
EU cyber security strategy

Wednesday 23rd April 2014 — updated 1.53pm, Tuesday 5th May 2020

Government figures estimate the cost of cyber crime to the UK economy at £27 billion a year. To address this, the EU has set a deadline of mid-2016 for each member state to develop a national cyber strategy.



In February 2013 the European Commission published a cyber security strategy to design and enforce a harmonious standard of network and information security across the European Union. 


Its prime feature was a draft directive that sets mandatory cyberspace policies on public authorities and operators of critical infrastructure in the fields of energy, transport, banking, stock exchanges and health.

The expected deadline for implementation of the directive is spring/summer 2016, by which time member states must have developed a national cyber security strategy and a corresponding suite of sanctions enforced by a chosen regulator. 

The directive has two principal aims. The first is to ensure that appropriate technical and organisational measures are taken to manage cyber security risks and minimise the impact of related incidents. The second is to facilitate co-operation and information sharing between authorities and the private sector.

The technical reforms to consider are that businesses must ensure they have adequate controls in place to mitigate the risks of cyber incidents, and that national authorities will have the power to request that companies undergo a security audit and share the results with them.


Steps to prepare for the directive 
Implementing controls to guarantee compliance will be costly, so any cyber security initiative should address its main vulnerability - the human factor. Seventy-eight per cent of data breaches suffered by organisations are caused by employee behaviour, which limits the ability of technological safeguards to offer a viable defence.

1. Enforce a mobile device management (MDM) policy: Having a strong virtual private network (VPN) will only protect your data if you are able to retain some kind of control over the devices that connect to it. The trend towards bring-your-own-device (BYOD) means that issuing employees with centrally administered phones is no longer a fail-safe way of managing devices on your network. Seventy-four per cent of respondents to a survey by US security company Fortinet said they brought their own devices to work irrespective of company policy. For best practice:

  • Maintain an inventory of all devices used by employees and the applications installed on them;
  • Invest in MDM products so you can perform a remote wipe on mobile devices; and
  • Administer a strict policy over the level of encryption and inactivity timeouts on personal devices. 

 

2. Educate your employees: FMs must make sure that employees stay abreast of cyber threats by informing them about:

  • How to keep their machines clean - workers must be aware of what they can and can't install on their personal and work devices;
  • How to maintain physical control over their machines - employees should be trained on where not to use and leave their machines, how to minimise the risk of theft or loss and to routinely back up important information; and
  • How to report suspicious incidents - training sessions should teach employees how to recognise suspicious occurrences on their device and report any loss, theft or virus to the IT team. Training sessions should be face-to-face events to help to establish a communication channel between employees and IT officers and give staff a chance to ask questions.

 

3. Co-operation and information sharing:

  • Businesses must report incidents that have a "significant impact on the security of the core services" to regulators;
  • National regulators are now required to closely co-operate with the commission to circulate early warnings of risks; and
  • Regulators also have a discretionary duty to inform the public of an incident if they determine that disclosure is in the public interest.

 

4. Implement a breach notification and response plan. Businesses should strategise over how they would respond to an incident in a way that minimises costs and satisfies regulators and stakeholders. To do this you need to consider:

  • Categorising your data according to its nature and ranking its level of sensitivity;
  • Developing response objectives for each category to be achieved in an assigned amount of time; and
  • Allocating responsibility to a predetermined team of internal or external experts across all business functions - i.e. audit, legal, risk - and specifying when the issue needs to be escalated.

 

5. Form a strategic communications plan: Although IT policies typically focus on the technical side of a breach, often the most destructive implications are the loss of investor confidence and consumer trust that follows. The level of transparency and dialogue that the directive mandates must be met in your response plan with a comprehensive crisis communications protocol. 

  • Assess your in-house capabilities and identify areas where external assistance is needed. Open a dialogue with your preferred provider so you can deploy a comprehensive response strategy within the shortest possible time.

 

The directive still holds an uncertain future, but what we can see from the proposals is a regulatory push for companies to embrace a cyber-conscious culture. 

UK cyber crime victims are losing about £3 million each a year, which suggests that although initial outlay to safeguard your business may be significant, the cost of ignoring the threat will certainly prove to be far greater.  

Andrew Durant is a senior managing director at FTI Consulting, Forensic and Litigation Consulting

