Cyber security - Is your business protected?

In a world where the number of websites, e-mails and electronic files increases on a daily basis, it has never been more important to protect your business against threats to cyber security. For that reason, the government has published advice for businesses on how to manage such threats. The government is trying to get the message across that cyber security is not just an issue for the IT team. It is a strategic risk that needs to be managed at board level.

The guidance consists of: a high-level briefing aimed at senior executives and suggesting questions that should be asked in relation to security; a document which explains the risks inherent in business interaction with the internet and how to approach the management of those risks, as well as several case studies showing how particular kinds of security breach might be avoided; and a detailed set of advice sheets that set out a ten-step approach to security, covering matters such as the use of policies governing remote working, staff training, contingency planning, and access to removable media that might introduce malware to systems.

If the draft General Data Protection Regulation published by the European Commission in January 2012 comes into force, it will be more important than ever for businesses to think seriously about cyber security. Under the Regulation, companies would be required to notify regulators, and any individuals concerned, of certain information about any personal data breach “without delay and, where feasible, not later than 24 hours after having become aware of it”. Regulators would have the power to fine businesses up to 2% of their annual global turnover for failing to notify breaches or for other serious breaches of the Regulation.

In any event, existing data protection laws contained in the Data Protection Act 1998 (Act) mean that if personal data is exposed as a result of a security breach, a fine could be levied by the Information Commissioner’s Office, the regulatory body responsible for enforcing the Act. Claims could also be brought by the data subjects whose data has been breached. Therefore, even if the draft Regulation does not become law, if you are running a business you need to manage cyber security effectively to ensure that you minimise the risks that your business is exposed to. The guidance published by the government will assist you with this.

You can view the guidance in full at http://www.bis.gov.uk/policies/business-sectors/cyber-security/downloads.

The contents of this article are intended for general information purposes only and shall not be deemed to be, or constitute, legal advice. We cannot accept responsibility for any loss as a result of acts or omissions taken in respect of this article.