According to the most recent Cyber Security Breaches Survey published by the UK’s Office for National Statistics, just 51% of all businesses have attempted to identify the cyber security risks faced by their organization. Admittedly, larger companies are much better prepared (94% have completed some discovery projects), but there are still plenty who have not.

A failure to understand current security shortfalls means that businesses are effectively choosing to leave themselves unprotected as the sheer volume of cyberattacks increases year-on-year.

Given the mainstream media coverage devoted to cyber security incidents, it seems strange that so many are unprepared. But the cause may be more obvious than expected – inappropriate delegation. 

If it has a plug, it belongs to IT

IT pros frequently joke about corporate attitudes to technology – if it has a plug, the IT department has to look after it. Or in the age of the Cloud, if it requires a password, IT is responsible - even when another business unit made the service purchase. This attitude may be quite cynical, but there are similar observations to be made about the role of the CIO.

All too often data security is regarded as a purely technical challenge – so it is left to the CIO/CTO to take care of everything. When considered in relation to PCI DSS and the upcoming General Data Protection Regulation (GDPR), it becomes clear that data security is as much cultural and strategic as it is technical – information must be handled appropriately at all times, and at all levels of the organization.

Modern cybercrime techniques typically contain elements of social engineering alongside technical attacks. Protecting against these attacks involves people, processes and technology - which is why security is now a cultural and strategic issue that needs to be recognised at C-suite level, not simply delegated to the IT department.

A useful opportunity to re-evaluate data security

Plenty of attention has been devoted to the penalties for GDPR breaches; fines of €20m or 4% of global turnover are enough to get anyone’s attention. But the reality is that PCI DSS non-compliance already comes with its own stiff penalties.

For instance, Mastercard imposes retrospective fines of up to $25,000 per day for non-compliance. Some providers also levy fines for data breaches that expose sensitive authentication data (SAD) or PAN data, billed per cardholder.

There is also the less-than-trivial damage caused to your business’s reputation in the event of a data breach. Ponemon Research calculates the financial damage of a cyber security incident to be anywhere between 17% and 31% of annual gross revenue. It also takes almost a year to restore customer trust.

With five months remaining before GDPR comes into force, businesses should already be completing data security audits.

Everyone has a part to play

Any business that has already achieved compliance with a data security standard, like PCI DSS or ISO 27001, understands – and upholds – its responsibilities to protect sensitive data belonging to customers. Indeed, these disciplines are very much in keeping with the principles that underpin the GDPR, giving those organisations a head start on their preparations for the May 25th compliance deadline.

While the CIO/CTO can obviously define and develop the technical solutions and safeguards required to keep data safe, they will need the full support of the rest of the board to enact cultural change at every level of the business. The eye-watering fines attached to GDPR and PCI DSS compliance breaches should be enough to secure the CFO’s commitment, for instance.

Invite an expert

It may be that some boards remain resistant to calls for company-wide change coming from the CIO. If this is the case, recruiting a third party like Advantio to help assess technical and process-level provisions could pay dividends.

Often advice from third-party experts is more readily accepted – even if it exactly mirrors that provided by your own in-house team. The investment in professional services won’t be wasted either – an independent audit may identify issues and blind spots that could be missed by people too close to your day-to-day operations.

Ultimately, technology is only part of the cyber security challenge. The whole C-suite must work together to change the status quo and build a security-aware organization that is committed to protecting customer payment data at every touchpoint.

Written by Marco Borza

I am the Founder of Advantio.
Technology has been my passion since I was a kid; when I first heard the handshake of an old 300bps modem, I realised security would be key in an interconnected world. Since then it has become my passion and primary focus.
The reason I started my own business is to make IT security simple.

Certifications: CISSP / CCSA (Checkpoint) / ITIL Foundations / ACSA (ArcSight) / Linux+ / PCI-QSA / PA-QSA