Archive for the ‘ISMS’ Category

Analysis of Information Commissioner Cases

Tuesday, November 22nd, 2011

We carried out an analysis of the data breach cases which led to the UK’s Information Commissioner extracting an undertaking from the organisation concerned. Over the last 18 months (May 2010 – mid-November 2011), this is the breakdown of 85 cases:

Incident type                                                              No. cases    %
Lost / stolen unencrypted laptop                                           16           18.8%
Lost / stolen unencrypted USB (20), CD (1), camcorder (1)                  22           25.9%
Lost / binned / theft / exposure of paper records                          24           28.2%
Data exposed on website / emailed or faxed to unauthorised individuals     16           18.8%
Unsecure / incorrect / exposure of electronic data storage                 7            8.3%

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to think that the DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning: this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB sticks (SafeSticks) is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

Offender                      No. cases    %
Lawyers                       4            4.7%
Schools                       11           12.9%
Councils                      18           21.2%
Social services               4            4.7%
Hospitals / NHS trusts        29           34.1%
Commercial organisations      10           11.8%
Police                        3            3.5%
Government                    6            7.1%

Public sector                              88.2%
Private sector                             11.8%

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-European data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisations are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

Increase infosec spending – reduce cyber damages

Monday, November 21st, 2011

A recently published study into Global 2000 IT-spending intentions identified that 39% of corporations are spending more on information security this year, with 37% planning to increase spending in 2012.

With cyber security identified as a key strategic threat facing organisations worldwide, sensible CIOs and CISOs will now be spending at least 13% of their IT budget directly on information security. There is a growing body of evidence that points to increased expenditure having a direct impact on reducing the frequency and impact of cyber crime. In particular, the 2010 Cyber Security Watch Survey found that there was, on average, a 10% reduction in the losses from cybercrime resulting from significantly increasing spend on cyber security. As individual cyber incidents can cost $3 million or more, a 10% reduction can be seriously worth having!

In fact, adopting and applying cyber security standards for managing information security and business resilience can pay off massively – depending on whether you adopt a self-help approach or bring in outside consultants, a best practice ISO27001 Information Security Management System can cost as little as £3.5k to £10k to implement and more than pay for itself in reduced financial damages in almost no time!

ITG 5 (IT Governance: a Manager’s Guide – 5th Edition) completed!

Friday, November 11th, 2011

At the end of October, we submitted the manuscript of the 5th Edition of our best-selling book on implementing an ISO27001 Information Security Management System (ISMS) to our external publisher, Kogan Page. It should be in bookshops across the world in Spring 2012.

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and is being published with great regularity. Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear. It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

Pentest or Pull the Plug?

Monday, June 13th, 2011

Codemasters have just demonstrated the weakness of a fallback strategy, when attacked by hackers, of taking your website offline: the hackers will already have got away with a whole lot of valuable information. So Codemasters appear now to be in a position where their website is offline, their customers are upset – and a lot of their customers’ data is in the hands of those not entitled to have it. It’s not really a good way to run an Internet business, is it?

Sensible online organisations will usually do one – or both – of two things. The first is to run quarterly vulnerability scans across all websites that collect customer information – and one of the best tools for doing this is the HackerGuardian Scan service. It is PCI DSS compliant, which means that it meets requirements for e-commerce sites as well as scanning for all other website vulnerabilities.

The second thing to do is to have a detailed external penetration test carried out at least once per year and, ideally, on a quarterly basis – to make sure that your website and network access are both secured against attack. Pen testing is not expensive, and is not complicated – particularly when you purchase a pentesting package.

For most organisations, spending less than £10k per annum on Internet and network security testing must be a more sensible, more cost-effective option than hoping that hackers won’t strike you – because they will.

“We’re really, really sorry for….”

Tuesday, June 7th, 2011

“We’re really, really sorry for the PlayStation Network outage” is, apparently, the gist of the Sony announcement on this issue. I guess it’s also, in essence, the message of the US organisations which experienced the 662 data breaches in 2010, exposing more than 16 million records (adding to an astonishing 480 million other records exposed in the US since 2005). These statistics are quoted in the just-published Ponemon report, together with the equally interesting finding of the CSO CyberSecurity Watch 2011 Survey, which found that 81% of respondents had experienced a data breach in the last 12 months.

Is ‘really, really sorry’ enough? When you look at the recent spate of hack attacks – Sony, Nintendo, Lockheed Martin, Google’s Gmail – you have to conclude that there are lots of people out there who like breaking into networks – and you probably also have to conclude that there are lots of organisations out there who don’t care enough about the personal data with which they’re entrusted to take adequate steps to look after it.

Let’s think about it for a minute. If you live in a neighbourhood where casual crime is rife – people popping in through windows left open, slipping in through front doors left ajar, and likely to make off with your car if you leave it in the street with the keys in the ignition – what would you do? Yes, you’d probably start locking doors and windows and stuff like that.

Well, if you have a website, you’re in a tough neighbourhood – called the Internet. And what’s the Internet equivalent of locking your doors? It’s patching vulnerabilities in your websites. And how do you do that? You deploy a penetration test – straightforward, easy to do – and then you fix (what’s called remediation) the security holes that are identified.

And how much does a penetration test cost? It does depend – but for the average website, it will cost marginally less than £2k – and is £2k a better investment than the millions that a successful breach might cost you? (The Ponemon report estimates that the average data breach costs USD 7.2 million.)

India Leads the Way

Friday, June 3rd, 2011

It’s unusual to see India leading the way in terms of Information Security Management – dealing with cyber security threats in a structured, systematic way.

Rule 8 (4) of The Information Technology (Reasonable security practices and procedures and sensitive personal data or information) Rules, 2011 says: “The body corporate or a person on its behalf who have implemented either ISO/IEC 27001 standard or the codes of best practices for data protection as approved and notified under sub-rule (3) shall be deemed to have complied with reasonable security practices and procedures provided that such standard or the codes of best practices have been certified or audited on a regular basis by entities through independent auditor, duly approved by the Central Government.”

That effectively makes accredited certification to ISO/IEC 27001 a legal requirement for Indian organizations. Maybe, with more organisations forced to follow Information Security Management best practice, we may see a gradual, long term improvement in the protection of personal data – worldwide.

Sony Covered in Glory (Not)

Friday, June 3rd, 2011

If a hacker issues a statement saying they have broken into your website and stolen 1 million plain text passwords, as well as compromising a whole lot of other information, what would you do?

And if you’re the same global corporation that was previously hacked and had 1 million other customer records compromised, what would you do the second time it happens?

Of course, you’d issue a statement saying that you were investigating the claims. That should do the trick, shouldn’t it?

Sony (Sony Pictures, this time) doesn’t appear to care about your security at all. Stored in plain text was a whole lot of useful personal information: name, address, telephone number, password… and all accessed by means of a basic SQL injection attack.

If you’re a corporation or run a website that stores personal data, you need to check it out for vulnerabilities (it’s called penetration testing – and it’s neither complex nor expensive, but it is essential – a bit like checking your front door to make sure that it really is locked and won’t fall over if pushed).
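The two failures the post names – passwords kept in plain text, and a login query assembled by pasting user input into SQL – are shown below beside their hardened forms (parameterised query, salted PBKDF2 hash, constant-time comparison). This is an added example written for this page, not code from the post or from any Sony system; the table layout, the account names and the passwords are constructed for the demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed sample accounts for the demo (not real data).
SAMPLE_USERS = [("alice", "correct horse"), ("bob", "hunter2")]

# PBKDF2 work factor for the hardened store; raise it as hardware allows.
ITERATIONS = 100_000


def make_plaintext_db() -> sqlite3.Connection:
    """The failing pattern: passwords stored as plain text."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def login_vulnerable(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Both mistakes at once: SQL built by string formatting, and the plaintext
    password compared inside the query. Any quote character in the input
    becomes part of the SQL, so a crafted value can make the WHERE clause true
    for an arbitrary row. Kept here only to contrast with the hardened version."""
    sql = f"SELECT 1 FROM users WHERE name = '{name}' AND password = '{password}'"
    return conn.execute(sql).fetchone() is not None


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted PBKDF2-HMAC-SHA256; the record is self-describing so the
    iteration count can be raised later without breaking old rows."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iterations; compare in constant time."""
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(digest.hex(), digest_hex)


def make_hardened_db() -> sqlite3.Connection:
    """Same accounts, but only password hashes ever reach the database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, password_hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [(n, hash_password(p)) for n, p in SAMPLE_USERS],
    )
    return conn


def login_hardened(conn: sqlite3.Connection, name: str, password: str) -> bool:
    """Parameterised lookup: user input travels as a bound value, never as SQL.
    The password is checked in Python against the hash, not inside the query."""
    row = conn.execute(
        "SELECT password_hash FROM users WHERE name = ?", (name,)
    ).fetchone()
    if row is None:
        # Burn a hash anyway so an unknown name takes as long as a wrong password.
        hash_password(password)
        return False
    return verify_password(password, row[0])


if __name__ == "__main__":
    weak, strong = make_plaintext_db(), make_hardened_db()
    probe = "' OR '1'='1"
    print("vulnerable login, crafted input :", login_vulnerable(weak, "alice", probe))
    print("hardened login, crafted input   :", login_hardened(strong, "alice", probe))
    print("hardened login, real password   :", login_hardened(strong, "alice", "correct horse"))
```

Two points worth drawing out of the hardened path: because the query binds `name` as a parameter, a quote in the input is just data, and because the database holds only a salted hash, a successful SQL injection or a leaked backup no longer yields reusable passwords – which is exactly what makes the advice below to change the same password elsewhere necessary after a plaintext leak.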

If you’re an individual who had a Sony Pictures account, you need to:

  1. Go change your password on any other online account that has the same password;
  2. Watch out for phishing attacks – targeted right at you, with very relevant information – something like guidance on what to do if you are worried that your personal details may have been stolen;
  3. Watch out for vishing attacks – phishing attacks by VoIP – telephone callers asking you for critical missing information, like date of birth or mother’s maiden name – maybe claiming to call from your bank…
  4. Keep an eye on your credit record – investigate suspicious stuff asap (and, remember, your bank will probably want to sell you insurance against identity theft, even though this may be designed not to pay out under most reasonably imaginable circumstances);
  5. Avoid Sony in future!!

Does Sony Actually Have a Clue?

Friday, May 6th, 2011

“Sony suffers second data breach with theft of 25m more user details.” Actually, (according to the Guardian) this was their first loss – the Sony Online Entertainment (SOE) network was hacked on 16 & 17 April, while the PlayStation Network (PSN) was hacked between 17 & 19 April. Sony discovered the second hack first, didn’t think that the hackers had taken anything other than the initial 77 million records and then discovered that, actually, the hackers had already made off with 25 million other records. 102 million records - each with a value to hackers for whom identity theft is the new, wild opportunity – and, two weeks after the hack, Sony said: “on May 1, we concluded that SOE account information may have been stolen and we are notifying you as soon as possible.”

Two weeks is not really as soon as possible, Sony, is it? Two weeks after the event is more than enough time for these records to have been used maliciously. A tried and tested incident response procedure - which combines forensic investigation with rapid client communication in the event of a breach – should be part of any organisation’s information security management system. Perhaps Sony should get itself an ISMS?

ACS: Law: A Case Study on the Value of Information Security Management

Wednesday, September 29th, 2010

One of the most frequent questions I’m asked by CEOs is: “But what’s the real bottom-line benefit of more effective information security, or of an ISO27001-certificated Information Security Management System?”

One real benefit is that effective information security protects the bottom line. The reason you put money in a bank is to protect it. The reason that you secure information is to protect it – and the company that is responsible for the information.

The recent security breach at ACS: Law has been widely reported. A law firm appears to have broken a basic law (the Data Protection Act), is now apparently under investigation by the Information Commissioner and by the Solicitors Regulation Authority and, in addition to the possibility of a fine of up to £500k, it faces unquantifiable current and future damage to its reputation, brand and future business. It’s not always clear that firms subject to this level of challenge will survive the resulting storms.

So, what might effective information security actually have cost ACS: Law? Well, a Web Application Penetration Test might have set them back £3k; implementation of an ISO27001 ISMS in a firm of this size might only have required an investment of about £10k (with another £3k or so for certification). Of course, effective information security also requires top management commitment as well as the deployment of internal time and resource – but, when you’re implementing an ISMS, you’re in control of the process. When you’re responding to a serious breach, you’re not.

Let me put it another way: an investment of about £20k, plus internal effort, might have been sufficient to prevent financial damages that could be somewhere between 10 and 100 times greater than the investment – or more. That’s the point about ‘unquantifiable damages’.

Prevention, in information security, is always better than cure.

ISO27001 – the Information Security Framework of the future

Wednesday, June 23rd, 2010

I agree entirely with John Verry’s description of today’s drivers for the adoption of ISO27001, which we expect to become more widely adopted over the next 15 years than ISO9001 is today (there are currently about 1 million ISO9001 certifications worldwide).

“Driven to ISO 27001 … Driven by ISO 27001” – presented by John Verry, principal consultant at Pivot Point Security (Hamilton, NJ) to the Unisys Community of Practice Group on June 15, 2010 – focuses on three “pain” points driving organizations to the ISO 27001 framework as a simple and logical response. Verry cites the “cloud economy”, a “flatter world” and the growth of increasingly ambiguous and overlapping information security regulations as the main factors – and then explores how and why ISO 27001 is poised to change information security.

We’ve been working on ISO27001 since its inception and our unique, and uniquely comprehensive and integrated range of ISO27001 books, tools and resources is designed to help organisations around the world use this standard in their businesses – drawing on advice, tools, guidance, training or consultancy as required.