BreachExchange mailing list archives

How to reduce data breach and cyber security risk

From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Thu, 13 Feb 2014 17:59:25 -0700

The increase in the volume of data that businesses now store, the growing
use of mobile devices, and the trend of users connecting their own devices
to corporate networks are factors making data breaches more likely. And
proposed changes to EU law mean that organisations will no longer be able
to keep breaches a secret.

Government research has found that 87% of all UK SMEs and 93% of firms with
more than 250 staff had experienced at least one security breach in 2012.
This means that nobody can escape data breaches. What will increasingly
matter is how well prepared you are and how you deal with them.

Many organisations still try to hide the fact that breaches exist and
manage them behind closed doors, but changes to EU law mean that this
option is about to be removed. EU governmental bodies are wrangling over a
General Data Protection Regulation that is likely to force many more
organisations to report publicly on many more data breaches.

This means that keeping a breach a secret will no longer be an option, and
it means that organisations will have to be clearer than ever about how
they deal with them. Organisations might not welcome the development, but
evidence shows that those with detailed data breach and cyber security
plans are the ones that deal best with the fallout from a breach.

Those plans must become a priority for the boards of organisations of any
significant size. Those at the very top of organisations need to recognise
the real risks facing their businesses and take steps now to minimise those
risks by preparing more fully for breaches.

What causes the risk?

Cyber security incidents and data breaches happen when people get access
to data and systems that they shouldn't. It might be customer data, credit
card details, medical information or even just a list of email addresses -
any large amount of data in the wrong hands can cause significant damage.

This can happen when people hack into systems, but it is more likely to be
opportunistic or due to negligent employees. A lost or stolen laptop, phone
or memory stick or a carelessly unsecured IT network can lead to
significant breaches. System failures, third party faults, hacking attacks,
insider or rival theft can also result in personal data, confidential or
commercially sensitive information, such as businesses' trade secrets,
being compromised.

The fallout can be huge. Reports by companies such as Huawei, Verizon
and Marsh, as well as the Bank of England, have warned about the scale and
potential cost of data breaches, whilst a global security report by
Trustwave even identified the industries most susceptible to being
compromised - the retail sector was especially attractive to hackers due to
the ability to make money from selling stolen payment card data, it said.

According to Symantec, businesses are experiencing increasing costs as a
result of data breaches. In 2011 the average cost of data breaches to an
organisation was £1.75 million. Last year that figure rose 15% to £2.04m.

So costs can be significant, and they may include regulatory penalties. A
recent case ruled on by the Information Commissioner's Office (ICO)
highlighted that businesses with some security measures in place may still
fall foul of UK data protection rules. The ICO fined Jala Transport Limited
£5,000 when a hard drive containing customer data was stolen. The fine was
smaller than it otherwise would have been because the company self-reported
the breach.

The fact that access to the hard drive was password-protected was not
enough for the company to be said to have met its obligations with regard
to data security. The company should have used further encryption methods to
secure the information stored, the ICO said. The Sony case - where the
company was fined £250,000 after its PlayStation Network was hacked -
showed, though, that organisations of different sizes and resources will be
held to different security standards.

An emerging source of risk is the prospect of 'collective redress', where a
collection of people bring group proceedings against an organisation.
Proposed changes to UK consumer protection legislation would, if
introduced, enable a larger range of consumer groups to bring claims on
behalf of individuals.

The draft General Data Protection Regulation would, if introduced, also
provide a right of redress for individuals against businesses where they
believe their privacy rights have been impinged on.

If security or data breaches were the subject of collective redress actions
then this could increase the cost and complexity of the risk arising from
those breaches, moving another step closer to US-style class actions.

Why doesn't every organisation have a plan?

Despite these repeated warnings many executives still don't take cyber and
data breach risks seriously enough. They underestimate how frequently such
incidents arise, typically assuming that it will not happen to their

When incidents do happen it is common for them to sweep them under the
carpet to preserve the organisation's reputation and consumers' trust.

They are entitled not to disclose breaches in a lot of cases. While UK data
protection law says that organisations must take "appropriate technical and
organisational measures" to prevent the "unauthorised or unlawful
processing of personal data and against accidental loss or destruction of,
or damage to, personal data", it does not force them to go public when
there is a breach.

This is likely to change soon, though. EU law has already placed an
obligation to disclose data breaches on telecoms companies, and a new
Network and Information Security Directive would require public
administrators and 'market operators', such as banks and energy companies,
to notify designated regulators of "significant" cyber security incidents
that they experience and in some cases to report them to the public.

The General Data Protection Regulation in its current draft would create an
obligation for all businesses to report breaches to regulators and affected
consumers in certain circumstances.

Regulators could levy fines of up to the higher of EURO 100 million or 5% of
businesses' annual global turnover for non-compliance.

Making a plan

Businesses may feel frustrated at the new laws proposed, but if they have
the effect of forcing organisations to plan for information disasters, then
that is a positive effect. Symantec said that businesses can save on costs
associated with such incidents if they establish and implement a "formal
incident response plan". Having a plan for how to deal with incidents is a
major factor in reducing risk and lowering the eventual cost of the breach.

A good starting point would be to implement the Government-backed 10 steps
to cyber security (20-page / 3.12MB PDF). The steps include developing a
"mobile working policy" for staff, ensuring devices contain security
features that "protect data both in transit & at rest", engaging in cyber
attack testing and limiting who can access key information.

Businesses should also monitor for the finalising of the new organisational
standard on cyber security that the Government is creating. It has said
that none of the ISO27000-series of standards quite fit its requirements,
but it plans to base the new standard on that suite of existing guidelines.

Businesses are, generally, not protecting themselves properly against their
exposure to costs associated with a data breach. They need a comprehensive
plan to turn to should the worst happen, but this is something many
companies lack. The plan should include having access to a network of
experts that can help address the variety of issues that arise following a
data breach - from communicating with consumers and running forensic IT
examinations to providing credit monitoring services.

Should the worst happen, businesses should be prepared to consider
self-reporting incidents to the ICO. Self-reporting does not guarantee that
businesses will avoid fines over data breaches - something an Upper
Information Rights Tribunal recently confirmed - but the ICO is on record
as saying that it is minded to treat businesses that self-report data
breaches more favourably than those that don't when determining what level
of penalty to levy, or even whether to impose a fine at all.

In the insurance market, a growing range of products are being made
available to businesses to insure themselves against data and security
risk. Products may offer insurance against data breach costs, damage done
by hackers, and other cyber liabilities, such as the cost of regulator
penalties, where insurable, and litigation initiated by consumers affected.

The market for cyber insurance products has been more active in the US than
in Europe. There, regulators such as the Securities and Exchange Commission
require disclosure of some incidents, whilst adoption of the policies was
also triggered by the publicity generated by the data breach experienced by
discount clothes retailer TJX, where credit card information was stolen
from more than 45 million customers.

However, the price of those policies, and difficulties in interpreting what
precisely they provide cover for, mean that many organisations do not
currently purchase them. They will not fit every organisation's needs, but
many insurers offering data breach and cyber liability products also
provide policyholders with access to the network of experts they would
otherwise need to individually seek out and contract with for help in the
management of incidents.

Board-level engagement and sponsorship of cyber security initiatives is
critical, as is securing a budget for it.

To achieve this, data protection officers, privacy counsels, CIOs, CTOs or
others that may be responsible for ensuring regulatory compliance and
systems security should consider producing a two-page document ready to
present to the board summarising the risks their business faces, the
current plans and processes in place to deal with them and an outline about
what future procedures and processes are required to address the threats
and mitigate the risk.

Businesses cannot afford to delay or be complacent, particularly as
forthcoming changes in regulation threaten to expose those that are
unprepared and the age of big data, cloud computing and the internet of
things drives consumer-focused response by industry.

Dataloss Mailing List (dataloss () datalossdb org)