We have produced an article on information security governance that looks at the type of data breach, and the application of sensible information security governance that will reduce the risk of data breaches.
Data breaching. They try to make it sound vaguely erotic don’’t they?
I would prefer to call it sensationalism, many high profile cases of data breaches are actually where data is mislaid (the loss of 27 million child benefit records springs to mind), most of the time the data is never recovered, neither does it fall into the wrong hands, the most likely destination for data involved in a breach is to be found in a council incinerator as in the hands of the KGB.
Some of the recent data breaches involving Banking systems, PSN or voicemail hacking also have limited effect on the subjects apart from the fear that something bad will happen in the future.
A simple question to ask is â€œHow many of the people who have had their details stolen from VISA systems etc. have actually ended up out of pocket as a result of theft using details compromised in the breachâ€. A cynical view is that more people have died as a result of stress over the fear of potential identity theft / financial ruin. [Note: this is the actual way in which terrorism works â€“ the fear that something may happen as opposed to what will actually happen]
The phrase conjures up images of Colin Firth, striding purposefully through a crowd of swooning bonnets, his muscular thighs throbbing through his data breaches. Phwooar…
And yet, and yet. For some reason, it’’s still terribly hard to get people interested in security.
True, but in most cases that is driven by a lack of trust in the motives of the consultants and techies who tend to make it all sound like the world is falling in and the solutions to fix security problems are like something out of James Bond.
Everyone, from Sony to Citigroup, has been compromised recently. Sources say nine inÂ 10 companies will have been penetrated and had their assets sniffed by some intruding agent. It shouldn’’t be allowed!
But what can the IT security expert do?
First of all the IT security expert needs to be able to have the support of decision makers within the business â€“ see my earlier comments on trusting your security consultants / experts. Once the consultant / expert can gain the trust of the decision makers, then there are well defined security processes (they are also outlined as a series of international standards â€“ the ISO27000 series to be precise) that can be applied to start to understand what needs to be protected, how reactive and proactive security measures can be carried out (with realistic costs), and what will the residual risk be at the end of the process.
On a practical note, for data breaches the first task is to find out what has been lost or stolen, and what would be the impact on the company it the data ended up in the wrong hands, if it was corrupted, or if it was manipulated / stolen and the original system or data set could not be reinstated.
How do you make users aware of the types of breach?
That would depend on the type of data and whether the users are a. the actual data owners (for example if there was a financial loss, this would very rarely be relayed to the user, but if there was a potential for personal data loss, then users would have to be told to be aware of potential identity theft issues), b. whether they have an indirect relationship to the data or the consequences of the breach (i.e. employees of the company who may be financially or reputationally ruined as a consequence of the breach may need to be told about the issue to prepare for an investigation and its consequences), or c. whether they are potentially involved in the breach (for example if there was a public acknowledgement of a breach, the actual hackers etc. may be made put on their guard).
Typically users are rarely informed of a breach until the risks have been calculated and the mitigations and remeditation plans are underway.
How do you quantify the types of damage (loss of customers, loss of reputation, litigation over the breach, the inability to gain new customers, loss of shareholder value – I’’m sure you can think of more) to exemplify to the user the seriousness of a breach?
From a security perspective there are standardised ways of measuring the impact of a loss of confidentiality, integrity or availability of data. CESG (The Information security arm of GCHQ) have also published a standards set of impact tables that could be applied to non-government data breach scenarios.
The impacts can be as varied as loss of life to impact on public services such as libraries. Most individuals would tend to think of a loss of money as a major impact, but organisations actually now understand that a loss of reputation is usually more damaging than a financial loss. It seems strange that for many years we have heard cries of â€œdonâ€™t let this leak into the hands of the pressâ€ but many of the risk assessments that I carry out for organisations donâ€™t recognize loss of reputation as a major impact until it is pointed out in very large black and white lettersâ€¦..
What are the precautions that should be taken