Out-Law News

Necessary improvements to information governance must stem from the top of businesses, says senior police officer


Businesses can expect data breaches to increase in number until the issue of cyber security is treated more seriously by senior management, a senior police officer has warned.

Adrian Leppard, Commissioner for City of London Police, said that "a shift of approach in terms of governance" of business-held information is needed to combat what he said is the "growing problem" of crime against UK businesses by "more sophisticated international organised crime groups".

"[There has to be] the recognition that the whole organisation has to be involved – every department, every person and every process," Leppard said. "This cannot be converted into an action plan and a series of tick boxes and discharged or delegated to someone else’s responsibility. It will need resourcing and managing carefully and intrusively. The only way for this to be managed effectively is through a series of governance processes that start with the chief executive and involvement of the Board."

Leppard advised businesses to assess the risk attached with "every repository of information", including where there are "complex outsourced supply chains". He said it would take time and effort to go through this process and to also raise the awareness of staff about information governance issues. He recommended that businesses get their systems tested to make sure that information is being stored securely.

"Success in terms of cyber security is simply this. Your information is secure," Leppard said. "Whilst governance and compliance with known standards are an excellent means of achieving this, it is not in itself the answer. The only way you can be certain your information is secure, is by asking someone to try and steal it. The good news is that there are now Government accredited security testing schemes that can be accessed by private businesses."

"The necessary change in culture involves routine system penetration testing by third parties coupled with intrusive internal surveillance systems, monitoring technical infrastructure and, I’m afraid, monitoring people as well. This is why appropriate measures across what is an enterprise risk will naturally involve the whole organisation. Staff need to understand the change, but better informed will also be best placed to help to close down the risk. All of this is going to involve additional resource," the Commissioner added.

Leppard made the recommendations after reporting that hackers had broken into a customer database of a marketing company in Ireland and stolen details belonging to more than a million people. The data breach may have involved the bank details of up to 500,000 people being "tampered with", he said.

Leppard warned that society's growing use of the internet and the way in which data is stored electronically is "enabling the fraudulent access to personal information". He said there needs to be a "culture shift towards the management of information" that focuses on "people, their access and their approach to this information".

"We have to recognise that information is the commodity and we need to protect it, depending on its level of importance," Leppard said. "One of the first challenges therefore is to properly map the information that your organisation holds, both in terms of how valuable it is to others, as well as your own business, and then also to risk assess how it is stored and accessed."
