Falanx Group Ltd (LON:FLX) Chief Executive Officer Stuart Bladen caught up with DirectorsTalk for an exclusive interview to discuss the NIS Directive, Cyber Essentials, GDPR & what this means for your typical company
Q1: Stuart, this morning I wanted to talk to you about the government’s latest move as this week it has announced the consultation on security of network and information systems. What’s it all about and how is it different from anything else like Cyber Essentials and GDPR that we keep hearing about?
A1: What’s up is that the government, not just here but across Europe and around the world, have taken a three-prong approach to cyber security and they are business risk, people’s rights and protecting the nation. This week’s announcement is about protecting the nation and the national economy and it’s called NIS Directive.
Q2: What’s the difference, why three? Can you take us through the three approaches without getting too technical?
A2: First, business risk. The government is telling companies to implement good practice in cyber, indeed the government is actually saying if you haven’t done the basics, we won’t do business with you and you should not have unprotected business with someone else either. So, that’s the Cyber Essentials programme, the absolute basics. For many companies, they need more, depending on your business risk, higher standards are needed so for example Cyber Essentials Plus, more for card payments and if you need more ISO quality standards. So, that’s the business risk angle, the more risk you have, the more you need to do and the more you should expect your suppliers to do.
The second angle is about people’s rights in the digital world. So, if you hold somebody’s data, you are obliged to protect it, to use it properly, even to delete when asked and that’s the General Data Protection Regulation (GDPR). It arrives next May 2018 and if you don’t implement it, there are big fines, the current maximum fine in the UK is £500,000, under GDPR this becomes £17 million or 4% of your global turnover, if that’s higher.
The third angle is about the government protecting the national infrastructure and economy and that’s what’s been announced this week, first as a consultation and then implemented by November 2018. The NIS Directive means that the UK has to identify and protection essential services, parts of our nation, if you like, that are critical to daily life and this includes what you’d expect; electricity, transport, water, energy, health, emergency services and our main financial banking and economic systems. Again, the proposed fines are up to £17 million or 4% of turnover, if higher.
Q3: Why are these new measures needed on national assets and the economy now, surely, we’ve always needed to do this?
A3: You’re right Giles, there is already a critical national infrastructure programme in the UK but the NIS Directive extends this further into the digital world requiring us to protect the information systems and networks that all these critical areas rely on.
It is a really really big issue, a couple of years ago, way before I joined Falanx Group, I actually wrote a paper on this and it’s called The Crisis Megatrend, you can find it on my LinkedIn profile and I’ll tweet out a link later. In essence, it’s very simple, the world is dependent on computer systems and computer systems have a habit of failing or being attacked and when they do, business just stops.
Now, it didn’t used to be this way. Whether it’s banks locking out their customers, now it’s their online customers not their physical ones of course, but most bank customers are now online, airline flights stopping for a day because the reservation system’s down, global stock markets with computer trading and flash crashes and of course, the international supply systems. In fact, we have twice as many crises as 20 years ago and they are almost all related to our reliance on computers.
So, Giles, please understand, I’m not saying computers are a bad thing, they’re a very good thing, but we are now so reliant on them that we must take stronger steps to protect them. That, for me, is what the new NIS Directive is all about.
Q4: I get that Stuart but it is all a bit grand, what does this mean to your typical company, your typical IT Manager, what do they need to do? Do they need to do anything at all?
A4: Yes, they do actually. If you do business online, if you take payments on credit cards, if you supply government or big business, if you sell to the health service, water or electricity companies, if you record customer data, if you’re in sales or are public-facing, and let’s face it most of us fall into one of those categories, this is a real wake-up call because a £17 million fine could cripple your business. All your clients and customers are now going to have to ask how you comply, how you comply with Cyber Essentials, with GDPR and in many cases with this new NIS Directive so it is now a time for every manager to ask some questions.
I’ll be honest, I end up almost every meeting that I have, not just clients but investors, partners, suppliers, by asking them how they comply, well I would wouldn’t I, I have to, and most tell me that they think someone somewhere else is accountable but they don’t know themselves. 9 times out of 10, they can’t actually name who but of course they assure it’s all ok in their firm and I actually find that pretty frightening because what we do know is that 69% of UK firms, more than two thirds of UK firms, have no real preparations.
So, the basics for every manager is to know who is accountable for data protection and information security, to ask for cyber awareness training for you and your team, to ask what standards you company meets, are they the right standards for the level of risk that you have. In many cases, if you buy in your IT service, ask if it includes cyber because most of the time the answer is no so let me say that again, most of the time cyber is extra, it is not included as standard. Do you have cyber insurance? Who checks your cyber? Most businesses should now have an independent view, just like a financial audit and ask when your systems were last tested by an ethical hacker and how they were updated. Remember, these are questions that all managers should know the answers to, not just the IT department.
If all that is still too much, just remember this very one simplest thing, google ‘Cyber Essentials’ and that will get you started with basic, free, independent advice. Please do feel free to call me, I’ll be pleased to email you the pointers, ping me on LinkedIn or email at firstname.lastname@example.org and I’ll send you a quick summary, no strings.
Falanx Group Ltd (LON:FLX) provides cyber defense and intelligence services. The Company’s segments include Intelligence, Resilience, Cyber and Other. Its business divisions include Falanx Cyber Defence and Falanx Intelligence.