This blog has been created from our Webinar ‘How to protect your data and information; now and in the future’, which was hosted by Tim McGarr (Sector Lead, Digital) and Mike Edwards (Tutor). In order to watch the full webinar, you can register here.
From DCMS’s (the UK government’s Department for Digital, Culture, Media and Sport) most recent Cyber Security Breaches Survey, it’s clear that the threat organizations face is only getting worse. This year’s survey suggested that just under half of businesses had a breach or an attack in the last 12 months.
The reality is probably a lot worse. “You don’t know what you don’t know”: some organizations don’t have the right systems and procedures in place to identify breaches, and, for a lot of bad actors, being successful means not being found out. Even more worrying, a third of businesses said they’d had a cybersecurity incident at least once a week, and that figure has been increasing quite a lot over recent years.
These attacks or breaches can have a huge impact on organizations in terms of reputation, loss of data, loss of money and potentially fines as well. The survey suggests that this cost is roughly £5,000 for large or medium organizations, but obviously there’s a huge range in what those costs could be, and it’s very hard to calculate them explicitly.
One encouraging fact is that cybersecurity is becoming more high profile, and as a result we are seeing more firms than ever employ someone to focus on their cybersecurity: 60% of small firms and 77% of medium-sized ones. Additionally, 38% of firms have a written policy to deal with cybersecurity, higher than ever before, although still worryingly low.
How standards can help with cybersecurity
The standardization work around cybersecurity started over 30 years ago in the UK. BSI and our cybersecurity stakeholders continue to lead the way in the UK, working with 80 other countries and lots of international organizations to develop these standards to support the continual evolution of cybersecurity.
At the core of cybersecurity standardization is ISO/IEC 27001, a management system standard providing a framework for organizations of all sizes. Around 27001 are about 40 standards that go into much more depth on areas such as cybersecurity in the supply chain or cloud computing.
There is a growing demand from different sectors for guidance on how to manage cybersecurity risks. This includes industries like the construction sector, which has gone through a huge amount of digitisation in the last five or so years, as well as new areas of technology that throw up entirely new challenges. Whilst cars have been around, and pretty similar, for 100 years, the rise of connected autonomous vehicles – and to a lesser extent, electric cars – has brought up a whole series of new challenges that the automobile manufacturers and their supply chains need a lot more help with.
Alongside cybersecurity, there is a much greater focus on privacy. Primarily this is due to legislation and regulation like GDPR, but it also reflects an increasing awareness of the importance of privacy. Broadly speaking, we can identify four key areas of privacy standards that are in progress or in use:
- Data protection and privacy holistically
  - ISO/IEC 29134 (Guidelines for privacy impact assessment)
  - ISO/IEC 29184 (Online privacy notices and consent)
- Data protection specifically, including Personally Identifiable Information (PII)
  - ISO/IEC 29151 (Code of practice for personally identifiable information (PII) protection)
  - ISO/IEC 27018 (Code of practice for protection of PII in public clouds acting as PII processors)
  - ISO/IEC CD 27555.2 (Guidelines on PII deletion)
  - ISO/IEC DE 27556
- Privacy techniques
  - BS 10010 (Information classification, marking and handling)
  - ISO/IEC 20889 (Privacy enhancing data de-identification terminology and classification of techniques)
  - ISO/IEC CD 27556 (Use-centric framework for the handling of PII based on privacy preferences)
  - ISO/IEC WD 27559 (Privacy enhancing data de-identification framework)
- New areas
About our expert:
Tim McGarr
Tim McGarr has been working at BSI since 2009 and is the Sector Lead for the Digital area within Knowledge Solutions. Tim has responsibility for the direction and development of newer digital standards areas, including Cyber Security, Artificial Intelligence and Virtual/Augmented Reality.