Government departments should be more worried about teenage bedroom hackers than state-sponsored cyber terrorists, the Information Commissioner has warned.
In a speech to the heads of the civil service and other public bodies, Elizabeth Denham said that most breaches are preventable and bosses should consider the reputational damage as well as financial losses.
But rather than panicking about rogue states such as Russia hacking into their systems, civil servants should plan to protect themselves against teenage boys who attack simply to show that they are able to, the regulator warned.
“We make a mistake if we throw up our hands and worry about state sponsored attacks – we know those are rare,” Ms Denham said.
“You should be worrying about the malicious kid in his bedroom who hacks into your system because he can. Or the opportunistic thief who understands the value of the data you hold and knows how to get his hands on it. Because you left the door wide open.”
Her comments come amid rising concern about the impact of a state-sponsored attack on Britain’s public services, particularly from Russia. Boris Johnson, the Foreign Secretary, recently warned the Kremlin that Britain would react in kind to any cyber attack.
In reality, many of the highest-profile attacks have proven to come from far less powerful sources.
Kane Gamble, who is currently awaiting sentence, was just 15 when he gained access to the computers of America’s top spy chiefs, including the head of the CIA, from his Leicestershire bedroom.
Ms Denham told the Association of Chief Executives and the Public Chairs’ Forum that, despite complaints about resources in the public sector, cyber breaches such as the WannaCry attack on the NHS cost more in the long run.
The international ransomware attack disrupted more than a third of trusts in England and saw 6,900 NHS appointments cancelled.
Ms Denham said: “I ask you to consider the risks. Think of the true cost of a cyber breach, for example.
“It will cost you money but it will also cost you your reputation, trust, social licence. This is collateral damage.
“Yet most cyber breaches and attacks are preventable. The high-profile attacks on TalkTalk and Carphone Warehouse would not have happened if they had put rudimentary protections in place. And if NHS systems had been patched and up to date, they would have been protected from WannaCry.”
The EU’s General Data Protection Regulation (GDPR), a framework with greater scope and much tougher punishments for those who fail to comply with new rules around the storage and handling of personal data, will replace the Data Protection Act in May.
Ms Denham said that the new regulation brings the legislation “in line with our 21st century world”.
“It gives greater control to people about how their data is used and it compels organisations to be transparent and account for their actions,” she said during the speech on Friday.
She added: “This is about restoring trust and confidence. Only one in five people in the UK trust organisations to look after their data. That’s not good enough.”
The Information Commissioner’s Office (ICO), which is responsible for punishing any breaches of the rules, will receive more reports of cyber security breaches and more complaints as people are more aware of their rights, she said.
“Sometimes when I speak to the private sector, I can sense the panic, but also the incentive to get it right. So many businesses feel like they are starting from scratch – it’s one of the reasons why we’ve set up helplines and targeted resources to help them prepare,” Ms Denham said.
“Sometimes when I speak to the public sector, I can sense complacency. Because you know data protection. It’s been part of the furniture for years. Now it’s time to redecorate.”
She encouraged bosses to take the opportunity to retrain their staff and to open up transparency and accountability on how personal information is used.
Source: The Telegraph
4th February 2018