Public sector executive pay should be linked to cybersecurity
James Wickes of Cloudview believes regulators need to take steps to sharpen senior managers’ focus on cybersecurity
Cybersecurity is constantly in the headlines for all the wrong reasons.
Earlier this month, we heard that all 200 UK NHS Trusts that have been assessed so far failed to meet the standards of the government-backed Cyber Essentials Plus scheme. Some of them even failed on patching, which was the vulnerability that led to the WannaCry ransomware attack. They clearly haven’t learned the lessons from an event which caused massive disruption across the health service, with operations postponed and appointments cancelled.
You would think that, if public sector organisations can’t even manage basic security hygiene such as patching, there would be consequences for those running them. However, while the forthcoming GDPR is bringing in new requirements for the protection of personal data, the large fines (€20m or 4% of global revenue) for a privacy breach will apply to the organisations concerned and will not affect their leaders.
After the TalkTalk cyberattack, its then chief executive Dido Harding may have had her cash bonus halved, from £432,000 to £220,000, but she was still paid a total of £2.81M in 2015, despite the personal and financial details of tens of thousands of customers disappearing into the ether. The attack cost TalkTalk £60m and 101,000 customers.
The public sector holds even more personal information, from our tax details to our medical records. However, public sector leaders will simply blame a lack of resources for not being able to implement effective security standards, and the problem will become a political football rather than a security issue. Meanwhile, nothing will change, and both our data and the services we rely on will remain at risk.
There have been some suggestions that penalties for a cyber breach should apply to executives too. After investigating the massive cyberattack on TalkTalk, the select committee on Media, Culture and Sport recommended that a portion of CEO compensation should be linked to effective cybersecurity. This would have implications for anyone who leads an enterprise and has legal responsibility for its behaviour – be it private or public, big or small.
They then made another recommendation which has even more serious implications, saying: “We concur with the ICO that, whilst the implementation of the EU GDPR will help focus attention on data protection, it would be useful to have a full range of sanctions, including custodial sentences.”
So, if these recommendations were to become law, executives could lose money if they were judged not to have ensured the necessary cybersecurity – and could even go to jail.
Despite this, 18 months later we have seen no sign of these recommendations becoming law, and security breaches continue to occur with alarming regularity.
In my view, hitting public sector executives hard in their pocket may be the only way to make them take cybersecurity seriously. Their job is all about balancing risk and reward. For whatever reason, they appear to be choosing not to take the risk of a cyberattack seriously, and are focusing their attention and budgets on other issues.
In the private sector, at least customers can vote with their feet and take their business elsewhere, potentially affecting an organisation’s bottom line. However, where public sector services are concerned we have no choice. Each service, from council tax to health, is a monopoly. So, we have to rely on regulators to protect us.
It is about time that they woke up and hit those running our public services in the only place they will feel it – their pockets.