House of Commons Culture, Media and Sport Select Committee report on Cyber Security and all that jazz
Email came through from ITSPA this morning regarding the House of Commons Culture, Media and Sport Select Committee report on Cyber Security: Protection of Personal Data Online.
In general, the report focused on the need for increased consumer awareness of cyber security breaches and recommended that the Information Commissioner’s Office (ICO) should have a robust system of escalating fines to sanction those who fail to report, prepare for, or learn from data breaches. It also stated that Government need to urgently address the huge amount of data that will be created by the Investigatory Powers Bill and how this will be secured from data breaches.
I’ve listed the key recommendations together with my own comments below:
- Companies should report their cyber security and data protection strategies to the ICO
This is somewhat naive. How many companies are there in the UK? The ICO would be swamped and in any case would not have the resources to do anything with the information.
- The ICO should have additional powers of non-consensual audit, notably for health, local government and potentially for other sectors
More red tape and you have to question the efficacy of this. I can understand auditing the public sector but private industry???
- The Government should initiate a public awareness-raising campaign on cyber security
Waste of time though. For a campaign to be effective it would have to be prolonged, permanent even, and cost a fortune.
- It should be easier for victims of a data breach to claim compensation
Seems like a good idea, if likely to be somewhat complicated and difficult to do.
- All relevant companies should provide well-publicised guidance to customers on how they will contact customers and how to make contact to verify that communications from the company are genuine
What makes a company relevant? In principle this sounds sensible, but it is red tape.
- All telecommunications companies should take steps to ensure that compliance with data protection rules and Cyber Essentials are key criteria when selecting third party suppliers
The more I think about this, the more it looks like interference in private industry.
- Cyber security should sit with someone able to take full day-to-day responsibility and who can be fully sanctioned if the company has not taken sufficient steps to protect itself from a cyber-attack
- To ensure this issue receives sufficient CEO attention before a crisis strikes, a portion of CEO compensation should be linked to effective cyber security
- The vulnerability of the massive new data pools that will be created by the Investigatory Powers Bill needs to be urgently addressed by Government
I’ve been saying this for years but all you will get is lip service.
There you go. The UK approach to cybersecurity. I’m not saying it isn’t an important subject and that we all don’t need to be cyber secure. I’m just not sure that more rolls of red tape is the way to do it.
My thanks to the ITSPA secretariat for their contributions to this post (which is most of the post apart from my comments).