Cyber security vs the regulator: do you know where you stand?


BeCyberSure explains the importance of building cyber security into every business and the role regulators play in keeping data safe

Ask the boss of a small or medium-sized business whether they have considered cyber security, and their response will be much like the one given to the person at the car rental desk who is trying to upsell collision damage waiver.

“That’s covered by my own insurance, thanks.” Persist further and they might say “my IT department has cyber security covered”, even if they have no idea whether that is true. In reality, rather like the customer who waives the extra insurance, they believe it won’t happen to them, or that if it does, the cost of fixing things will be modest compared with the cost of protection. It also reflects a belief that doing nothing means the problem will somehow vanish; it won’t. The boss needs to realise that by doing nothing they are in fact increasing a risk they do not fully comprehend.

Cyber security responsibility

Importantly, governments have declared that cyber security is a Board issue, not an IT issue. To emphasise this, new rules and regulations will make the company liable for any breach of its data protection obligations. The General Data Protection Regulation (GDPR), which comes into force in a little over a year’s time, brings with it the threat of fines from the regulator of up to 4% of group global turnover if the company is deemed liable for a loss of data. To understand what this means, we could look at the Financial Services industry, where the regulatory regime was heavily intensified following the Global Financial Crisis in 2008. If you take the situation seriously and can demonstrate that you have made reasonable efforts to safeguard your systems and data, then the regulators will work with you. Ignore them, and the penalties from the regulator could make the actual inconvenience of a data breach the least of your problems.

What this means for the company

So what should the prudent boss be doing about this? Just as it is sensible to look after your health and have regular check-ups, it makes sense to have a cyber-health check for your company before these new regulations come in. You don’t need to break the bank, and much of the threat can be contained by proper software, but to continue the analogy, this is an ongoing health regime: eating properly as well as exercising regularly, all year round, not just in the two weeks before the medical. Nor is it just about software. Research shows that almost every data breach occurs because the human firewall was breached. Your people might be your greatest asset, but they are also your weakest link in a cyber attack. State-of-the-art defensive software is necessary but not sufficient, for you or for the regulator. Reviewing your systems, training your staff, and putting in place protocols both to prevent attacks where possible and to mitigate their impact when they do occur are all now needed to survive and thrive in our increasingly interconnected world.


Think human, BEFORE you think cyber.

Think security, NOT compliance.

