The threat of a £500k fine hasn’t led to a dramatic increase in the number of UK organisations reporting data breaches, but nor has there been a dramatic decline in the number of successful hack attacks reported – initially, usually by the hackers, not by the hacked.

The European Commission appears to understand that organisations, public and private, are not pre-disposed to protect personal data. The proposed revisions to the European Data Protection Directive should, if enacted as currently drafted, bring substantial change – the threat of a fine equivalent to 5% of global revenue (applicable to EU entities, including EU subsidiaries of foreign companies) should bring a substantial change to data protection behaviour. Allied to a legal requirement to report breaches within 24 hours, this regulatory imperative may finally bring real protection to individual data.

Now, imagine how quickly UK organisations would get their cyber security houses in order if they were faced with a requirement to report all breaches within 24 hours and faced a very substantial fine – on top of the losses and other penalties they incurred. And imagine how quickly cyber security would find its way onto the corporate governance agenda and onto the list of issues about which shareholders are concerned.

It will be interesting to watch the progress of the EU directive and, alongside it, progress in implementing the UK’s current cyber security strategy. I hope there will be progress in both and fear that both may ultimately be ineffective – the EU law because the compulsion element is watered down, and the UK strategy because it is already quite watery.

A recent report from Big Brother Watch “uncovered more than 1000 incidents across 132 local authorities, including at least 35 councils who have lost information about children and those in care.
Highly confidential information has been treated without the proper care and respect it deserves. At least 244 laptops and portable computers were lost, while a minimum of 98 memory sticks and more than 93 mobile devices went missing.
Yet of the 1035 incidents, local authorities reported that just 55 were reported to the Information Commissioner’s Office. Perhaps more concerning, just 9 incidents resulted in termination of employment.”

This survey is just the latest in a long series of reports and news releases that all point at the same three inadequacies: 

• Leicestershire City Council lost an unencrypted USB stick containing personal information of 80 children;
• a Scottish advocate whose unencrypted laptop (containing personal data of individuals involved in cases she was working on) was stolen while she was on holiday;
• An ASCL employee had a laptop containing unencrypted personal data stolen from home;
• Holly Park School in London had an unencrypted laptop stolen from an unlocked office at the school;
• Two London Housing Associations allowed details of thousands of their tenants to find their way onto an unencrypted USB stick belonging to one of their contractors – which was then left in a pub!;
• Southwark council ‘misplaced’ - for two years – an unencrypted laptop containing the personal information of 7,200 people – which was then found on a skip;
• A survey revealed that 17,000 USB sticks were left in dry cleaners during 2010!

The list goes on – as I identified yesterday, nearly 50% of breaches reported to the ICO elate to lost, unencrypted laptops or USB sticks. And it appears that the number of (so far) unreported losses may exceed those reported.

And the position on encrypting laptops and USB sticks is clear. According to the ICO’s Acting Head of Enforcement, Sally Anne Poole:

“The ICO’s guidance is clear: all personal information – the loss of which is liable to cause individuals damage and distress – must be encrypted. This is one of the most basic security measures and is not expensive to put in place – yet we continue to see incidents being reported to us. This type of breach is inexcusable and is putting people’s personal information at risk unnecessarily.”

There are three things that every organisation must do as a matter of course:

1. Ensure that all laptops – or at least all laptops that might at some point contain personal information – have boot-level, FIPS 140-2 encryption software installed;
2. Ensure that all USB sticks that come onto corporate premises, or which are used by staff and contractors, are also encrypted to FIPS 140-2;
3. Ensure that all staff – managers as well as front line staff – have adequate training and awareness around their responsibilities for protecting personal data.

Any organisation can do these three things. It isn’t hard.

My own company has tried to make it easy for our customers. We’ve provided specific DPA classroom training as well as a comprehensive DPA Compliance Documentation Toolkit for some years.

We’ve now gone a step further, and identified appropriate laptop encryption software, as well as appropriate CESG-approved encrypted USB sticks, and we’re supplying both – in single units or in bulk – directly from our UK website and service centre. We’ve also developed a unique DPA e-Learning Staff Awareness course that can be deployed across the largest organisation and which will ensure (with necessary evidence) that staff have received the core awareness training they need.

Isn’t it remarkable that, nearly 14 years since the passage of the DPA, and in spite of the Information Commissioner having the power to levy pretty significant fines, there should be such a pervasive disregard of the basic principles of protecting personal data?

The largest category of data breaches is to do with paper records, not with digital data. Many people don’t seem to think that that DPA also applies to paper records. More than that, it is harder for organisations to impose technical security controls on paper documents. This gap can only be filled by training. In today’s climate, the most cost-effective way to train people is DPA Staff Awareness eLearning - this ensures that all staff get a consistent message, tests staff understanding of the key concepts, retains records of completion of training and testing, and enables the employer to systematically train everyone at a low individual cost.

Nearly 50% of the cases are due to an absence of encryption – either of a laptop or of a USB stick. Failure to require staff to use encrypted USB stick (SafeSticks) s is, bluntly, reckless.

The breakdown of organisations concerned is also interesting:

I’m convinced that the only reason the private sector does so well in these statistics is the anomaly that the public sector is required to report data breaches, but the private sector is not (yet). This may change a bit with the new PECR requirement on ISPs to report data breaches but, until the appearance of a broader pan-european data breach reporting requirement, I would expect this reporting imbalance to continue.

The private sector is, however, subject to potentially hefty financial penalties – from the ICO and from individual regulatory bodies, such as the FSA. More importantly, breached private sector organisatons are subject to those most severe of business penalties – reputation destruction and customer desertion. The sensible private sector organisation will be taking steps, now that ISO27035 has been published, to ensure that its incident management and security breach reporting capabilities are up to scratch.

There are a number of reasons why SMBs are increasingly hunted as cyber prey:

1. Their cyber defences are usually inadequate – poorly written web applications, loopholes in their network defences, out-of-date patching, default security configurations, and so on;
2. SMBs also have valuable information – credit card data, personal information, intellectual property, and so on – and stealing an aggregate 10,000 records from 100 SMBs is likely to be easier than a single theft of 10,000 records from a larger, better defended organisation;
3. Infecting hundreds of SMB websites with malware is an inexpensive way of creating pharming sites, or Trojan downloader sites, which have the added advantage of legitimate URLs;
4. Controlling hundreds of SMB network servers in an SMB ‘bot net’ can be more effective for a hacker than controlling 1,000s of domestic PCs.

The cost of recovery from a successful cyber attack can be significant; the damage done to clients and credibility can be even more significant. Most smaller organisations shy away from penetration testing because it seems arcane, technical and expensive. It doesn’t have to be.

With cyber security identified as a key strategic threat facing organisations worldwide, sensible CIOs and CISOs will now be spending at least 13% of their IT budget directly on information security. There is a growing body of evidence that points to increased expenditure having a direct impact on reducing frequency and impace of cyber crime. In particular, the 2010 Cyber Security Watch Survey found that there was, on average a 10% reduction in the losses from cybercrime resulting from significantly increasing spend on cyber security. As individual cyber incidents can cost $3 million or more, a 10% reduction can be seriously worth having!

In fact, adopting and applying cyber security standards for managing information security and business resilience can pay off massively – depending on whether you adopt a self-help approach or bring in outside consultants, a best practice ISO27001 Information Security Management System can cost as little as £3.5k to £10k to implement and more than pay for itself in reduced financial damages in almost  no time!

This 5th Edition is completely updated and combines the content of International IT Governance, the version of the book that we produced for the North American market, with that of IT Governance. This means that there will now be a single edition, with coverage of IT governance, legal, security and compliance issues in the UK and in North America, as well as in Europe and elsewhere across the world.

We’ve obviously also updated all the technology content of the book, and have included the most recent information about Advanced Persistent Threats, attack vectors, cyber crime standards, the cyber resilience agenda, social media governance, PCI DSS and, of course, cloud computing.  

While the core standards, ISO/IEC 27001 and ISO/IEC 27002, have not yet been updated from the versions published in 2005, a whole family of ISO27000 standards has been created and are being published with great regularity.  Our new book incorporates material from a number of these standards and places them in their broader implementation context.

While working on the book, I came across a growing number of surveys and reports in which the link between increased expenditure on information security and a reduced incidence of cyber breaches (and, therefore, reduced financial and business impairment) is clear.  It has always been obvious to us that, in an insecure neighbourhood – and the Internet is a deeply insecure environment – it is simply good sense to lock the doors, alarm the house and secure one’s valuable assets.

The growing number of organisations certificated to ISO27001 (many of whom have taken advantage of our range of certificated ISO27001 training courses to prepare themselves) all contribute to greater information security awareness amongst users of digital assets. We hope that the 5th edition of IT Governance: a Manager’s Guide will help many more organisations around the world make the first step toward better digital self-preservation.

It is a very COBIT-focused framework – COBIT as the solution to everything. It would be useful for the framework to have included more work on integration with other widely-implemented standards and frameworks like ITIL and ISO27001 – and, while there is a solid definition of the difference between governance and management in COBIT 5, I didn’t see anything which specifically addressed the board-level issues which are (I think) so well dealt with in ISO/IEC 38500.

And, if that’s not enough, kids are being taught hacking basics at DEFCON kids (for 8 to 13-year olds), so that takes care of hacking for the future. And, as I’ve said on many occasions in the past, it’s not just hackers doing it for the craic, there is a whole commercial hacking scene as well: for instance, a cyber-spying company in India specialises in hacking into email and stealing information contained therein.

The Internet is an extremely insecure environment. There are lots of bad people out there. It’s like medieval Europe – when bands of predatory attackers roamed around, looking for opportunities to rape, rob and pillage – and towns and cities threw up battlements and turrets, and dug moats, and installed portcullises and so on – all to keep the bad people out. If you decided to build your house on the plain, or to run a fair beside the river, you would very quickly lose everything. It’s like that on the Internet today. You can’t just connect to the Internet and expect to remain unpillaged for long – you need battlements and other such stuff. Today, we call that stuff Internet Security and, because we can’t check it by walking (or riding) around the walls just looking for cracks that a pillager might exploit, we use penetration testing and vulnerability scanning to make sure that we’ve identified and closed down any security holes BEFORE they are exploited.

It does tend to be cheaper to close vulnerabilities before they are exploited…..

Inactions have consequences. DistributeIT.com.au ceased to exist as an independent business because it hadn’t identified the possible impact of a devastating hack attack: it didn’t have adequate offsite backups for the 4,800 websites it hosted.  And that’s what business continuity plans are for: to ensure that, as an organisation, you can survive when something terrible happens. You would have thought that an IT company would understand the importance of backups but, again, my experience is that most organisations never actually think through the circumstances in which they might have to recover from their backups and they are therefore never prepared when disaster strikes.

The good news, of course, is that there are internationally recognised standards for business continuity management – BS25999 (shortly to be ISO22301) and ISO/IEC 27031  - and there are Business Continuity Management Toolkits to help you with an BCM implementation – but there is no substitute for directors paying attention to what is going on in the risk world around us, and taking appropriate action to survive the unexpected. Right now, of course, being hacked is one of the more likely things to happen - so there really isn’t an excuse for being caught napping on this one!