations so that the data we hold is protected.
In simple terms, GDPR is not asking us to do anything new. The major difference is in the consequences of not taking the appropriate measures, or of being found wanting in our data protection policy. Both will be costly (fines can reach €20 million or 4% of worldwide annual turnover, whichever is higher) and are therefore not recommended.
The consequences of continuing with this rather limited approach to cyber attack and data protection are severe. Worse, you will have missed one MAJOR step: understanding what data you hold, where it is, and which of it needs protecting. Only once you know that can you take appropriate measures and actually comply with GDPR.
The Costly Truth
Option A: By reviewing your requirements we understand your needs and recommend appropriate solutions, allowing you to spend a comparatively small amount of money on implementing appropriate measures to protect your business. In the long term the costs will be minimised, understood and managed.
Option B: You do not understand your business requirements, you purchase inappropriate solutions and take unplanned steps. Initially you will save money.
However, should you suffer an attack (and it is very likely that you will), the costs of rectifying the incident are likely to be high and will consist of some or all of the following:
Possible fines and enforcement action from regulatory bodies.
Loss of reputation.
Loss of customers due to the attack.
Possible claims and litigation from your customers.
You will still have to implement the appropriate measures you should have had in the first place.
You may actually cease to trade.
We are sure you will agree that Option A is the far better choice for your business: in the long term it will be far less expensive, and it will help ensure you are following a comprehensive GDPR/Cyber Compliance journey.
Tagged as: Accountability, Appropriate Measures, Cyber Awareness Training, GDPR, GDPR compliance, Ransomware