Wednesday, 7 September 2016

Why Data Breach Notifications are like car crashes


Guest Blogger: Nick Prescot Senior Information Security Manager at ZeroDayLab
I have not been very active at all on the blogging scene so far in 2016, since I thought I would keep my powder dry and think of something different and interesting to write. So here we are, nine months into the year, and I have been busier than ever, spending a fair amount of time in airport lounges and getting good at working out time zones.

One running theme in the headlines I have been noticing is the size and depth of the breaches that keep happening; they are a daily occurrence, and they are the norm. We are not talking about hundreds of thousands of PII records going missing but about millions and millions, and the problem is not going to go away.

They are like car crash statistics: they are there, but they have become routine news. It is a bit late to be in a state of shock and say, ‘OMG, hackers have taken all these clumps of personal data. What are we going to do about it? The hackers need to go to jail.’ We need to stop treating our surprise at PII being hacked as the reason for buying a new box with green flashing lights to solve the problem; the root cause can be found closer to home than that...

Perhaps the first indicator of this is that the most popular password used in corporate environments is still ‘Password1’. Passwords are not going to be the first and last line of defence, no matter how trendy you make the password. On the one hand, there is a website, http://correcthorsebatterystaple.net/, that gives you the chance to create a very ‘strong’ password and gives you the confidence that you are never, ever going to get hacked.

On the flip side of this is the CESG Password Guidance (https://www.cesg.gov.uk/guidance/password-guidance-simplifying-your-approach). In the introduction to the document, Ciaran Martin, the Director General for Cyber Security, states in quite explicit terms:

‘Worse still, the rules - even if followed - don't necessarily make your system more secure. Complex passwords do not usually frustrate attackers, yet they make daily life much harder for users. They create cost, cause delays, and may force users to adopt workarounds or non-secure alternatives that increase risk.’

So I think we can take it that passwords that are 25 characters long and use all the &, $ and £ signs look and sound cool, but the reality is that they do less for the safety of a cyber infrastructure than one might think.
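To make the CESG point concrete, here is an added illustration that is not part of the original post nor any CESG or ZeroDayLab tool: it evaluates a candidate password against a Windows-style ‘3 of 4 character classes’ composition policy (an assumed policy), against the naive entropy such a policy implicitly credits, and against a constructed blocklist of common passwords after undoing the usual rule-satisfying mutations. ‘Password1’ and its leetspeak cousin sail through the composition rules yet are caught by the blocklist, while the passphrase fails the rules despite being far harder to guess.

```python
import math
import re
import string

# Constructed blocklist standing in for a breach-derived common-password list;
# a real deployment would load hundreds of thousands of entries.
COMMON_PASSWORDS = {"password", "password1", "qwerty", "letmein", "welcome"}

# Character classes behind an assumed "8+ chars, 3 of 4 classes" policy.
CLASSES = {
    "lower": (string.ascii_lowercase, 26),
    "upper": (string.ascii_uppercase, 26),
    "digit": (string.digits, 10),
    "symbol": (string.punctuation, len(string.punctuation)),
}

def classes_present(password: str) -> set:
    return {name for name, (chars, _) in CLASSES.items() if any(c in chars for c in password)}

def passes_complexity(password: str) -> bool:
    """Composition rule: at least 8 characters and 3 of the 4 classes."""
    return len(password) >= 8 and len(classes_present(password)) >= 3

def naive_entropy_bits(password: str) -> float:
    """What a complexity checker credits: log2(charset ** length)."""
    charset = sum(CLASSES[name][1] for name in classes_present(password))
    return len(password) * math.log2(charset) if charset else 0.0

def normalise(password: str) -> str:
    """Strip trailing digits/symbols and undo leetspeak: 'P@ssw0rd1!' -> 'password'."""
    p = re.sub(r"[^a-z]+$", "", password.lower())
    return p.translate(str.maketrans("@$10!3", "asloie"))

def on_blocklist(password: str) -> bool:
    """Reject the listed password and its rule-compliant mutations alike."""
    return password.lower() in COMMON_PASSWORDS or normalise(password) in COMMON_PASSWORDS

def evaluate(password: str) -> dict:
    return {
        "passes_complexity": passes_complexity(password),
        "naive_bits": round(naive_entropy_bits(password), 1),
        "blocklisted": on_blocklist(password),
    }

if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd1!", "correct horse battery staple"):
        print(pw, evaluate(pw))
```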

So how do we make our internet lives safer when the main premise is that the password is the key to our cyber happiness? Well, like most things in law and tech, change is slow to start, but once enough pace and momentum builds up, a piece of new legislation arrives. There are now lots of bits of legislation (the Data Protection Act, the new EU GDPR, etc.), but the focus is to ensure that if you are a business processing personal data (and payment card data) you keep it as safe as possible. The same thing happened with cars in the post-war period, and now cars are deemed quite safe for everyday driving; one only has to compare the F1 crashes of the 1970s (Niki Lauda being a case in point) with the way in which today's F1 cars can survive some quite big crashes.

In the corporate world, best practice in cyber safety/security starts with good governance and then with understanding the risks that are out there. There is no point in an online publisher having the same security as a retail bank, because it is not going to be processing the bank's money or personal data. Compliance is only a guide to the level of resilience you should have; what counts is how you prepare yourself before a data breach/loss, what you do after it, and learning from the mistakes.

Yes, the statistics are getting worse and more personal (think of a recent adult site where people were discussing adult things and that was leaked), but once the investigators come across the ‘accident’ scene, a lot of the time it comes down to a lack of maturity in the people behind the governance and security controls of the website/infrastructure. It harks back to the days when, at the scene of a car crash, the cause of the accident was put down to ‘driver error’ and not the technology. Technology does what it is supposed to, within the parameters in which it is supposed to operate; but it requires the pragmatic and risk-balanced approach of the human operator to get the basics right!

There are standards being mandated, such as Cyber Essentials and Cyber Essentials Plus, that are being promoted as some form of ‘cyber-MOT’. They will keep you ‘in check’ to a certain degree, but the main point is to adopt, promote and enhance a culture of good information governance... rather like the way your driving instructor taught you how to drive.
