Guest Blogger: Nick Prescot, Senior Information Security Manager at ZeroDayLab
Data breaches are the digital equivalent of car crashes: they happen every day,
and they go unreported precisely because they are so common. A breach is no
longer news; it has become part of daily life. Yet many of the companies that
process data about people and businesses across the world still think it won't
happen to them, because someone in the IT department has said the systems are
secure, and that is taken to be the end of the matter. This happens mainly
because when the IT person speaks, the language is not that of saving money or
making money, and technical detail is the last thing that someone in finance
wants to hear.
I find it a depressingly repetitive stance among the companies I engage with
that data security is an IT department problem, and I hear it even from the IT
security manager sitting within that department. Yet there isn't a department
in a modern business that doesn't use a system. For most IT teams an incident
is something to do with the availability of a system, not the loss or breach of
data, and yet the two are treated the same way, even though an outage and a
breach of data call for quite different responses.
For nearly 10 years some institutions have taken a much more proactive
approach, namely the payment card brands through PCI DSS, to ensure that their
data (i.e. the data on the payment card) is stored securely and transacted in a
secure manner. Whatever your thoughts on PCI DSS, it is a good data security
standard and demonstrates a reasonable level of security for the processing of
that data. Yet nearly 10 years on from its inception, payment card breaches are
still commonplace.
When it comes to personally identifiable information (PII), however, the same
level of due care and attention is not given, even though the loss of personal
data can have a far bigger impact on people's lives than the loss of payment
data, in the form of identity theft or worse. Think about the Ashley Madison
breach: yes, it is amusing that politicians and civil servants put their
preferences on there, but what about users from countries where adultery or
homosexuality is a criminal offence? Storing and processing a piece of data,
and the particulars around that data, may be perfectly legal in one country,
while the disclosure of that same data results in a criminal offence for the
person it describes in another.
Securing that data isn't just an IT problem; it is a problem that runs across
every facet of the modern business. Anything associated with the company's
domain name, whether it be the Twitter account or the website, needs to be part
of the data security posture the company adopts. What happened with payment
data will happen with personal data with the advent of the new EU data
protection regulation, which was still being finalised in 2015. It isn't here
yet, but it makes the processing of personal data much more of a business
issue in terms of fines and regulatory reporting.
Data security isn't an issue that is going to go away soon, or one that can be
magically solved with a new shiny box that sits on top of the server. It goes
deeper than that; it is about the data you process about people, companies,
markets and so on. The value of that data isn't necessarily tangible at first
sight, but in the wrong hands it can do real damage. In an article written by
Edward Lucas for The Times this week (August 25th), he makes a very good point:
‘We need a wholesale and urgent cultural change in our
attitude to online safety. The decisions we face are difficult, involving
trade-offs between freedom and security, of the kind we already make in
real-life matters, such as road safety and public health.’
Lucas puts the point far more succinctly than I can, but the key point is this:
we live in a digital age, and information is the tradable and valuable currency
that makes a lot of money for the likes of Google. In the wrong hands it makes
a lot of money for the hacker, as in the case of Ashley Madison, and causes
reputational harm to the end user.
The key to building a business strategy that determines how much time, energy
and money to spend on beefing up your security is to understand the value of
your data: not its value from a PCI or regulatory point of view, but the damage
its loss would do to your business.
All too often, companies are 'woo-ed and coo-ed' by vendors promising a
one-stop solution that prevents a certain problem from occurring. It does, to
an extent, but there is a people and process angle to the security posture as
well. You need a person who is responsible and accountable for that new box,
to make sure that the lights are on and that it is kept up to date and patched.
Then you need a process, so that if that person is on holiday or moves on to
pastures new, the configuration of the box stays the same and it is still
being looked after.
Data breaches happen because there is a lack of technical and business
security controls in place, or because there is a culture of complacency that
persists until a breach actually happens. I have seen first hand the culture
inside businesses that have been breached and inside those that haven't, and
sadly the middle ground is rarely seen: a business that hasn't been breached
but thinks and behaves as though it has.
As the Ashley Madison website bizarrely states, 'make a plan, have an affair';
and until companies such as these have a solid and robust plan to secure the
data they hold, from both a privacy and a security perspective, personal
infidelities will continue to be disclosed in ways that were never meant to
happen.
Nick Prescot is currently a Senior Information Security Manager at ZeroDayLab Ltd. and is responsible for Governance, Risk and Compliance (GRC) and Incident Response (IR) consultancy and advisory services at ZeroDayLab. Nick aims to assist companies who are looking to improve their cyber resilience and security posture in the ongoing battle against emerging and continuing cyber threats. By taking a detailed and holistic view of a client's policy and governance infrastructure, and incorporating information assets within corporate risk registers, Nick is able to provide clients with a clear strategy so that their infosec operations and processes are aligned with industry practice.
Nick is also a seasoned incident response manager. When there is a security and/or availability incident, Nick ensures that the incident is remediated as soon as possible and deploys the specialist response assets that can remediate it. Nick also assists with the crisis management and media elements so that all parties are correctly informed as part of the resolution efforts.