Gary Hibberd


Have you noticed that whenever there is a data breach, or security incident, the head of the organisation will state “data protection is our main priority”, or “we take the security of your data very seriously”?

It’s almost as if the first page of their incident response plan says:

“Step 1 – Tell people what they want to hear.

Step 2 – Tell them you’re investigating it.

Step 3 – Tell them [insert words] is our primary concern.”

Giving us empty platitudes when a company has had a breach helps no one. This is like hitting someone with a car and then saying “the safety of pedestrians is my primary concern!”

You’re fooling no one, and quite frankly it’s insulting.

Data security is not your primary concern, unless you happen to be in the data security profession. If you’re a doctor, your primary concern is my health. If you’re a marketing company, your primary concern is getting my message out to the world. If you’re a lawyer, your primary concern is keeping me honest and out of prison(!)

Data security is fundamental

Don’t get me wrong; we want you to quickly respond to an incident, but we want you to be honest too.

Unless your profession or business is a cybersecurity or data protection business, please stop saying it’s your main priority because it’s not. If we’re lucky, it may be the primary responsibility of someone in your business. You may have even written a policy telling everyone it’s their responsibility too.

But it’s still not your primary concern.

But it is mine. It is for the individuals whose data has just been lost/stolen/corrupted.

Data security may not be your primary concern, but it should be fundamental to everything you do. 

In the same way that pedestrian safety is not my primary concern when driving, it’s fundamental to how I drive – with care and attention to other travellers I may come into contact with.

What should we do?

Today is ‘Data Privacy Day’, an internationally recognised day for raising awareness around data protection and cybersecurity. It’s a great day to focus our attention on what data protection means to us.

If this day is news to you, then don’t worry because tomorrow could be your Data Privacy Day. Choose a date in the diary (make it soon), and get your business involved. 

Assign someone to be responsible for managing, reporting and keeping informed on matters related to cybersecurity and data protection. Notice I said ‘responsible for managing, reporting…’. Responsibility for data protection and cybersecurity rests with the owners and business leaders. It starts and ends there.

Again, for the avoidance of doubt, I’m not saying other people aren’t responsible for delivery of a secure business. But just as a mechanic is only responsible for car maintenance, I can’t expect them to take responsibility for my driving.

Set a budget for the next 6 months to improve how you protect data. This is NOT an IT budget, as your money might be better spent on physical security, or training of staff, or developing better systems. IT security is not data security (if you’re confused by this, then we need a longer chat).

Develop a Data Protection Awareness Programme which includes all your staff, so they understand what you expect of them. But don’t just put out a few posters and think “that’s it”. 

  • Train your developers (if you have them) to understand Privacy by Design and Default.
  • Train your finance team on how to spot phishing emails.
  • Train your facilities team on the importance of secure destruction of physical media.
  • Train your HR department on the importance of data retention and destruction.
  • Train your IT department on immediate response to a data breach.

And importantly, train the board on how to respond to a PR crisis.

If your training and awareness doesn’t cover these things, then you’re training no one and awareness is simply a word you throw at auditors when they come in once a year.


Data Privacy Day is an opportunity for us to start anew with our Data Privacy initiatives. Perhaps today you’ll create a Data Privacy Pledge and create meaningful goals that are honest and based on a genuine desire to keep data secure.

Unless you’re a Data Protection or cybersecurity company like Cyberfort, I know that data security is not your primary concern. So stop saying it is.

But that doesn’t get you off the hook. Take responsibility and get experts in to help you with this. It is THEIR primary concern, to help you stay secure.

Remember that we all have a fundamental right to Privacy, and this means giving access to our data to the right people, at the right time, for the right reasons. Is that too much to ask?

Some people think that Data Protection is difficult. But in a world that gets confused by and scared of GDPR, I ask you to remember that GDPR simply means…

Giving Data Proper Respect

What could be more important or simpler than that?
