The new GDPR data breach notification requirement will, from May 2018, impose a need for businesses to advise the data protection authority (in the UK this is the ICO) when they have a notifiable privacy breach.
This means detecting and understanding what has happened and interpreting this, in order to report to the authority when such a situation occurs, then dealing with whatever regulatory steps are necessary. See The 72 hour GDPR challenge.
However, immediately following this notification to the authority is the more public facing part of this process – where the data subjects themselves get informed of the fact that their information has been lost, stolen or compromised (without “undue delay” to quote the Regulation). This might be achieved through an email or a letter, on your web page or through the media or via a different route. This process is undoubtedly necessary in the interests of transparency and openness as well as being required by the new regulation. But there is also the need to be aware of the potential negative effects that such communications could provoke.
On the one hand a notification gives the affected party a warning and information that there has been an issue with their data, advice as to what to do and reassurances from the company involved. On the other hand though, there are possible negative effects of having to deal with data breach notifications as outlined below.
In the cyber security industry, we are used to hearing about security breaches and data losses. That is mainly because it is in our interest to be aware of what is happening and to learn any valuable lessons. Although you may not be a customer of TalkTalk, TK Maxx or Equifax, you are likely to have heard in the security industry media that they have had security breaches.
There are undoubtedly breaches that occur at present that are not reported, either through going unnoticed, or when they are handled quickly, quietly or automatically by the company concerned – for example the reissue of bank cards or the acceptance of risk where it is likely that the data hasn’t been compromised with malicious or fraudulent intent.
In the new world of GDPR data breach notification it is much more likely, if not certain, that a breach will be reported as there will be a legal mandate to do so and hence one can expect an increased number of breaches being advised to the public and data subjects.
So we may reach a point where an average member of the public will go from getting one notification a year, to one per month, or one per week – it will become routine rather than exceptional.
Certainly if one looks at the rise of cyber security attacks that are publicised and then add on those that aren’t currently noticed or reported, there will be more of these messages hitting the inboxes of affected customers.
One possible concern, is that this increased frequency leads to breach notifications being so common that the public develop apathy or view them as increasingly unimportant – to the point where they become the background noise of an online life.
This risk of data breaches that affect people becoming routine or mundane is likely to be made worse by the fact that companies may notify more often than they actually need to in order to “play it safe”.
If they feel the best way to minimise fines and/or deal with uncertainty around the amount of data stolen is to contact all possible data subjects “just in case” rather than those actually affected then the volume will increase further.
Imagine a data theft which involved current subscribers to a service and which may also have affected past subscribers; or a case where the criteria for notification were based on the assumption that sensitive data was stolen (on a field-by-field basis) when actually it may have just been names and email addresses. Would it be necessary to notify all current and past customers?
The company affected by the breach then notifies all the people who might have been affected by a data breach, when actually they might not have been affected or might not have been affected in any significant way. Hence these “cautionary” notifications add to the noise of actual, real, significant data loss reports.
As well as the volume of these data breach notifications increasing, we risk a “crying wolf effect”. If every 10 reports a person receives about their data being stolen only contains 1 real problem, the signal-to-noise ratio is pretty poor and apathy is likely to set in.
When usernames and/or passwords are compromised the account holder is normally advised (or compelled) to change their password. This often involves changing their password across multiple sites (where passwords are reused – see).
Changing a password may appear simple (and for some with weaker password generation approaches it will be) but if passwords are of a high quality it means devising a new random set of words or choosing another set of characters from the words of a song. Either way it is a hassle and often means making a change across multiple devices where a web site, social media account or app is used on a laptop, tablet and phone – re-entering the new password into all the places where it is used.
The same is true for the reissue of compromised credit cards – a nuisance both for the card issuer who has to cancel and reissue the physical cards, and also for all the affected card holders who have to cut up old cards, swap around their wallets and (inevitably) change the stored credit card details in any mobile wallets, shopping sites, app stores, music streaming services and also annual subscription renewals they have used them for.
Having to do this once a year is one thing, having to do it once a month or once a week is a frequency that, for many people, will become a problem.
If changing passwords, email addresses, bank cards, subscriber details etc. risks becoming overwhelming, then we should also worry about those data fields or characteristics that we cannot change in the event of a data breach.
Security questions are a good example. My mother’s maiden name is an immutable fact, and although one could select any word as the secret answer to this question (as a secondary password), most people use the actual value. The same goes for the first school, best friend’s name, pet’s details, town of birth etc.
There are also things that might become compromised but can’t be changed, a biometric or an aspect of someone’s life that needs to be accurate but is also fixed – like an address, date of birth, blood group, national insurance number.
In essence, when data is disclosed there will be parts of it that are disclosed forever. If someone reuses passwords across multiple accounts or creates new passwords by adding an additional incrementing digit, they are unlikely to choose different answers to the date-of-birth and mother’s-maiden-name security questions.
The recent Equifax data breach is an example of this – the scale being so wide that:
“… every SSN in the United States – together with the accompanying name – must be presumed to be public knowledge, and thus should not be used to validate anyone’s identity, ever again”.
It is common to be offered identity theft insurance or credit monitoring when your data, account or personal details are leaked.
This has some value, at least as part of the organisation’s attempts to fix a bad situation. However, if a person has similar insurance from past breaches they may not need another policy (which could be from the same provider) due to a later breach somewhere else.
These insurance policies usually last a set period of time, typically a year. Hence, if breaches affecting personal data come along more frequently then the market for the provision of this becomes somewhat dysfunctional.
Breached Company A provides insurance to affected customers, breached Company B tries to do the same but finds some customers already have cover so do they overlap with new cover, or just extend it? Alternatively, do they provide a cash equivalent as compensation? For the recipients of these insurance policies – do they amass several similar policies with different benefits and subscription windows over time? Who do they claim from when a fraud occurs if their details have been exposed multiple times? Does having multiple policies in place mean that the insurers argue about whose liability it is?
There are some organisations you have to disclose data to – a tax office or vehicle registration authority for example. Maybe you live in a small town where there is only one doctor’s surgery, or your employer has a pension arrangement with a specific pension provider.
However, there are other areas where people have choice – banks, mortgage providers, online stores, news subscription services, insurers, airlines etc.
Whether people will start choosing providers based on past data security track records remains to be seen – if Company A develops a reputation for data breaches, then people may decide to choose Company B in preference to it. Buying choices are typically made based on price, value, brand reputation, choice of products, customer service etc. rather than quality of data security or the number of data breaches experienced.
A large company with millions of customers may have more publicised breaches than a small provider that isn’t as much of a target. This doesn’t mean the larger company’s security provisions are worse, just that their profile – as well as statistics, probability and newsworthiness – skew the numbers.
In a future where data breaches are being publicised more frequently, one wonders if there is competitive advantage in being “breach free”, or if the sad reality will be that most of the providers in a sector will have had breaches and hence customers have little effective choice between them based on their past data protection track record.
As a final point on competitive choice, there are service providers who provide value through either the community, devices, supporting services or purchase and account history they provide. For example:
So for those wanting to make choices based on data safety it is likely that real choice might not exist. Or there might not be a way to exercise choice except at the very first stage of a business relationship. Most service providers aim to be “sticky” – reducing churn and retaining (or locking in) customers – this won’t change in the post-GDPR world.
For citizens and data subjects, the data breach notification process could end up being a double-edged sword.
What seems clear is that the level of discussion about data breach notifications will increase until the volume grows to the point that it either becomes uninteresting and routine, or completely moot in a market differentiating sense. Security incident fatigue could become very real!
For companies, the only course of action seems to be to avoid being part of the noise and hubris by staying safe and keeping data secure, so that they can claim a patch of moral high ground in the mountain range of data protection that might end up being an increasingly lonely, but valuable, place to be.
If you need some reassurance around your level of risk, or if this blog post has convinced you that data breaches are more than ever something to avoid, the Huntsman Security GDPR Risk Tool is worth using to get some answers as to the possible size of the problem you might face. It is free to download from the link below.