As the title suggests, there are two communities who will very soon be forced to come to terms with data breach notifications as these are required by the EU GDPR that comes into force in May 2018.
These communities are:
The other party involved, the regulator or authority (in the UK this is the ICO), we will leave out of this post: if they aren’t ready for GDPR and the burden of data breach notifications when the new regulations come into effect in 2018, there will be very different problems to face up to.
The first area of challenge is detecting breaches that do occur. This sounds obvious, but the reality is that in a great many cases one of two things happens:
Under GDPR it is pretty clear that, with mandated data breach notifications to regulators, it is going to be more important to detect breaches much more quickly (to avoid seeming lax at detection) and to be the first one to notice (on the basis that if someone else has to tell you, then you might also seem lax at detection).
Not all breaches have to be notified to the authority, so in the very first instance you need to be able to ascertain whether what you are looking at is minor or more serious; in the latter case the clock is ticking on your 72 hours to notify.
As an example, you might have lost a memory stick, but what was on it? It could be 16GB of sensitive customer healthcare data or a presentation to last year’s sales conference. In the first case there are problems looming: it is clearly a major loss of data. In the second case, who cares? Certainly not the ICO.
Knowing early on whether the breach is likely to be notifiable (and how sure you are) and what the process of notification entails is very useful: for example, what systems are affected and what data sets were accessed (even if you don’t yet know the actual contents in terms of fields and numbers of rows).
This is really a matter of scaling down from “it could be anything and everything” to a much smaller “it is no more than this”. Assuming the worst is probably as bad as hoping for the best – the sooner you know the volume and contents of the breach the better.
Assuming you do have to tell the regulator or authority, it is going to be necessary to explain how the breach happened (which you are going to have to find out), why it happened (which you might not know), where the data has gone (is it in the wrong hands or just “lost”) and – this is likely to be the most important part – what you are doing about it.
You also have to tell the individuals affected. Knowing who was affected (see the “volume of data” problem above) means you know which customers or data subjects to inform; and knowing what data you have lost means you can decide what to say and do about it.
Finally there is the need to communicate with the press – here you need help from PR experts, but in the past we have seen that:
You have to engage with these channels whether you like it or not and speaking with the right language and tone is critical – so be positive, honest and helpful rather than resentful, evasive and unconcerned.
When an organisation tells you that your data has been exposed they will hopefully give you some instructions as to what to do and why. However, you might not get a full picture of what part of your data has been exposed (see above). It will be even worse if you find out from the news media or from friends on social media, as in that case there will be all sorts of stories, theories and advice, and little of it will be based on facts.
This is likely to become more prevalent under GDPR as more breaches will be publicised whereas in the past they might have been “swept under the carpet”. While this is both a blessing and a curse it still means that there will be more spells of uncertainty while breaches are discussed and the correct action (or the company’s response) is debated.
If one assumes that as of today under the existing compliance regimes, there are breaches occurring that are going unnoticed and unreported then it seems clear that one effect of GDPR will be to actually increase the number of breaches we have to deal with as members of the public.
This could have several unintended consequences. For one thing, changing passwords is a nuisance even now. If people use the same password across sites (not good advice, but very common) or have to change them often, the frustration with this is going to grow. Possibly it will reach the point where passwords become even more trivial and ineffective: once you have run out of children’s names, dates of birth, lines from songs, initials of famous quotes, words you can remember with numbers and punctuation etc., where do you go from there?
The same problem exists with credit cards and other forms of ID; each time a credit card number and its associated details are exposed the card can be reissued. But this is a problem for the issuer and also for the card holder, as it means a constant stream of new cards and new numbers, with knock-on effects: card details stored in systems and retailer sites, or used for annual subscriptions, then all need updating.
A slightly heart-breaking outcome of this coming rise in the number of data breach notifications is that good security should be a market differentiator, and it might cease to be one.
No one expects customers to choose a more expensive credit card on the basis of the issuer having great intrusion detection systems, firewalls or security analytics. However, if a retailer or bank has a good reputation for protecting information and being secure and trustworthy then (all other things being equal) that should count for something.
You can’t expect security to trump basic economics, but you would expect (as we have sometimes seen in the past) carelessness towards protecting data to cause damage to competitive advantage, loss of customers and increased churn.
So what do consumers and citizens do when all the banks have suffered a public breach of one sort or another, when all the leading electronic retailers have been hit, or when an organisation they have no choice in dealing with like the tax office loses data…?
The consumer could quickly reach a point where they simply can’t choose a more secure organisation to do business with, as all the providers in a given sector are perceived as being as bad as each other: unable to be trusted with personal data, so just pick one and hope for the best.
It is unrealistic to not have a bank account because all the banks have at some point suffered a security breach; and shopping around for a new mortgage because your current lender lost your details may not be possible either. What real choice is there?
The reality is that GDPR is coming; from May 2018 it will be in force.
Some organisations will be ready, some won’t be ready but will want to be and others will wait until they see what the reality of post-GDPR security looks like before they even start shaping their new practices.
Likewise, for consumers, the awareness of this will be variable. Without having exposure to the raft of GDPR coverage in the security and privacy communities, it is highly likely that awareness at the data subject end is very low. In this case, the first mandatory breach notification someone receives could well be the first time they have heard about it.
This lack of readiness should scare us, whether we work for businesses that hold personal data but aren’t ready to deal with breaches, or are system/service users or customers who lodge or enter our personal data into the systems any business operates.