Epsilon’s statement that, on March 30th, it had detected that “a subset [about 2%] of Epsilon clients’ customer data were exposed by an unauthorized entry into Epsilon’s email system” has sparked a flurry of activity for a wide range of household names, whose email lists may have been exposed in this hack.
The fact that Epsilon has been hacked exposes one key myth about ISO27001 certification: it does not equate to 100% security. ISO27001 is simply a management system which, effectively deployed, improves an organisation’s information security and resilience. In Epsilon’s case (and Epsilon does have an ISO27001-certified ISMS) it would appear that there is an effective incident management procedure in place, as this breach seems to have been identified quickly, followed by appropriate noises about investigation and notifications.
On the other hand, it would appear that there was a significant failure in Epsilon’s risk assessment process. Risk assessment is at the heart of effective information security management and, in the case of an organisation that manages email data, the risk of an external cyber attack should be high on the list of worries. Epsilon’s IT infrastructure has been penetrated; cyber criminals have found one or more vulnerabilities in the Epsilon infrastructure and taken advantage of them to steal email data (and, remember, as email lists have real value to cyber criminals, the likelihood of a cyber attack on an email database is high).
Epsilon’s selected controls were inadequate to deal with this risk and, as a result, it is now suffering a highly significant impact, the full scale and cost of which have yet to emerge.
What should Epsilon have done differently? It needed (and needs) a much more comprehensive security or penetration testing regime than it clearly has. Organisations that have a low likelihood of cyber attack may feel confident that an annual penetration test (calling on a packaged penetration testing service) is an adequate check of the effectiveness of their cyber defences; organisations like Epsilon, where the likelihood and impact are both very high, should be looking at least at weekly penetration tests.
Regular penetration testing, for high-value data systems like that of Epsilon, is essential but not enough. Zero-day vulnerabilities are now common. Organisations need a systematic approach to tracking information about emerging vulnerabilities, identifying occurrences on their systems, and rapidly remediating them. This requires a much more proactive information security function than most organisations have in place – but it is exactly what is envisaged in the ISO27001 Annex A control 12.6.1 Control of Technical Vulnerabilities – see the best practice guidance in ISO/IEC 27002 for more information on this (and related) controls.
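The three steps just described (track advisories, identify affected systems, prioritise remediation) are what a technical vulnerability management process actually does day to day. The following is an added illustration, not code from Epsilon or from any ISO27001 toolkit: it matches a constructed asset inventory against a constructed advisory feed and ranks the hits by the same likelihood-and-impact view a risk assessment uses. Host names, product names, versions and the `ADV-PLACEHOLDER-*` identifiers are all invented sample data; a real feed would carry CVE numbers and vendor advisories.

```python
"""Minimal technical-vulnerability check (added example, not Epsilon's code).

Inventory of installed software  ->  match against advisory feed  ->  rank by
severity x exposure x data sensitivity  ->  attach a remediation deadline.
All hosts, products, versions and advisory ids are constructed sample data.
"""
from dataclasses import dataclass
from typing import List, Tuple


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '2.4.10' into (2, 4, 10) so versions compare numerically.
    A plain string compare would wrongly rank '2.4.9' above '2.4.10'."""
    return tuple(int(part) for part in v.split("."))


@dataclass(frozen=True)
class Asset:
    host: str
    product: str
    version: str
    internet_facing: bool        # likelihood driver: reachable by an attacker
    holds_customer_data: bool    # impact driver: breach exposes client data


@dataclass(frozen=True)
class Advisory:
    advisory_id: str             # placeholder ids; real feeds use CVE numbers
    product: str
    fixed_in: str                # first version that is NOT affected
    severity: int                # 1 (low) .. 10 (critical), as published


# Constructed inventory (hypothetical hosts).
INVENTORY: List[Asset] = [
    Asset("mail-gw-01", "mailer", "2.4.9", True, True),
    Asset("mail-gw-02", "mailer", "2.4.10", True, True),
    Asset("db-int-01", "listdb", "5.1.0", False, True),
    Asset("build-01", "listdb", "5.2.3", False, False),
]

# Constructed advisory feed (hypothetical products and ids).
ADVISORIES: List[Advisory] = [
    Advisory("ADV-PLACEHOLDER-0001", "mailer", "2.4.10", 9),
    Advisory("ADV-PLACEHOLDER-0002", "listdb", "5.2.0", 7),
]


def is_affected(asset: Asset, adv: Advisory) -> bool:
    """An asset is affected when it runs the product at a version below the fix."""
    return (asset.product == adv.product
            and parse_version(asset.version) < parse_version(adv.fixed_in))


def priority(asset: Asset, adv: Advisory) -> int:
    """Severity weighted by likelihood (internet-facing) and impact (customer
    data); the same two axes the text says the risk assessment should weigh."""
    score = adv.severity
    score *= 2 if asset.internet_facing else 1
    score *= 2 if asset.holds_customer_data else 1
    return score


def sla_days(score: int) -> int:
    """Remediation deadline in days; thresholds are an assumed policy."""
    if score >= 32:
        return 1
    if score >= 16:
        return 7
    return 30


def find_exposures(inventory: List[Asset],
                   advisories: List[Advisory]) -> List[Tuple[int, int, Asset, Advisory]]:
    """Return (priority, sla_days, asset, advisory), highest priority first."""
    hits = []
    for asset in inventory:
        for adv in advisories:
            if is_affected(asset, adv):
                score = priority(asset, adv)
                hits.append((score, sla_days(score), asset, adv))
    hits.sort(key=lambda h: h[0], reverse=True)
    return hits


if __name__ == "__main__":
    for score, days, asset, adv in find_exposures(INVENTORY, ADVISORIES):
        print(f"{asset.host:12} {adv.advisory_id:22} priority={score:3} fix within {days}d")
```

In this sample the internet-facing mail gateway still on 2.4.9 comes out first with a one-day deadline, while the internal database ranks lower; the patched gateway and the non-sensitive build host produce no findings at all. The value of running this continuously rather than annually is that a new advisory appearing in the feed is matched against the inventory the same day, which is the gap an annual penetration test leaves open.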