This morning, I went to a seminar organized by the Belgian Data Protection Authority during which the new “Belgian Cyber Security Guide” was introduced.
The guide is an initiative of ICC Belgium, the Federation of Enterprises in Belgium, B-CCentre (Belgian Cybercrime Centre of Excellence for Training, Research & Education), ISACA, E&Y and Microsoft, with the support of the EU Commission.
The President of the Federation of Enterprises in Belgium, who actually took the first step for the drafting of this guide, mentioned in his speech that the guide is, as such, the result of a demand from Belgian companies for a practical guide on cyber security.
The goal of the guide is to inform the boardroom and higher management about Cyber Security, its key risks and principles and must-do actions.
What struck me is that apparently – although data breaches are increasingly making it to the headlines in the media – a lot of companies – from Small and Medium Enterprises to multinationals – believe that they are not a possible target [of cyber attacks] or that they are sufficiently protected already and that “IT is taking care of this”. The fact that the President of the Federation of Enterprises in Belgium welcomes this guide so that boardroom members and higher management can become aware – by taking a few hours to read this guide – of the issues and actions to be undertaken, is somewhat alarming. I am sure that in many (multinational) companies, these issues are discussed at a high level, and that actions are undertaken. However, in this global economy there are apparently still many companies, with whom business is done every day (for example outsourcing), that do not adequately think about and undertake actions with respect to data security and, as noted during the seminar, your data security is only as strong as your weakest link.
To me, this confirms that data security in general, and the protection of personal data in particular, is something that starts with creating awareness, not only at the level of the employees dealing with personal data and company (intellectual) property, but also at a higher level. Board members and managers should be aware of the risks of (personal) data loss, resulting in loss of profit, loss of knowledge and image, so that adequate actions can be undertaken and monitored. The new President of the EU Commission has made it clear that it is the intention of the new Commission to finalize the work on the new EU data protection regulation by the end of 2015, which means that in addition to these existing risks, companies will become subject to heavy fines when they do not comply with their data protection obligations.
The English version of the guide can be downloaded at: https://www.b-ccentre.be/becybersecure.