[BreachExchange] Prevention is better than cure for cyber security

Audrey McNeil audrey at riskbasedsecurity.com
Tue Apr 11 19:47:12 EDT 2017


https://www.financialdirector.co.uk/2017/04/10/prevention-
is-better-than-cure-for-cyber-security/

In recent months, there has been an unprecedented focus on digital security
and cyber-crime that’s largely been fuelled by regular reports of high
profile incidents.

Household names such as TalkTalk, Tesco and Yahoo! have been hit in very
public incidents and suffered reputational and financial damage. In each of
these cases, customer information was accessed by an unwanted third party.

No organisation, regardless of market cap, is immune from hacks.

The business world continues to see ever-spiralling costs associated with
cyber crime, and while the best estimates are that cyber-attacks cost UK
businesses £30billion a year, a recent US incident reportedly amounted to
$100million in losses.

With over 220 billion emails sent worldwide every day, the risks associated
with unwanted third party interception of sensitive data can be
extraordinarily high. Whilst significant financial penalties can be
imposed, huge reputational damage is likely to have a greater impact on
businesses.

Legal Responsibilities

Companies, business directors and individuals can be held financially
responsible for failing to take adequate measures to prevent data loss.

The Information Commissioners Office (ICO) is empowered to impose fines of
up to £500,000 per incident in the event of contravention of the Data
Protection Act (DPA), which would have a notable impact on any organisation.

However, the quantum of this penalty may fade into insignificance when the
General Data Protection Regulation (GDPR) is introduced in May 2018. The
British government has already confirmed that Brexit will not affect the
introduction of this ‘far reaching’ legislation.

The new law will allow the government to impose fines of up to 4% of an
organisation’s global business revenue if it is deemed to be in breach of
its data security requirements. Should another household name find itself
in the line of fire, the value of the fine could be astronomical.

Sensitive Information

The ICO has provided some clarity over the information firms should seek to
protect in order to ensure consumers are not exposed to fraud or identity
theft risk. However, the differentiation between information that is deemed
‘sensitive’ and information that is considered to be in the public domain
is not always commonly understood.

For accountants, information deemed ‘sensitive’ includes bank details and
any identifiable financial data. However, in dealing with an individual’s
or company’s financial affairs, great care must be taken not to indirectly
expose other ‘sensitive’ topics, such as physical or mental health, medical
details, political opinions, religion, trade union membership, or racial
and ethnic origin. The transfer and storage of this information is
occurring on a daily basis within the professional services sectors.

Certain personal data does not necessarily need to be treated in the same
manner, including name, address, date of birth, and phone number, but is
still information that a client expects to be managed in a responsible
manner.

In a world of online transactions and tax return submissions, breaches of
the Data Protection Act are happening much more regularly than might be
expected, as individuals and businesses continue to send emails containing
‘sensitive’ consumer information without adequately protecting it.

HMRC are amongst the most popular targets for fraudsters trying to lure
people into sharing information and consequentially they have published
precautionary words of warning on this subject:

“HMRC will never send notifications of a tax rebate/refund by email, or ask
you to disclose personal or payment information by email. Do not visit the
website contained within the email or disclose any personal or payment
information.”

Taking action

The UK seems determined to continue its Bletchley Park code breaker
heritage as a leader in cyber, evidenced in Chancellor Hammond’s recent
announcement that £1.9billion worth of funds will be allocated to the
National Cyber Crime Centre, which will be opened by the Queen.

Despite this large scale national investment, much of the burden remains
with companies and individuals to organise their own security and processes.

Because of this, it is important that the whole company understands the
risks and policies that should be adhered to. Every individual that uses
email, whether personal or whilst at work, faces the same security risks.

The senior leadership teams within companies must understand that in acting
to protect the business they are also protecting themselves – the recent
Yahoo! hacking saw CEO Marissa Mayers’ bonus docked and head lawyer Ron
Bell sacked.

Securing email communication is a good place to start, and applications
exist that seamlessly integrate with the most popular email clients and
devices, employing encryption to ensure that such messages cannot be
intercepted by fraudsters.

Encryption utilises sophisticated mathematics and keys to render
information almost unreadable in the absence of the correct key or keys. By
way of example, typical military grade technology scrambles such
information to such an extent that if every atom on earth were a computer,
each capable of trying ten billion keys a second, it would take about 2.84
billion years to reach the right key.

As well as investing in suitable technology, security awareness programs
will continue to play an important part in helping individuals understand
the challenges associated with an increasingly online world.

These programs must ensure that individuals are comfortable that they are
transacting and sharing information securely, and that they are familiar
with the tell-tale signs when communication is not from the party they are
pretending to be.

Protecting our cyber health requires the same attention as that associated
with our physical health – prevention remains better than cure.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.riskbasedsecurity.com/pipermail/breachexchange/attachments/20170411/2096939f/attachment.html>


More information about the BreachExchange mailing list