Archive for the ‘Business and the Economy’ Category

EU Commission and UK Cyber Security Strategy

Wednesday, December 7th, 2011

While the UK cyber security strategy, published last week, is full of good stuff, it is lacking in one key area: compulsion. My view on this was quite widely reported last week: if UK organisations won’t take adequate action to protect personal data, under legislation that has been around since 1998, and won’t report breaches voluntarily to the Information Commissioner, then what on earth is going to cause them to share information about much more damaging cyber breaches?

The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.

Analysis of Information Commissioner Cases

Tuesday, November 22nd, 2011

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

Incident type                                                            No. cases      %
Lost / stolen unencrypted laptop                                              16     18.8%
Lost / stolen unencrypted USB (20) / CD (1) / camcorder (1)                   22     25.9%
Lost / binned / theft / exposure of paper records                             24     28.2%
Data exposed on website / emailed or faxed to unauthorised individuals        16     18.8%
Unsecure / incorrect / exposure of electronic data storage                     7      8.3%

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to realise that the DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning – this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB sticks (SafeSticks) is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

Offender                         No. cases      %
Lawyers                               4       4.7%
Schools                              11      12.9%
Councils                             18      21.2%
Social services                       4       4.7%
Hospitals / NHS trusts               29      34.1%
Commercial organisations             10      11.8%
Police                                3       3.5%
Government                            6       7.1%

Public sector                                88.2%
Private sector                               11.8%

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-European data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisations are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

Increase infosec spending – reduce cyber damages

Monday, November 21st, 2011

A recently published study into Global 2000 IT-spending intentions identified that 39% of corporations are spending more on information security this year, with 37% planning to increase spending in 2012.

With cyber security identified as a key strategic threat facing organisations worldwide, sensible CIOs and CISOs will now be spending at least 13% of their IT budget directly on information security. There is a growing body of evidence that points to increased expenditure having a direct impact on reducing the frequency and impact of cyber crime. In particular, the 2010 Cyber Security Watch Survey found that there was, on average, a 10% reduction in the losses from cybercrime resulting from significantly increasing spend on cyber security. As individual cyber incidents can cost $3 million or more, a 10% reduction can be seriously worth having!

In fact, adopting and applying cyber security standards for managing information security and business resilience can pay off massively – depending on whether you adopt a self-help approach or bring in outside consultants, a best practice ISO27001 Information Security Management System can cost as little as £3.5k to £10k to implement and more than pay for itself in reduced financial damages in almost no time!

ITG 5 (IT Governance: a Manager’s Guide – 5th Edition) completed!

Friday, November 11th, 2011

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and is being published with great regularity. Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear. It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

Can we trust UK banks with our data?

Wednesday, June 1st, 2011

According to a recently published Which? report (based on the results of an FoI request to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised? UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment insurance scam. (They’re now selling insurance against identity theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese, glossy advertisements and implacable complaints processes. Failure to protect data is just one of the areas in which failure follows inadequacy follows absence of care. While we can avoid buying the banks’ schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is maintained in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?

Social Media & IT Governance

Monday, April 11th, 2011

“‘IT departments make the mistake of ignoring social media at one extreme or banning it at the other, when what they really need is a risk based strategy’, says Gartner research director Julie Short.”

She is of course correct. I’ve been arguing, since the appearance of Instant Messenger as a killer social media application, that it’s a mistake for IT departments to simply lock down or prohibit the use of new media and communications channels in the enterprise.

There are three reasons for this.

The first is that stopping people using applications which they already know will make communication quicker, easier, more dynamic and more effective makes IT departments appear Luddite - which is not exactly in line with what one might expect from that part of the business which is in charge of technology-based competitiveness.

The second is that good people will mostly tend to go and work for organisations that use technologies that they know about, rather than being forced to operate with outdated tools. And those organisations that limit themselves to recruiting from amongst the less ambitious will tend, over time, to be destroyed by those who are more future-orientated.

The third, of course, is that we live and work in a fast-moving Internet world; organisations that prohibit or over-control use of social media technologies are cutting themselves out of competition and, eventually, out of business.

I recognise that there are risks – to the confidentiality, integrity and availability of information – in the unbridled use of new social media within an enterprise. A risk-based strategy involves identifying specific risks, adopting appropriate policies, selecting and enforcing relevant controls, and reviewing and monitoring activity. We made all of these tools available in our Social Media Governance Toolkit, on the basis that what most organisations want today is to deploy the controls and get on with exploiting the social media channel, rather than having to re-invent the social media policy wheel.

Social Media Governance

Friday, April 1st, 2011

Gartner says that “IT & business leaders must face the fact that social collaboration is already a reality.” I agree. As a company, we have been working with social media in its varying, evolving forms for a number of years. This blog, for instance, has been in existence for five or six years – it’s never been a blog-a-day blog, but I’ve been writing about issues in and around information security and IT Governance irregularly for a long time. We published a Web 2.0 Best Practice Report in July 2008 and coined the phrase ‘Threat 2.0’ to describe the combination of threats to confidentiality, integrity and availability of data posed by the explosion in social media.

As a company, we’ve been producing the IT Governance blog for a couple of years, have a twitter feed (which we’ve just made the default way of ensuring that everyone inside the company is able to stay on top of our own news and developments), an IT Governance on Facebook page and a large number of topic-related IT Governance LinkedIn groups, all sitting under a single IT Governance profile.

We’ve grappled with social media for many years, from the early excitement of each of the ‘next big things’ through to the period of mainstream adoption, where issues like employee accountability, corporate resilience, privacy, compliance, confidentiality, data integrity and archiving are being taken increasingly seriously by business, IT and compliance leaders in organisations large and small across the world.

Our Social Media Governance Toolkit was developed out of a combination of our own experience, research and identification of existing good practice across the Internet. It continues to be informed by both internal and external feedback from actual use and we continue to make upgrades available to customers who have already purchased their own copy. For instance, we will shortly be sending out a LinkedIn Group Policy template, reflecting our own experience with the need to ensure that LinkedIn Groups continue to be useful forums for exchanging information in a reasonably informal (but unspammed) environment.

We hope, as increasing numbers of organisations deploy our Social Media Governance Toolkit (or similar policies and practices), that we will between us keep the ‘free interchange’ aspect of the Internet working effectively.

40% Increase in Cyber Security Certifications in 2009

Tuesday, October 26th, 2010

There were, according to the most recently published ISO certification survey, nearly 13,000 organisations worldwide certified to ISO27001 by the end of 2009. This is an increase of about 40% over the number certified the year before and reflects what I have said on many occasions – the number of certificates will go up exponentially as more and more organisations work their way through their initial PDCA cycles, often lasting a year or more, prior to their first successful certification audit.

And, as organisations turn to their supply chains and partners, looking for equivalent approaches to information security management, so the pressure for compliance mounts on every organisation that has confidential, valuable or personal information to look after.

Cyber risks, which emerge from the UK’s recently published National Defence Strategy as the most critical risk facing the UK economy over the next five years, are best defended against by deploying ISO27001 – which is why the standard is increasingly known as the ‘Cyber Security Standard’. The fact that ISO27001 is also international best practice for meeting a wide range of information, computer and data security regulations and laws makes its ever more rapid adoption inevitable.

Cybersecurity – the risks recognised

Tuesday, October 19th, 2010

The UK’s National Security Strategy (published 18 Oct 2010) identifies that, for the next five years, the four highest priority risks faced by the UK are those arising from

  • international terrorism;
  • cyber attack;
  • international military crises; and
  • major accidents or natural hazards.

The reality, of course, is that international terrorists have an identifiable cyber capability, and any international military crisis is also likely to have an important element of cyber threat. And, as the information on which we depend to respond to almost any major national accident is stored in electronic information systems, you might argue that cyber risk is the most important risk facing the UK today.

Cybersecurity standards

Cybersecurity standards are an important element in building a strong, resilient information and communications infrastructure. ISO27001 is the most significant international best practice standard available to any organisation that wants an intelligently organized and structured framework for tackling its own cyber risks. ISO27001, as a specification for an ISMS, is clear and precise; it also lists 133 key security controls that should be at the heart of any organisation’s approach to securing its information assets.

Many organisations, though, think it makes sense to implement ISO27001 without ever seeking external certification. The increased focus, at a national level, on responding appropriately to cyber risks undermines this approach – increasingly, organisations will want to know that their supply chain is resilient against cyber attack. Supplier audits can consume a lot of time, and an accredited ISO27001 certificate is clear evidence that an organisation has taken proper security steps and has obtained independent verification that these steps are in line with recognised international best practice.

‘Bank fined $9.7m over poor IT governance’

Friday, August 6th, 2010

The UK’s Financial Services Authority (FSA) this week fined Royal Bank of Scotland Group £5.6m for ‘failing to have adequate [IT] systems and controls in place to prevent breaches of UK financial sanctions’. The Australian IT News quite rightly identifies this as a massive failure in IT governance – which, of course, it is.

IT governance is defined as “a framework for the leadership, organizational structures and business processes, standards and compliance to these standards, which ensure that the organization’s IT supports and enables the achievement of its strategies and objectives.” (IT Governance: a Pocket Guide)

“RBSG’s automated screening failed to screen the majority of trade finance SWIFT messages generated in the international trade transactions that it carried out,” said the FSA; it could have gone on to say something like: ‘RBSG’s Board of Directors evidently does not have in place any formal process for ensuring that its IT infrastructure supports and enables its compliance with UK laws and regulations or the achievement of its strategies and objectives,’ but it didn’t. That, nevertheless, appears to be the case.

It always seems to me a pity that organisations have to be pushed, by substantial fines, to do things that have significant business benefits – but there we are!