The true cost of a data breach (Part Two)

Last week’s Cost of a Data Breach Study update had one particular statistic that stuck with me and to which I keep being drawn when discussing it with others. In the UK study, they discovered that where an organisation that suffered a breach had a Chief Information Security Officer (CISO) or someone with the equivalent level of responsibility in place, the cost per record dropped by an average of £18. I think the key word in the previous sentence is “responsibility”, for a few reasons.
Firstly, we have the increasing number of fines and penalties that can be applied to the individuals involved in failing to deliver against expectations. These have gone beyond the original highly regulated industries and out into the broader business context. With the coming updates to EU legislation, it’s likely to get more attention in the boardrooms of Britain, not less.
Secondly, and contrary to popular thinking, stopping data loss and protecting the key information assets an organisation holds goes way beyond using scanners to prevent credit card details being emailed out. Primarily, it’s not a technical problem; it’s a people-process-technology challenge.
In the past, I have heard people-process-technology compared to a three-legged stool: remove any one leg and you fall off! This is a fair comparison but, for me, the ‘people’ leg of this stool is the most critical starting point. People have negotiation skills. People have perspective. People drive change.
When it comes to the role of technology in stopping data loss, I view it as an exoskeleton for the people involved. That may sound a little sci-fi, but what they need to be able to do is say “this stuff is important, please tell me how it’s being used, where it’s going and who uses it”. Technology enables them to reach into network pipes with gigabits of data pumping through them. Technology enables them to piece together a process involving four employees and an outside contractor. Technology enables them to see that the HR director does not like using the VPN from his second home in the Cotswolds.
The reason I view it as an exoskeleton is that the knowledge of what’s important comes from the people involved, as does the appropriate response and the negotiation to get from where they are today, to a more secure future-state.
The relentless growth in information and systems shows we’re not moving towards a state where data loss won’t happen anymore. However, this report shows that if you put someone in charge with the responsibility and authority to make change happen when it does occur, the impact on an organisation’s bottom line is significantly reduced. I’m happy to predict that the gap between those that take it seriously and those that stick their head in the sand will only get larger in the coming years.
The Well-Meaning Insider – Who, Why and How

At a time when many organizations are being bombarded on every side, they sometimes forget about the inside. Because so much has been said about the dangers posed by malicious outsiders and insiders intent on wreaking havoc and reaping money, the non-malicious insider threat remains somewhat unspoken.
I recently wrote a whitepaper outlining the threat posed by well-meaning insiders. See it here.
The well-meaning insider represents a weak link in the security posture of many organizations and few seem to realize the critical role they play in keeping information safe. A survey of office employees in North America and Europe, for example, found that 78 percent think that their IT department solely holds the responsibility for information confidentiality. To be able to fully protect against threats resulting from such misconceptions, companies must identify who constitutes a risk, as well as why and how they might be a threat. Not all insider risk profiles constitute the same type of threat, so security has to be tailored to their particular characteristics.
Well-meaning insiders fall into the following categories:
- The underminers take the path of least resistance and ignore the spirit of security to make their working lives easier. Creating easy passwords is an example of this. Sharing passwords is another common problem.
- The overly ambitious employees knowingly take risks to purposefully bypass bureaucratic security processes in order to be more effective in achieving what they think are organizational goals. Encryption, for example, might be overlooked because the employee thinks it’s too cumbersome.
- The socially engineered are those employees, usually in low-paid positions at the public-facing end of the organization, who are prone to being duped by malicious outsiders into sharing sensitive information or even giving out access codes to systems.
- The data-leakers are the growing cadre of ‘whistleblowers’ who, for various ethical or unethical reasons, leak to the public via social network technology, such as wiki-leaks, information they feel the public should be informed about.
- The data spillers are employees who have legitimate access to information or databases, but are prone to spill data because of (sometimes routine) organizational practices not checked by lax IT policies. Data spillers may:
  - Accidentally disclose information by losing a laptop or smartphone, or a CD-ROM or USB drive. While such incidents (often unreported) represent a statistical outlier, they do garner much attention, both from other organizations and from media outlets.
  - Take data out of the secure environment to use out of the office and not delete it.
  - Leave data on discarded computers.
  - Not carefully manage data shared with third parties.
  - Send unsecured data through public delivery systems.
  - Not review and update access inventories or email distribution lists.
Resolving these problems can happen through increased IT intervention and employee education. In both cases, the goal is to preserve both human and technological resources. For instance, demonizing these insiders and treating them as wilfully malicious will not improve the situation. It will cause either a loss of talent or a loss of good relations. Training and education, as well as establishing a culture of security through improved and automated IT, will reduce risk and maintain effectiveness.
The well-meaning insider is a different type of problem from the malicious outsider. Both can result in data loss and information breaches, but the motivations and relationships to the company vary widely. Because the industry has focused on outsider threats, many companies are unprepared for, and even unaware of, who may be causing the loss of sensitive information. This issue can be addressed. To get more information on the who, how and why of the well-meaning insider, along with recommendations on how to deal with them effectively, read the whitepaper, Organization Security and the Insider Threat: Malicious, Negligent and Well-Meaning Insiders.
About the Author
David S. Wall (BA, MA, M Phil, PhD, FRSA, AcSS) is Professor of Criminology at Durham University where he conducts research and teaches in the fields of cybercrime, policing and intellectual property crime. He has published a wide range of articles and books on these subjects which include amongst others: Cybercrime: the Transformation of Crime in the Information Age (Polity, 2007).
Symantec helps the House of Lords tackle cyber warfare

Yesterday the House of Lords released its report examining how to protect Europe against large-scale cyber-attacks. The publication of the report follows a committee meeting on the topic last year in which Symantec’s Director of Government Relations EMEA & APJ, Ilias Chantzos, was one of two cyber security experts invited to give evidence.
The report’s findings have been welcomed by Symantec, in particular the recommendation for an EU-wide approach to address cyber-related issues that don’t just affect the UK. Ensuring industry and government collaborate to address the issues will be crucial to the success of such an initiative.
Commenting on the need for public and private cooperation to tackle cyber warfare, Ilias Chantzos said, “One of the biggest problems with supposed acts of cyber warfare is where and when to use the term. It is very difficult to determine the origin of an internet-based attack, and almost impossible to pinpoint either the identity or motivation of its perpetrators: whether they’re a criminal, an activist or a government agent.
“For security agencies, following the trail of evidence left by alleged cyber warfare operations is made doubly complex by the fact that this evidence typically crosses international jurisdictions. Tackling this requires international co-operation, but the current levels of co-operation between nation states are often not able to police cybercrime, much less track covert activities.”
“Another problem is that government no longer controls most of the critical infrastructure; much of it is under the control of the private sector. It is in the interest of industry and government to better cooperate to tackle these issues.”
The full recommendations from the House of Lords report can be viewed here.
Dominic Cook
The ICO Gets Some Teeth?

Up until now, the ICO has only really been able to levy a slap on the wrist and a “must do better” to those who lose people’s data. This looks to change next year, with the ability to fine the company £500,000 – which is no small chunk of change. However… is this really enough? The maximum was set to be less than 10% of a small company’s turnover – but if this is the maximum, then surely the value set for a breach can be less? So, why not set it either a lot higher, or as a percentage of revenue?
If we really want to stop data breaches, then the fines need to be such that attitudes towards data security actually change – before the breach occurs, not afterwards. Without this, the ICO’s teeth are not that scary.
The other interesting point here is that the fine can also be levied on those companies who keep the information longer than they should, accidentally delete it, or store it outside the EU (where the data protection legislation is not suitably strong).
So… time to revisit that data protection policy, especially if you are looking towards cloud services to deliver your next level of IT.
Guy Bunker
Businesses unclear on how to handle cloud computing

What was most interesting from the Security of the Future event which Symantec ran yesterday was that businesses are unclear on how to handle cloud technology. The event brought together security and privacy experts from across Europe at a roundtable discussion to debate the benefits of cloud computing to businesses worldwide, its potential global impact and resulting responsibilities and the next steps in the cloud race.
Looking at both the opportunities and challenges associated with cloud computing that were aired, it is clear that prevention and protection against cyber threats are key and there is a need to match solutions to a new and ever-morphing cyber environment. However, while cloud computing is clearly the biggest buzzword this year, the panel all agreed that confusion around how to handle the technology reigns: different definitions and duelling perceptions of cloud computing are muddling expectations about its benefits.
The confusion extends to companies not understanding what data they hold, what is private or otherwise, and as a result there is concern about how to protect it. Before companies jump onto the bandwagon, it is imperative that they are familiar and comfortable with the term cloud computing – and how they can adopt and implement it in line with business objectives. The discussion also highlighted that the uncertain economic climate has two disparate effects on business leaders: businesses who realise the cost benefit of cloud computing are being spurred on, while many other leaders turn a blind eye to the potential business benefits of cloud computing. They seem to be unwilling to switch from internally owned and managed IT systems to cloud computing technologies due to fears of security threats and loss of control over company systems and data.
Another big challenge in the world of the cloud is changing business plans, according to those attending the event. As business plans change and evolve, so will companies’ cloud computing requirements. On the other hand, as cloud computing is delivered by service providers, any change in their business plans will have an impact on how the cloud is delivered and offered to businesses. It is important to note that cloud computing is a global opportunity – and therefore a global issue with global concerns and responsibility.
UK businesses should therefore recognise that the issues and challenges associated with the cloud need to be addressed from a global, and not just a UK or European, perspective. Legislation will therefore be driven from a global point of view. While it is clear we have some homework to do as far as cloud computing is concerned, there is no getting away from the fact that it is here to stay and grow. Having said this, much still needs to be invented and done before the sky will become truly cloudy.
The panel was chaired by Ilias Chantzos, Director Government Relations, Symantec, and panel members included: Dr. Guy Bunker, Security Consultant; John Carr, Secretary, UK Children’s Charities’ Coalition on Internet Safety; Dave Evans, Senior Data Protection Practice Manager, Information Commissioner’s Office, UK; Steve Purser, Head of Technical Department, ENISA; and Kimon Zorbas, Vice President, Interactive Advertising Bureau, Europe.
You can see some of the preliminary discussion which was filmed live on the new Symantec Fast Response TV hosted on this blog site.
Abigail Lovell
Lost Data – Pay Compensation?!?!

It was on the news today that a memory stick was lost with the details of 130,000 criminals. OK, so we should be used to this by now – the twist in this story was the thought of compensation. What? Firstly, the information has been lost – not compromised (i.e. used), at least not yet. Secondly, what about the 25m whose details were compromised in one go last year? Or the other 4m since then? What about them? What about the 45m TJX customers, or the ones from the other high-profile cases – where the data was maliciously stolen (and in some cases used for fraud)? The answer is that there are already processes in place for dealing with them. Legislation such as the data breach notification laws (disclosure laws) begins to define what is required – and it’s not to pay out random sums of money. Notification, measures to check credit ratings for 12-24 months and additional customer support all help – and it’s not cheap for the company. I’m not condoning data loss, far from it, there should be no excuse – but let’s not go over the top here.
We don’t want to move to an even more ridiculously litigious society (there was a story of someone delivering letters slipping over on a drive and suing the owners). With data loss there does need to be some compensation if the data is used (but this tends to come from the banks / credit card companies at present – by default); there is also the need to check credit ratings – to watch if the information is used. But we don’t want to pay out – just for the heck of it.
This also brings up another couple of interesting points… In the US people regularly receive disclosure notices for lost data, but if your data is actually used, whose fault actually is it? Was it one from last week, or one from last year – was it one that hasn’t been disclosed yet – because the company doesn’t know they have been breached? Furthermore, the long-term effects of data loss are unknown at present – if the records of a child are compromised (name, address, NI number – the usual stuff), then at age 16 they can apply for a credit card, or rather a cyber-criminal could… of course, some would have moved by then and the incorrect data might be picked up… but it might not. What happens in this case – where fraudulent actions can take place more than a decade after the data loss occurred?
Perhaps it is time for banks and credit card companies to offer ‘free’ credit rating checks as part of their service – all the time? It’s also time for companies to stop thinking ‘it won’t happen to us’ and make the changes so they don’t become front-page news – and perhaps subject to a massive compensation claim.
Watching Me… Watching You…

A-Ha. So, Google has been ordered to hand over details of everyone who has ever watched a YouTube video – and in the UK, that’s more than 11 million people in April alone – to a company who says they are infringing copyright with some of the clips. All in all, 12+ terabytes of data – which is a massive amount of data to be trawled through. There are a number of concerning points here… firstly, we are back to trying to decide whether an IP address is actually ‘a person’. Some YouTube viewers log in, so you can be relatively sure that they are who they say they are (providing that no-one else uses the machine, etc, etc); for everyone else, if you go through a DHCP server – then you cannot be sure, or rather they cannot be sure.
More worrying is the fact that, yet again, information that was collected for one purpose has now been taken to be used for something different. So, while I might be ‘happy’ (and I use the inverted commas cynically) to have my IP address logged for Google to use – I am certainly not ‘happy’ that they can give the information to someone else. Perhaps they could anonymize it – to prevent any comeback? Something would have been better than nothing! As it is, this seems wrong – and will start to set a dangerous precedent for those companies who collect the information having to hand it out to others – who will then be able to do whatever they want with it. Even if this time they decide not to go after individuals, who’s to say they won’t in three months? Perhaps three years?
Technology & Regulations: Which Leads, Which Lags?

One great question I was asked during my talk at the Affärsvärlden Bank & Finans Outlook 2008 Conference was whether the technology to help with compliance and governance was ahead of the regulations or behind them.
This is a tough one to answer, primarily because the regulations are always changing. However, from 30,000 feet, the story is the same: you need to be able to prove that you do what you say, and that you do all you can to {protect customer data | ensure that systems are secure | prevent fraud | etc}. To this end, the technology is there to help with compliance and you can automate a lot of it. Patch management of systems, followed by auditing which ones are up to date and which are not, can be tedious in the extreme if you don’t have the technology to help. Not to mention the management and monitoring of updates to applications, endpoint protection and password strength checks; the list is (almost) endless. Technology helps, and the other big benefit is that you can get a view of your IT infrastructure and its compliance at any time – not just when the auditors are knocking on the door.
So, if you are looking at compliance, or are just getting into IT governance, look around at the tools available to make it as painless as possible.