Alan Calder on IT Governance, information security & ISO 27001

While the UK cyber security strategy, published last week, is full of good stuff, it is lacking in one key area: compulsion. My view on this was quite widely reported last week: if UK organisations won’t take adequate action to protect personal data, under legislation that has been around since 1998, and won’t report breaches voluntarily to the Information Commissioner, then what on earth is going to cause them to share information about much more damaging cyber breaches?

The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.

Another day, another (damning) survey.

A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”

This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies: 

• Leicestershire City Council lost an unencrypted USB stick containing personal information of 80 children;
• a Scottish advocate whose unencrypted laptop (containing personal data of individuals involved in cases she was working on) was stolen while she was on holiday;
• An ASCL employee had a laptop containing unencrypted personal data stolen from home;
• Holly Park School in London had an unencrypted laptop stolen from an unlocked office at the school;
• Two London Housing Associations allowed details of thousands of their tenants to find their way onto an unencrypted USB stick belonging to one of their contractors – which was then left in a pub!;
• Southwark council ‘misplaced’ - for two years – an unencrypted laptop containing the personal information of 7,200 people – which was then found on a skip;
• A survey revealed that 17,000 USB sticks were left in dry cleaners during 2010!

The list goes on – as I identified yesterday, nearly 50% of breaches reported to the ICO elate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.

And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

There are three things that every organisation must do as a matter of course:

1. Ensure that all laptops – or at least all laptops that might at some point contain personal information – have boot-level, FIPS 140-2 encryption software installed;
2. Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are also encrypted to FIPS 140-2;
3. Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.

Any organisation can do these three things. It isn’t hard.

My own company has tried to make it easy for our customers. We’ve provided specific DPA classroom training as well as a comprehensive DPA Compliance Documentation Toolkit for some years.

We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to think that that DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning - this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB stick (SafeSticks) s is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-european data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisatons are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.  

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and are being published with great regularity.  Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear.  It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

It’s encouraging that Malaysia has passed a Privacy and Data Protection Act. It is even more encouraging that the government is taking practical steps – working with public and private sectors – to translate the legislation into practical data security. This new Malaysian law seems to have many of the attributes of the EU and UK data protection and privacy legislation and recognises that individual data must be properly protected and maintained.

Coming on the heels of India’s more comprehensive Information Technology (IT) Rules 2011, which also contains stringent requirements around privacy and data protection, it is evident that developing economies are increasingly recognising the need for governments to take a clear, regulatory lead in terms of creating appropriate frameworks for protecting personal data.

I would expect to see ISO 27001 – the international standard for data security – become ever more widely deployed as governments recognise the importance of information security management. India, of course, has already set out a requirement for organisations to undergo an annual audit to ISO27001.

It’s a pity that the United States – the world’s biggest digital economy – still lacks a single, federal law that protects individual data (other than on a sectoral basis, such as HIPAA or GLBA). Still, I guess we have to hope that, where the developed economy leads, the mature US economy will follow!

Do you imagine that your website and network are as safe and secure against external cyber attack as those of the IMF, the CIA and the US Senate? Are you likely to have spent as much on cyber security as Sony, Nintendo, Sega, Fox, PBS and the rest? And do you think that, because you’re not a high profile organisation, you are immune to cyber attack?

If your answer to the first two questions is ‘No’ but you’ve answered ‘yes’ to third, then I have to tell you that you are deluding yourself: all organizations, irrespective of size or sector, are at risk of cyber attack. The organisations that make the headlines are those with a high media profile – the multitudes of smaller hacked organisations do not make interesting front-page news and therefore get to suffer in silence. Absence of press coverage does not mean absence of cyber attack.

The first part of a cyber attack is usually automated: an free-standing, web-based ‘sniffer’ programme seeks out web security vulnerabilities (remember, security vulnerabilities are all publicly listed) and, in many instances, the subsequent attack - aimed at stealing information or simply taking over computers to use as part of a zombie botnet – is also automated. 

Sometimes the attack comes by means of an increasingly carefully crafted ‘spear-phishing’ email and, increasingly, the attack is made possible when a member of staff downloads malware from an infected site – malware disguised as something important.

Every organisation has to take adequate steps to protect itself against external cyber attack. There are two practical ways of doing this. The first is to have quarterly ‘hackerguardian’ vulnerability scans run to check the security of your websites and externally facing IP addresses. PCI-compliant organisations already do this, but this is a basic security step that all organisations should take.  The second is to have six monthly penetration tests carried out. Pen tests look for opportunities to exploit vulnerabilities and security weaknesses that might have been missed. Sensible organisations will do both of these things, and will also take steps to ensure that they have a tried and tested incident response procedure to deal with those instances where front line defence fails.

Unless you take action today, you may be tomorrow’s cyber victim.

Surrey County Council’s recent £120k fine from the Information Commissioner was for failing, on three separate occassions, to assess and address the security risks of sending sensitive personal information by email. In each case, highly sensitive information ended up in the wrong hands by mistake – and the fine wasn’t for the mistake, it was for failing to realise that sometimes emails are mis-directed and takin appropriate steps to control the risks.

And that’s one of the important points about the Data Protection Act – it expects organisations to assess risks to personal information, and then to take appropriate administrative, technical and organisational steps to control the identified risks. In the case of sending sensitive information by email, it should by now be self-evident that mistakes sometimes happen and that applying encryption to such emails, as a standard, should be as much a default information security control as applying encryption to laptops and mobile media and USB Sticks.

“We’re really, really sorry for the PlayStation Network outage” is, apparently, the gist of the Sony announcement on this issue. I guess it’s also, in essence, the message of the US organisations which experienced the 662 data breaches in 2010, exposing more than 16 million records (adding to an astonishing 480 million other records exposed in the US since 2005). These statistics are quoted in the just-published Ponemon report, together with the equally interesting finding of the CSO CyberSecurity Watch 2011 Survey, which found that 81% of respondents had experienced a data breach in the last 12 months.

Is ‘really, really sorry’ enough? When you look at the recent spate of hack attacks – Sony, Nintendo, Lockhead Martin, Google’s Gmail – you have to conclude that there are lots of people out there who like breaking into networks – and you probably also have to conclude that there are lots of organisations out there who don’t care enough about the personal data with which they’re entrusted to take adequate steps to look after it.

Let’s think about it for a minute. If you live in a neighbourhood where casual crime is rife – people popping in through windows left open, slipping in through front doors left ajar, and likely to make off with your car if you leave it in the street with the keys in the ignition – what would you do? Yes, you’d probably start locking doors and windows and stuff like that.

Well, if you have a website, you’re in a tough neighbourhood – called the Internet. And what’s the Internet equivalent of locking your doors? It’s patching vulnerabilities in your websites. And how do you do that? You deploy a penetration test - straightforward, easy to do – and then you fix (what’s called remediation) the security holes that are identified.

And how much does a penetration test cost? It does depend – but for the average website, it will cost marginally less than £2k - and is £2k a better investment than the millions that a successful breach might cost you? (The Ponemon report estimates that the average data breach costs USD 7.2 miillion).

It’s unusual to see India leading the way in terms of Information Security Management – dealing with cyber security threats in a structured, systematic way.
Rule 8 (4) of The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011)  says:”The body corporate or a person on its behalf who have implemented either ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.”

That effectively makes accredited certification to ISO/IEC 27001 a legal requirement for Indian organizations. Maybe, with more organisations forced to follow Information Security Management best practice, we may see a gradual, long term improvement in the protection of personal data – worldwide.

According to a recently published Which? report (based on the results of an FoI requesst to the ICO), there were, in the year up to August 2010, nearly 1,200 allegations of breaches of the DPA made to the ICO in respect of UK banks and building societies. The Which? report said that only 13% of people knew they could report DPA breaches to the ICO, suggesting that the number of actual breaches may be much, much higher.

And who could be surprised?  UK financial institutions – which once had a reputation for honesty and probity – have been implicated in scandal after scandal – pension mis-selling, the bank fee/charges scandal, the debt crisis and, more recently, the payment insurance scam. (They’re now selling insurance against identify theft – watch this turn into another scandal, with another multi-billion compensation pot.)

UK banks appear to have invested heavily in their complaint-suppression processes. Consumers are to be exploited, not cared for, appears to be their real philosophy. At least a Nigerian Advance Fee Fraud is self-evidently dishonest – UK banks cloak their schemes in legalese. glossy advertisements and implacable complaints processes. Failure to protect data is just one of the areas in which failure follows inadequacy follows absence of care. While we can avoid buying the banks’s schemes, we can’t avoid the fact that they have our personal data. We can – and should – insist that our data is maintained in line with the DPA. Banks will not do this voluntarily.

I believe that we have reached a point where financial institutions should be required to immediately report all DPA breaches to the ICO, that breaches should automatically attract a compensation award to the individuals affected and that repeated breaches should automatically attract a significant fine from the ICO, with the amount of the fine increasing with every subsequent breach.

What do you think?