Intrusion Detection System
Much of a strong information security plan depends on having the tools to detect breaches in the first place. Without the technical tools in place to realise you're under attack, your business continuity planning and risk prevention might as well be pointless. Just to give you an example of the headaches this will cause in the future if not addressed: under the GDPR you're obligated to put in place a comprehensive personal data breach notification process (to both the Information Commissioner's Office and the affected victims of personal data theft). However, this requirement can only be fulfilled if you have the means to detect that a breach has happened in the first place. The fines we've seen so far indicate that not being aware of breaches is actually a far bigger compliance hazard than the steps you need to take afterwards.
Proper Delegation of Duties
This is a key one. Often cyber-security and data protection are seen as a passive background task that can be done automatically as long as everyone doesn't do anything stupid. That's. Not. Right. In 2018 it requires a pro-active approach, with awareness of upcoming potential threats as well as compliance requirements from everyone (see the next section). Every department in your organisation needs a person in charge of specific processes such as handling data subject access requests, making sure your anti-virus/anti-malware software is kept up to date, and making sure privacy by design is implemented to encourage data minimisation, etc.
These are all key pillars of a pro-active and successful security strategy for both cyber and information in general.
A Dedicated Compliance Team
Now, you might have a compliance officer who is generally in charge of pro-actively influencing the directors of your organisation. This isn't enough in 2018. I would strongly recommend appointing a Data Protection Officer in charge of maintaining records of data processing. Also ideal would be a Chief Information Security Officer who is in charge of establishing and maintaining the enterprise vision, strategy, and programme to ensure information assets and technologies are adequately protected. A dedicated Risk Officer who is responsible for assessing and mitigating significant competitive, regulatory, and technological threats to a firm's capital and earnings would also be a big plus. The most important thing, though, is to change the general culture of your organisation to put privacy and security at the forefront. That means direct involvement from board level downwards.