Last week’s poll was based on proposals to fine companies and organisations up to £17m – or four per cent of global turnover – if they fail to take measures to prevent cyber-attacks that could result in major disruption to essential services.
Partly in response to the ransomware attack on the NHS, and aimed at bringing the European Union’s Network and Systems Infrastructure directive into UK law by May 2018, the Department of Culture, Media & Sport (DCMS) has stated that the system of fines, which is currently the subject of a consultation to which affected organisations are encouraged to contribute, will remain in place following Brexit and may also cover protection against systems failures such as those which affected British Airways earlier this year, which were blamed on a power outage.
More information on the proposals can be found here and the consultation documents are here.

Of the 227 responses, a total of 69 per cent took the view that fines would not be effective: 37 per cent said companies would remain vulnerable regardless, and a further 32 per cent thought assistance would be more helpful than fines.
A fifth of respondents agreed that the proposed fines would reinforce the value of data, whilst five per cent agreed that fines are a good idea, but that the proposed ceiling of £17m is too heavy. The remaining six per cent failed to find a fit with their opinion, opting for ‘none of the above’.
In the debate that followed in Comments, Steve said: “All business nowadays is moving exclusively online, which means we have no choice but to pass over our personal information. Therefore, protection of our data is out of our hands and it’s foolish to think otherwise. No law is going to protect us – it’s just a matter of when we are compromised, rather than if.”
“In general security is last on the list for almost every project,” added Timothy Murphy. “There is always a pretence and measures are taken for show but it is only the very serious, very big online players who actually design security in properly. This is because every company you can think of is trying to develop a product that’s far too complicated for the amount of people they have working on it.”
What do you think? Keep the debate going using Comments below.
So come the first case we will have years-long wrangling over whether the measures were sufficient that were in place.
To put it simply. Imagine a good old fashioned metal safe. I put ‘stuff’ in my safe and one day need to get it out but the lock breaks. I go to the safe company who having made the safe know a way to get my stuff out. It will damage the safe but I still get my stuff. I say the ‘stuff’ is worth more to me than the safe, go ahead.
Moral: no matter how strong the safe someone will always be able to get in in case it breaks.
See where I’m driving at!
Companies should be forced to only store data that is essential to their business or the service they offer.
All the other trawled information for marketing purposes should be removed from the servers and so the internet, it is usually a combination of the small pieces of information that complete the data puzzle and cause the big damage.
All business nowadays is moving exclusively online, which means we have no choice but to pass over our personal information. Therefore, protection of our data is out of our hands and it’s foolish to think otherwise. No law is going to protect us – it’s just a matter of when we are compromised rather than if.
Also, now that the spies (UK, US and others) have full access to our data and are able to harvest huge amounts from our ISPs. Who is going to ensure that they and third party organisations protect our data? If it is released, through design or incompetence, who is responsible?
This new act is only window dressing and won’t provide much, if any, protection from the biggest threat which is government incompetence and misuse.
In general security is last on the list for almost every project. There is always a pretence and measures are taken for show but it is only the very serious, very big online players who actually design security in properly. This is because every company you can think of is trying to develop a product that’s far too complicated for the amount of people they have working on it. There is never enough time and it’s hard enough to get even the main features to work let alone some rubbishy nonsense about security. Lots of projects fail even before security might become an issue. So basically no manager wants people spending real time to design things properly.
Hence security is an afterthought when a project has gone into use – at which time the projects resources tend to be cut. The design often intrinsically makes secure behaviour impossible and a redesign requires impossibly too much time.
In a product which is actually making millions of dollars the story is different but I think there is a lot more danger from the many more marginal uses.
The worst possible situation is software designed by consultants – the mistakes are made and the people who made them and understand the code are gone very quickly. When maintenance is done it’s by people who don’t know all the hidden faults.
So fines like this will kill off jobs for lots of people as they will make programming even more uneconomic.
I didn’t explain properly that despite these problems the whole world of software that you use started off being insecure and the internet was bootstrapped on lots of quite insecure stuff. If you make the cost of failure very high you will prevent innovation which is far worse than the security disasters that seem so dramatic. Especially you will penalise small companies because the big firms will absorb the penalties – and that kills off innovation if you care about it.
Can anyone imagine any lawyer (who can barely understand quill pens and parchment written laws without a row, always at someone else’s cost!) even understanding modern cyber-crime and its ramifications, let alone being able to create, let alone ‘police’ laws to tackle the issues raised in this aspect of our affairs. What a farce. Though I believe this time they have really shot themselves in the foot! Because they will merely demonstrate their inability to contribute to the ascent of man. How like lawyers to believe that passing a law and proposing a penalty for breaking such, somehow makes sure that such will not happen. It’s farcical, and even more so now. Bring on the first case and I will personally show the recipients how to tie the B******s up in their own silly knots!
Isn’t there a quotation from one of the ‘good books’ assuring us that there is one individual “from whom no secret is hid?” (hidden?) Presumably – as I gather is already the case – if all our e-mails, snap-chats (not sure what those are, will have to ask my granddaughter) blogs, posts, searches, on-line internet of things…you get the idea… are already compromised what is there for us to worry about? Many years ago, I did attend the RMC, Sandhurst to describe one of my Uni teaching scenarios. [We called it the crash project: students in groups were given a topic at 0900, they stopped whatever else they were doing, worked at their research for 3 hours and then had to present their findings verbally and continue their research and write such up by 0900 the next morning. The Army thought it might be valuable for young officers to try the same. I believe it was.] My concern was that at least 30% of the cadets were from overseas: and whilst one supposedly hoped they were from ‘friendly’ countries, who knows….
“If I find out what you are doing, it’s quite simple to create an answer: but if I find out how you are thinking and have been trained to think (presumably young officers are?) I can think of the answer before you have posed the question….and vice versa.” Makes yer fink, donit?