
FEATURE

The high price of data breaches

Si Kellow, Proact

Computer Fraud & Security, March 2013

̽ÃÊ>ʓˆÃiÀ>LiÊ>vÌiÀ˜œœ˜]Ê>˜`ÊޜÕÊëœÌÊ>ʘiÜÊi“>ˆÊˆ˜ÊޜÕÀʈ˜LœÝ°Ê/…iÊÃÕLiVÌÊ line is innocuous enough, but when you get into the content you realise that ̅iÀiʈÃÊ>ÊÈ}˜ˆvˆV>˜ÌÊ«ÀœLi“ÊqÊޜսÛiʍÕÃÌÊLii˜Êˆ˜vœÀ“i`ʜvÊ>Ê`>Ì>ÊLÀi>V…]Ê>˜`Ê you now have to deal with it. As the information security expert, you’ve already got a very short Christmas card list and it’s about to get shorter. Your first priority has to be making a start at gathering information to understand exactly what has occurred, how it has occurred, who has been affected and what the likely fallout is going to be. Management wants to know “has it got to be reported?”, while colleagues want to know who is getting the blame and if it has affected customers or members of the public – but are you going to tell them?

Risk owners

If you're in the public sector then you need to inform your senior information risk owner (SIRO). Your board and executive team will more than likely face questions about the organisation's ability to 'look after' information, and there will be worries about 'public trust'. In the private sector things are a bit different – so if you're listed, will a data breach affect share prices and shareholder confidence? If you're privately owned, will it affect business in any way, or will it just lead to someone's dismissal – maybe yours?

In the UK, prior to 6 April 2010, the monetary penalties for data breaches weren't particularly challenging – a level five fine (up to £5,000), or up to six months in prison. So was there really a need to tell people that something had happened? The statute said yes, but in reality the incentive to do so was minuscule – even if you got caught out, £5,000 was small change. But in November 2007 something happened that changed the entire 'fessing up' landscape. HM Revenue and Customs (HMRC) lost two CDs containing the child benefit database. What started out as simply the loss of a couple of discs escalated into a data breach of national-security significance that could have affected up to 25 million people. The information, containing details of every single recipient of child benefit nationwide, including their banking details, had been lost. To be completely accurate, only a copy had been lost and the actual data was still on HMRC's systems – so was it no harm done? In reality, there was little choice but to come clean, and the fallout affected every family in the UK with children. Beyond that, it also spawned the Cabinet Office Data Handling Review, and set the course for the Information Commissioner's Office (ICO) to get tough.

Shifting the onus

The changes gave the ICO the power to impose monetary penalties of up to £500,000, and the criteria for reporting were made much more accessible (but with no changes to the potential for imprisonment). The onus most definitely shifted towards the organisation that had suffered the breach to report and understand the situation as quickly as possible. After the child benefit incident, the public was very much more aware of the effect of data breaches and the real potential for identity fraud. But it was in the public sector that the effects reached farthest. The Data Handling Review mandated specific roles on boards and within organisations, annual reports had to include information about information governance, and management boards and executive teams were more involved in the data management process than ever before. In the private sector, however, it was still seen as the IT manager's problem. For those who were working in the public sector at the time, the ones who embraced data governance and understood what was going on used the changes to their advantage. When incidents occurred, the desire was to investigate rapidly and ensure only a small inclusion in the Statement of Internal Control. Above all, the board wanted to ensure that there would be no questions about its ability to handle information.

Since the ICO monetary penalties were increased, the amount of public sector reporting has increased markedly. Unexpectedly, monetary penalties have not been used as much as might have been expected; the preference has been to get chief executives to sign up to an undertaking. This could be viewed as being worse than a penalty, as it gives a timescale for the event to be tackled, and if that isn't met then a penalty can still be imposed. Looking through the ICO's list of imposed monetary penalties and undertakings, the number of public sector bodies is consistently higher than in the private sector. Indeed, it was only in November 2012 that a significant penalty was imposed on two directors of a non-public-sector organisation (Tetrus Telecoms), and that was in relation to text messages being sent in vast quantities, so not a data breach directly.

During my time in the public sector I had cause to report three breaches to the ICO, but none of them appear on any notifications from the ICO. This was because of protocols that had been put in place for the handling of data breaches. Emails from the ICO said, "no action to be taken, as your report and handling of the event are satisfactory". The chief executives at the organisations concerned, while uncomfortable at having to state that breaches had occurred, were satisfied that their auditors had taken apart the events and ensured that all reasonable controls were already in place, and that the events were genuine accidents.

The future

What of the future? The good people in the European Parliament have woken up to the fact that the member states' interpretations of the Data Protection Directive are not as coherent as they could be. Working its way through Europe at the moment is a significant update to the Directive, which is rumoured to include 'cloud services', but the biggest shake-up is a levelling of the playing field around monetary penalties. Although the exact percentages haven't been finalised, amounts between 2% and 5% of annual global turnover have been mooted. Mandatory reporting within a shortened timescale will focus minds in the private sector. No longer is the reputational damage of a breach the main concern – the financial impact (and having to report that to shareholders/owners) is probably the most effective way of bringing breach reporting and breach management into the 21st century.

What does all of this mean to the humble Chief Information Security Officer (CISO)? It means that we finally have a real and proper reason to review our information controls, and to put in place mechanisms to ensure that breaches caused by terminal stupidity on our part are avoided. To make that happen we need to review our data and layer in controls that are appropriate to its categorisation. We also need to consider all the angles and implement logging so that we have a clear understanding of what happens on our systems. We must then put in place effective controls that ensure we aren't exposing ourselves by failing to make our environments appropriately secure.

About the author

Simon Kellow is CSO at Proact. He has been engaged in an interim senior management role within the public sector for nearly three years, and has striven to bring policies and compliance in line with all Cabinet Office mandates. He also has senior security management experience in a financial environment. He specialises in creating and implementing solutions that avoid any type of security breach.

Employee negligence: the most overlooked vulnerability

Bimal Parmar, Faronics

Over the past decade, cybercrime has become increasingly sophisticated, evolving from small-time opportunistic teenagers to a $388bn industry. To put the scale of today's cyber-criminal activity into context, more than 270 million unique types of malware have already been identified, with 60,000 new pieces created each day.1 However, while organisations recognise these growing threats, they are still often unaware of the simplest ways to combat them. For example, many fail to realise that employees can in fact be the biggest hole in an organisation's security strategy. Cyber-criminals are increasingly focusing on communicating with, persuading and tricking individuals within an organisation into taking action that will essentially expose the network. As such, it is often the case that employees themselves are putting networks more at risk than the inadequacy of technical defences. Indeed, employee negligence is known to account for 36% of all data breaches.2 A major problem is that, while the growing risk of a data breach is relatively well known, many organisations appear