Last month saw security-minded dinner guests including security and compliance officers from major international conglomerates, financial organisations, high profile charities and educational institutions gather at an intimate location in London for a frank airing of their views on the cyber security world.
The private roundtable dinner, hosted by Information Age and security firm Trend Micro, was kicked off by Trend Micro CTO Raimund Genes, who wanted to delve into the issue of the upcoming EU regulations and how it will affect international enterprises.
The UK organisations at the table said they were ‘woefully underprepared’ and that it remains a ‘scary grey area’ for them – ‘it’s on our radar but we’re waiting for clear details to come out’ said the CISO of one major financial firm. ‘There’s not enough clear information about how to adopt it in full, whether it will be forced upon us, or how it will work.’
There was a general consensus among the dinner guests that the lack of clarity on the law reflects a lack of transparency from governments when it comes to cyber security.
‘It’s funny because they aren’t so clean themselves when it comes to keeping information on people,’ said one. ‘The government are saying they’re keen to improve cyber security, but at the same time they’re saying encryption is too strong over networks for counter terrorism. It’s clear they want us to be strong – but not too strong.’
It was also agreed that there is an alarming ignorance amongst politicians about cyber security. Genes referred to David Cameron’s statement on banning encryption technology in the wake of the Charlie Hebdo attacks in Paris as incredibly damaging to the UK tech sector- ‘it would put the UK back into the dark ages of IT. The UK is leading in key management and other technology- if this goes through and only in the UK, nobody would buy UK security products.’
The problem, said the IT chief of a UK educational institution, is that those in government are not involved in the practical everyday task of IT.
‘We’ve got incredible requirements imposed on us around how we manage data security that are completely impractical and totally out of proportion to the risk, because they’re not in the environment,’ he said.
The EU is proposing fines of up to 5% of global annual turnover for those that don’t comply with the new laws- something which could severely impact companies. But in the end, questioned the compliance head of a prominent payments firm, will governments be prepared to put companies out of business for data privacy?
‘They’re big scary targets,’ she admitted, ‘but will anyone actually be prosecuted? What’s the reality?’
In Germany, Genes said, nobody believed companies would be blacklisted by the German government, until the ‘no spy’ agreement came into effect and it happened.
‘As long as nobody enforces it, nothing will happen,’ he said. ‘Once it’s enforced, everybody will panic. Everyone’s just waiting for that big EU case.’
But as the CISO of a UK financial institution added, the laws are likely to scare some organisations more than others.
‘Banks get fined, and they just say ‘we’re going to pay for it’ and factor it into the balance sheets,’ he said.
In the end, the guests agreed, it’s not other companies but state sponsored attacks that should be the main concern for enterprises.
‘Meanwhile, people are becoming desensitised to data breaches and so the public will stop reacting to them,’ said one security expert. ‘Look at the breaches at Target or TK Maxx- people haven’t stopped going to either of those, it’s just the cost of going shopping nowadays. But in Europe it might shock people more. In the EU we assume these kinds of breaches only happen in the US- it happens just as much in Europe, it’s just we don’t hear about it.’