Lack of user guidance leads to network gaps.
There is not enough guidance on how to adhere to regulations, and too many businesses are left to determine their own compliance.
Speaking at the UK Cyber Week conference in London, Luke Griffiths, information security consultant at Secarma, said the Data Protection Act “essentially just says implement appropriate technical and organisational measures, and then you need to do the rest and figure it all out for yourself.”
Griffiths said this is why security is so often misaligned, when we should be aligning information security management systems to a standard, “and if we don’t do that there will be gaps, and certain areas will undermine others and this will lead to conflict.”
Being better defined, Griffiths said, means defining policies, processes and practices so that they are repeatable and allow users to gather metrics, audit them and compare results. “Most of all, it is adaptive, so it can continually improve,” he said.
“If you do not conform to a management system and you’re doing the continual improvement yourself, you will end up finding these gaps in the future - and it becomes even more important to have closed them way earlier.”
He recommended that users take steps to formalise their management system and bring in an external auditor to “help you make sense of it.”
Griffiths also told the audience to take supply chain security more seriously, as he said “we want to be demanding more from ourselves, but even more from our suppliers.” This is because there is very little recourse in the event of a partner experiencing an incident, and users can face legal issues if no duty of care exists between the parties.
He said: “Do your own due diligence and only onboard suppliers that meet your due diligence requirements. If they don’t [meet your requirements], you need to go to a contract and come up with warranties and conditions that allow you to take action, even if they fail in their information security obligations.”
Written by Dan Raywood, Senior Editor, SC Media UK
Dan Raywood is a B2B journalist with more than 20 years of experience, including covering cybersecurity for the past 16 years. He has extensively covered topics from Advanced Persistent Threats and nation-state hackers to major data breaches and regulatory changes.
He has spoken at events including 44CON, Infosecurity Europe, RANT Conference, BSides Scotland, Steelcon and ESET Security Days.