The presentation provides senior executives and board members with an overview of digital risk and GDPR. It describes the issues and seeks to provide answers, whilst highlighting the need for a joined-up strategy around digital risk management.
Boards' Eye View of Digital Risk & GDPR v2
1. Boards’ Eye View of Digital Risk & GDPR
Graham Mann
Managing Director & Co-founder
CyberSpace Defence Ltd.
International House, 24 Holborn Viaduct, London EC1A 2BN
g.mann@cyberspacedefence.com
Mobile 07714210433
2. Why care about digital risk?
It makes good business sense
It demonstrates customer focus
It safeguards a key asset – data
It underpins the business
It secures IP and corporate secrets
Increased governance = decreased fines
3. Drivers for digital risk
Increasing importance of data and its relative worth
Impact of personal data loss on people’s lives
Action to address data risk at the governmental level – compliance [GDPR in Europe]
Exponential increase in cyber attacks
Ever-increasing fines for non-compliance with local regulation
Lack of a holistic approach to security within many organisations
4. The need for a digital strategy
A plan, or in the digital world a roadmap, for the application of information and technology.
This will inevitably include data and thereby have implications for data risk management.
Critical to all businesses in this connected age
Underpins business agility
Enables good data governance by providing advance notice of new data requirements or new processing requirements.
5. Digital ‘Risk’ Strategy
Supports the Digital Strategy
Digital risk is an organisation-wide responsibility
Digital risk needs a clear goal and a plan
It supports good governance [GDPR]
Vital for boards to manage digital risk
This is essentially about managing your data:
Who’s responsible for it?
What’s its relative importance?
Where does it reside?
Who should have access, and who actually has access?
6. Data can no longer be an afterthought
Organisations are expected to protect data by design and by default.
In this context, ‘by design’ means that whenever business practices, IT processes or physical infrastructure are conceptualised, privacy and data security must be integrated at the outset.
Requirement for data protection impact assessments (DPIAs) to be carried out where processing is likely to be high-risk to individuals.
7. Basic Questions
You’ll need to be able to answer some basic questions
about your data:
What data is being processed?
Why?
By whom?
For what purpose?
Who is it being shared with?
Can it be justified under GDPR or other governance models?
Is there a data classification process?
8. Digital Assets – Data Management
GDPR
Classification of data
Storage, Encryption, Back-up and Removal
Data retention policy
Where is the data?
Access rights – who has access to the data and under what conditions?
Data leaks – what’s the plan?
9. Risk Appetite
Digital risk spend versus the likelihood, impact and cost of a breach.
Based on what data?
GDPR changes established views
It’s now about being able to prove you did all you reasonably could to protect personal data (the GDPR accountability principle).
The tide has changed in favour of the individual
Breach detection has been brought into sharp focus
Data must be a key part of the ‘risk management framework’.
10. Risk Appetite (cont’d)
Critical to have an external review of digital risk to cross-compare against the internal one
Parameters to the digital risk decision
Current security position
Reasonable expectation of security
Data strategy and plans
External factors – types of attack, sectors targeted
Need for business agility
Investment [in security] need
Governance
12. Roles & Responsibilities
Board responsibilities
Senior management responsibilities
Data Protection Officer (GDPR requirement in some circumstances)
IT Team responsibilities
Security Team responsibilities (if you have one)
Employee responsibilities
Executive Risk Committee [digital and physical]
Security Working Groups
Auditors [internal, if you have them]
Communication between key groups
PR, Legal, Finance, Security, IT, HR…
Breach plan and procedures
13. The Board
Must set the agenda on data governance and digital risk
Need to determine which committees will have responsibility for reviewing the detail and implementation of data protection measures.
Company Secretary has an instrumental role:
Reporting to the Board on all matters pertaining to GDPR, data governance and breaches.
14. The Human Element
Education, education, education
Social networking activity by employees
Social engineering (Phishing)
Pre-employment security checks
Recruitment of cyber security professionals
Outsourced Services
Open environment for reporting potential data breach issues
Communications
16. Governance, Standards & Certifications
Adopting a standard such as ISO 27001/27002, Cyber Essentials or a NIST framework makes life easier.
If you haven’t already, you are strongly advised to adhere to a certification or standard
A standard will provide structure to the cyber security protecting your digital assets
You will almost certainly need to comply with the GDPR – General Data Protection Regulation
Compliance relating to personal data
17. GDPR – in a nutshell
Covers personal data of individuals in the EU held and/or processed by you, or by a processor acting on your behalf.
Fines are potentially eye-watering: up to €20 million or 4% of global annual turnover, whichever is higher.
If you suffer a personal data breach you need to notify the supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals
You need to be able to demonstrate compliance, so processes and record keeping are essential
You share responsibility for breaches at your service providers (processors); outsourcing the processing does not outsource the accountability
Personal data: if you don’t need it, don’t keep it
18. Personal Data
Individuals have the right under GDPR to:
access their own data;
request rectification or erasure of their data;
request a restriction of processing; and
ask for their data to be handed over in a portable form for use by another controller (data portability).
Are you geared up for this?
Do you know your responsibilities, and their rights?
19. Risk Landscape (Cyber attacks and threats)
Despite more money than ever being spent on cyber security,
a plethora of very clever cyber security solutions,
and a large base of highly-qualified cyber security professionals
…the risk landscape is worse than ever. Why?
20. Well, Here’s Why…
the readily available and cheap attack tool-kits;
the chronic shortage of cyber security professionals;
the high rewards for hackers and criminals;
the insatiable drive for business agility;
the sheer number of cyber security solutions;
the complexity of our networks;
the explosion in the Internet of Things;
…and an ever more connected world.
21. The issue is compounded by…
Sector-based implications and associated risk levels
Antiquated network/security architecture
Supply chain risk implications (soft underbelly)
Lack of sufficient digital risk due diligence in M&A
No data-centric approach
Too much reliance on IT, security people and a technical solution
Organisations require a top-down approach to digital risk
23. Plan for an attack
Response
Fall-out
Communication (Internal and external)
Defences
Identification
Forensics
Strategy
…and if all else fails, insurance
24. Supportive Technology
Technology isn’t the entire solution
Established suppliers versus start-up technology
Technology versus services
Tendering issues
Inclusive digital risk awareness/training programme
Continuous assessments
Acceptance that humans are the weakest link, whatever technology you put in place
25. An inclusive approach
Interaction between physical & digital risk [security]
Convergence of digital & physical security
Corporate structure – does it support the digital risk strategy?
Digital risk permeates every part of the business, and any plan must be inclusive to succeed.
That means everyone
26. Fiduciary responsibility
The board’s role cannot be emphasised enough
Need for a digital strategy and a digital risk strategy
Protect your digital assets
Sector comparisons
Justification process
Formula for allocations
Return on investment
Governance
27. Digital Risk Reporting
Essential at various levels throughout the organisation
Needs to be applicable to the subject matter
Should enable issues to be easily identified [drill down]
Linked to compliance/governance
Must be relevant to the audience it’s addressing [simple traffic lights]
Jargon buster
Accurate and truthful
28. Public Trust
Get your marketing people engaged
GDPR is an opportunity to communicate with all your stakeholders.
Be seen to embrace GDPR
Winning public trust is worth the effort.
29. In conclusion
Re-evaluate your approach, your structure and your systems in relation to digital assets and risk
Digital risk must be a focal point of the business – develop a strategy
It affects everyone and must encompass everyone
Digital risk is fluid and needs constant review
Recognise your defences are fragile - plan for an attack
Embrace the changes that GDPR will bring