
Who is responsible for cybersecurity and privacy?

#KingstonCognate introduces Bill Mew


Bill Mew is a key opinion leader, digital ethics campaigner and entrepreneur. As a key opinion leader, Bill focuses on striking the right balance between ‘meaningful protection’, where he has been ranked as the top global influencer for data privacy, and ‘the maximization of economic and social value’, where he is also one of the top influencers for everything from cybersecurity and digital transformation to govtech and smarter cities. He also appears weekly on TV and radio (BBC, RT, etc.) as an expert on these topics, with more broadcast airtime than any other technologist in the UK.

As an entrepreneur, Bill is the founder and CEO of CrisisTeam.co.uk, where he works with an elite team of experts in incident response, cyber law, reputation management and social influence to help clients minimize the impact of cyber-attacks.

We are ALL responsible - collectively and individually

In many organisations there is a prevailing attitude that cybersecurity is something that only the CISO does, or that privacy is something that only the compliance department does. Unless there is more collective responsibility for both cybersecurity and privacy, our data will not be secure, and if things go wrong we’ll all be held liable, both collectively and individually.

In such organisations, senior management is still failing to take cybersecurity and data privacy seriously. All too often they believe that these are tasks that can be delegated to the CISO or DPO (Data Protection Officer) and then forgotten about. If senior management continues to see things this way, it is hardly surprising that this attitude permeates down through the organisation, and staff at all levels also fail to take these issues seriously.

Three things organisations should think about:

1. If your procurement manager opts for unencrypted devices

If the decision to procure USB drives, SSDs or IoT devices is based purely on price, without considering whether they are secure or have hardware encryption, then those unencrypted devices create a cyber vulnerability. This puts the whole organisation at risk of a data breach.

2. If staff reuse passwords or take shortcuts to bypass security measures

If staff fail to follow basic cybersecurity rules and are careless with passwords or email attachments, they are putting the security of the entire organisation at risk. Cyber criminals actively target weak or known passwords and use phishing to compromise the security of their victims. These are among the most common attack vectors for cyber incidents.

3. If a CMO takes the odd chance with the use of private data

GDPR stipulates that personal data can only be collected with consent for a stated purpose. If you harvest or share data illegally, you are putting everyone at risk of major fines and litigation.

Who is responsible if these things happen? Organisations are, and SO are we!

We all need to take cybersecurity and data privacy seriously

If you see that your organisation is using unencrypted USB drives, SSDs or insecure IoT devices, you need to speak out. If you notice your colleagues failing in their cyber hygiene, you need to speak out. If you witness a member of the marketing department using customer data inappropriately, you need to speak out.

Change of culture is key

If we are to change attitudes and make people take cybersecurity and data privacy seriously from the top of an organisation to the bottom, then we need to change the cultural mindset.

There are plenty of incentives for organisations to do so. There is clear evidence that customers will happily do business with organisations that they believe will take care of their data, and are more reluctant to do business with those that do not. Retaining customer trust, and avoiding any kind of cybersecurity incident that could undermine that trust, should be top of mind for us all.

In addition, there are plenty of deterrents to make organisations take data protection seriously. For starters, GDPR stipulates a maximum fine of €20 million or 4% of annual global turnover, whichever is greater, for EACH incident. The cost of fixing an incident can run into millions, and if it’s a ransomware attack the cyber criminals could be demanding a multi-million-euro ransom on top of this. You could also face litigation from the people whose data was compromised.

As if such sanctions on an organisation were not enough, there are also emerging sanctions on individuals as well. A recent case in the US has set a new precedent for a cyber incident case when board members and a CISO were individually named as defendants. A report by analyst firm Gartner has predicted that CEOs could soon be personally liable for cyber-attacks.

As citizens and as customers, we want organisations to protect our data, and when we are responsible for the data of others the standards need to be just as high. We should be concerned, both collectively and individually, that we could all be held liable. But we should be equally motivated to focus on data protection because it is the right thing to do.
