[BreachExchange] Avoiding the little mistakes that lead to huge data breaches
Destry Winant
destry at riskbasedsecurity.com
Mon Feb 4 07:34:05 EST 2019
https://www.itproportal.com/features/avoiding-the-little-mistakes-that-lead-to-huge-data-breaches/
When GDPR was finally put into motion earlier last year, and the reams
of emails associated with it from online retailers finally stopped,
many hoped that for EU citizens a new era of improved personal data
security was around the corner. The regulation was very much a
watershed moment in the overall debate that has been dominated by
increased worries around data misuse and breaches in recent years.
But even in the post-GDPR era, data breaches have continued to
dominate the headlines. Most worryingly, these significant data
breaches are continuing to happen at major companies that boast huge
customer databases. GDPR is a positive regulatory action by
politicians to further secure personal data, but organisations now
must take practical steps to prevent the simple but common mistakes
that cause huge data breaches.
A period of data security dominating the headlines
In October last year, Heathrow Airport was fined £120,000 by the
Information Commissioner's Office (ICO) following a data breach that
left sensitive personal information exposed. The breach happened after
a member of Heathrow’s staff misplaced a USB stick containing folders
of personal data. On top of this, the USB stick was neither encrypted
nor password protected. The ICO added that out of Heathrow’s
6,500-strong workforce, only two per cent had been trained in any kind of data
protection. This breach could have easily been avoided by encrypting,
and then securing physically, a device that contained large amounts of
personal data. It is also highly questionable to have a process that
requires and allows the use of an external device to store and
transport personal data.
One of the most notorious data breaches of a British organisation in
recent memory, the NHS WannaCry attack, has something in common with
this one. They were both caused by mistakes and vulnerabilities that
could have easily been prevented. The NHS data breach happened after
innocent-looking phishing email attachments were opened, flooding
networks with malware that encrypted files containing sensitive
personal data of patients. This, coupled with the failure to update
NHS systems with the latest security patches, is hard to comprehend
and certainly suboptimal.
The incident laid bare just how destructive a data breach can be and
ignited fierce debate around data and IT security amongst politicians
and in the media.
Despite the WannaCry breach, a recent Freedom of Information
request revealed that a quarter of NHS trusts in England and Wales are
still failing to give staff specialist cybersecurity training. On
average, trusts have just one member of staff with professional
security credentials per 2,628 employees. The fact that the NHS is
continuing to neglect cyber and data security is truly worrying to
see. Even after a data breach that crippled its entire network, the
NHS is still failing patients by not putting enough of an emphasis on
securing personal data.
Fresh approaches to data handling
The NHS and Heathrow breaches are both examples of breaches caused by
common mistakes that could have been avoided. However, the reason that
these organisations were targeted in the first place is because of the
vast amounts of data they store. Large databases essentially equate to
a large target for hackers who are increasingly seeing the value in
exploiting personal data. As our society becomes ever more
data-centric, the risk of a breach happening to organisations, big or
small, shows no signs of lowering. The savviest of organisations will
move beyond traditional measures like investing in cybersecurity
training for their staff and re-evaluate entire overall approaches to
data handling.
To really put into perspective the sheer volume of personal data being
handled by a company today, let’s look at what happened to Uber last
year. The breach saw Uber pay out $100,000 (£79,000) to hackers to
make them delete data that had been stolen from the ride-hailing app.
The incident affected a staggering 57 million people, made up of both
customers and drivers, and showcased what a breach of a modern digital
economy business looks like. For these organisations, where entire
business models are centred around amassing and applying personal
data, steps to enforce more secure data handling must surely be taken.
But what do these steps look like? Pub chain Wetherspoons raised
eyebrows when it made the decision to erase its entire customer email
database, thus ending all kinds of mailing list activities. This may
have been an unconventional move, but an understandable one given the
huge repercussions a data breach today can have. All organisations
going forward must evaluate the areas of data storage that can be cut
down in volume to reduce holding of personal data, and thus overall
risk.
Large companies can also take advantage of third-party vendors that
offer solutions to help in outsourcing and improving overall data
storage. There are platforms on the market that can assist in handling
both data orchestration and compliance. Some of these platforms can
work alongside already established legacy systems, potentially
mitigating not just the risk of keeping all data handling in-house,
but overall operational costs as well.
Shifting cultures
Awareness is growing amongst the general population around the
importance of securing personal data. Headline-grabbing scandals have
made data breaches a hot topic, and all eyes are on what individual
companies are doing to keep personal data more secure. For companies
to prevent falling victim to the next data breach headline in 2019,
reflections must be made on overall approaches to data handling and
internal cultures for the sake of not just customers, but also for the
sake of maintaining trust and loyalty.
There are practical changes organisations can make to improve overall
data security, but to really counter the risk of a data breach
happening, the correct internal culture needs to be set. It’s often
the simplest mistakes that cause data breaches, and ones that can be
prevented by those that have data security measures high on the
agenda. A collective company responsibility and awareness for data
security might have stopped the Heathrow employee leaving an important
USB stick lying around, or indeed from putting data on a USB drive at
all, and might have stopped NHS employees from falling victim to classic
email phishing scams that opened the door for the WannaCry attacks. Not to mention basic
housekeeping in regard to keeping operating systems and virus scanning
software up to date.
Creating an internal culture with good data security awareness
requires management to clearly articulate security procedures to all
employees, and to emphasise how preventing data and security breaches
is a collective effort and one that requires all hands on deck.