Preventing data breaches
Considering the deluge of articles on data protection, breach and ownership that are drowning our inboxes and news pages, it is understandable to be a little numb to postulations on what this could mean for our future online activities and identities. But a survey of 4000 consumers in the UK, Germany and France by the Institute of Commercial Management revealed that only 12% of consumers believe organisations do enough to protect their data and 76% would "likely" leave a business or service provider if it committed a breach of their personal data. Sobering stats indeed.
The Data Breaches Investigation Report (DBIR) 2012 revealed that out of 855 recorded incidents, 174 million records were lost; the second-largest data loss total since the inaugural report in 2004. Predictably, organised criminals took the lion’s share of the blame being responsible for 98% of data breaches. Casting a mirror on tensions in contemporary society and protest movements, 58% of all data theft was attributed to activists groups (this contributing heavily towards the previous stat). Breaches involving internal employees at 4% were down 13% over 2010. Incidents involving hacking and malware were both up considerably last year - 81% of incidents involved hacking, while malware was involved in 69% of incidents. Physical attacks such as ATM card “skimming” were down 19% at 10%, no doubt due to increased public awareness and of banks stepping up their security and surveillance procedures.
Perhaps most disquieting were the commonality stats; 96% of the aforementioned attacks were not considered significantly difficult or skilled, and 85% of breaches took weeks or more to discover and were almost always (92%) discovered by a third party. The new EU data privacy directive (which is due after two years of implementation) proposes that organisations will have just 24 hours to report a data breach to authorities and affected parties after it has been committed. This proposal has been met with some ridicule from the IT industry, citing the impossibility of implementation, and they have a good point. But this disparity in reality and expectations should be sending alarm bells off in the heads of IT managers; not merely inciting scepticism at ‘yet another misguided EU directive’. That only a tenth of UK firms feel ready for the new EU directive, should be a carrion call to end denial that such breaches will only happen to others, never us. It is vital that companies of all sizes work harder to mitigate data breaches or, quite simply, they will just keep on happening.
Data breaches aren’t the exclusive preserve of customer data (credit card details, address etc). Medical records, intellectual property, trade secrets and corporate data are also very much on hackers’ menus.
The DBIR report states that 97% of data breaches are avoidable using simple to intermediate controls. Modern businesses must manage ever-burgeoning data stores and the proposed directive should prove handy to aggregate privacy standards, assign internal responsibilities and the like.
The hacker’s preferred means of entry are default password violations, system vulnerabilities (bugs, weak passwords, default configurations) and SQL injections (malicious code attacks). Compliance controls, web and messaging security systems and core systems protection measures should be used interdependently to effectively prevent attacks. Though be aware, if an attack comes from an internal source, security infrastructures such as Microsoft’s UAC (User Account Control) will be significantly weakened. It is all about protecting your data at source and strengthening access controls and authentication systems
Some guidelines for helping to prevent data breaches *
- Fully and comprehensively identify your company’s ‘critical data’ (personal details, credit card data) and scope all locations that need protecting both in a physical and networked sense – you can’t protect what you don’t know about. Evaluate the threats you consider to be present to your organisation both human and technical; who could be targeting you and why? Where does your business fit into the supply chain?
- Build a unified information security policy which covers all compliance requirements for your organisation, including disaster recovery and breach response strategies. Don’t focus on separate compliance projects when the recommended security measures could benefit all critical data in your company.
- Compliance can lead to complacency. Just because your company has been recertified as compliant, doesn’t mean that you can put your feet up – the threats are still out there.
- The new EU data directive states that companies with more than 250 employees should have a dedicated staff member to deal with data issues. Train all relevant staff on company security policy, data protection and breaches, and protocol for phishing attacks.
- Get rid of any unnecessary data clogging up your systems.
- Enforce unified data protection policies across servers, networks and endpoints throughout your organisation and monitor and mine event logs.
- Set up event management processes and security alerts. Aim to utilise behaviour-based detection systems, rather than solely signature-based.
- Set up automated, regular checks on technical controls such as password settings, server and firewall configurations and system updates.
- Consider blocking high risk sites, such as certain social media sites
- Ensure all third party vendors are also adhering to these guidelines.
The Information Commissioners Office (ICO) offers free advice to businesses on how to deal with data breaches, though some areas of both the public and private sector are being slow on the uptake. Sadly, this inertia is at the expense of many. Between 22 March 2011 and 17 February 2012, 467 data breaches were reported by government and other public sector bodies, the majority of which were documents emailed to incorrect recipients. Such mistakes are costly, and I don’t need to tell you who foots that bill. Midlothian Council was fined £140,000 after repeatedly disclosing the personal data of children and their carers to the wrong parties. The ICO fears that due to lax breach prevention measures in place, there could be many breaches as yet undiscovered.
Under the proposed EU data directive, companies that commit transgressions can be stung for 10% of their turnover and the ICO, while recognising that the public sector handles more sensitive data than the private and thus is more prone to societally problematic data breaches, states they will impose fines on whoever commits the breach. Judging by recent cases such as Lush Cosmetics such robust deterrents could prove a worthy motivator. The horse has already bolted in regards to the exposure of high-profile data breaches, gaping systemic holes and the unfortunate effect on the public; but we seem to be resting in some state of torpor where we are reluctant to even get that stable door fixed for the future.
You can read more about the politics of data ownership here
*This list is by no means exhaustive. When re-evaluating your procedures it is vital that you consider PPI DSS and similar advice. Every IT system has its own set of challenges!