Utility Week - authoritative, impartial and essential reading for senior people within utilities, regulators and government
Issue link: https://fhpublishing.uberflip.com/i/531972
22 | 26TH JUNE - 2ND JULY 2015 | UTILITY WEEK

Operations & Assets

Market view

Security compromises are becoming an inevitable reality for organisations. Over recent months we have seen the number of these attacks continue to rise. From the Sony cyber hacking attack late in 2014 to the more recent Costa Coffee club breach, it is not only clear that the threat landscape has changed, but also certain that it will go on changing.

While an organisation can protect itself and its customers by reducing the opportunities for an attacker, it must also invest to ensure its business is resilient. This means balancing the controls that protect, with measures to detect, contain and recover from an incident.

The utility sector faces a two-fold problem. Companies are concerned not only with the consequences of industrial control or data acquisition systems being compromised, but also with the fact that the security of business data is an increasingly vital issue.

Over the past few years this industry has suffered a huge loss in public trust – for two reasons specifically. First, price and a lack of radical competition in the marketplace are emotive issues for consumers. Second, consumers place significant personal information with their utility suppliers and if that supplier is hit by a data breach, a consumer's service, in addition to their personal information, could be at risk.

Because of this, it is no surprise that, according to research from Fujitsu, nearly one-third (32 per cent) of consumers said that they have "little or no" confidence in utility companies to manage their data securely, while one in ten feel that their data is used by utilities to extract more money from them. In addition, only 6 per cent of consumers strongly believe their utility company gives them a better service by using their personal data. These results do not paint a good picture for utility companies.
The challenge for utility companies – and other businesses too – is to become more resilient and better manage the costs that would result from a breach. Cyber insurance cover is not new, but is a topic that continues to maintain importance in the news agenda. It is a valuable tool to transfer risk as part of a company's risk management controls, particularly in situations where there is a legal or a regulatory requirement for data breach notification, because it is expensive to notify customers of a data breach.

The recent research from Fujitsu also found 80 per cent of IT decision-makers believe more stringent data protection laws are needed in this data-driven world, while nearly two-thirds (61 per cent) welcome larger fines for data protection negligence.

It is interesting to note that more stringent laws, such as the forthcoming EU Data Protection regulation, which will impose new breach notification requirements and increased fines, are helping to fuel the market for cyber insurance in the UK.

It is important, however, to remember that cyber insurance is only one tool and, like all insurance, the cost is based on risk. For insurance to be affordable, a company has to demonstrate that it understands and manages the risks it faces. In doing so it applies exactly the same principles that have always underpinned good information security.

Risk can be reduced substantially by attending to the basics of cyber hygiene, as outlined in guidance such as the government's "Ten Steps to Cyber Security": basics such as ensuring systems are patched and protected with good passwords. To start to get a deeper understanding of risk, a company needs to know four things:

• what information it has, where it is held and what it is worth;
• what the most important systems are that run the company business;
• who will be affected, and how, if that information is compromised;
• who the enemy is, what they are doing and what their motivation is.
Not all organisations need to cover everything and from this basic understanding of risk a company can identify priorities. By following with clear and appropriate policies and robust controls that support the use of applications, portable media and devices – especially within businesses that allow people to use their own devices for work purposes – organisations can ensure data is appropriately protected. Beyond this, organisations need to bring security into the culture of their organisation to make sure everyone is playing their part.

In today's world, all businesses are at risk of a data breach. It has never been more important to do everything you can to keep personal data safe. Maintaining the trust of customers has never been more important in a market where competition is getting fiercer and the customer experience is paramount. So protect your customers but also be prepared so that you know what you will do to maintain that trust should the worst happen.

John Alcock, head of security strategy and assurance services in UK & Ireland, Fujitsu

Playing it safe

A robust cyber security policy will make your systems harder to compromise and ensure you have the funds and processes in place to minimise the effects should an attack succeed, says John Alcock.

KEY NUMBERS

Research from Fujitsu shows:

• 32% of consumers have "little or no" confidence in the ability of utilities to manage data securely
• 10% of consumers believe utilities use data to extract more money from them
• 6% of consumers believe utilities use data to improve customer service
• 80% of IT decision-makers believe more stringent data protection laws are needed
• 61% of IT decision-makers want larger fines for data protection negligence