“It is always a matter of ‘when’ not ‘if’ a breach will happen”
Oliver Rooney, VoxSmart CTO.
All risks are inherently unpredictable and this is equally true of information security risks. While we can always draw general inferences about how likely an event may be in the future, none of us can accurately foretell when a security incident or a breach of personal information is actually going to occur. For all this uncertainty though, we can be absolutely sure that incidents and breaches will continue to happen and the mantra of security professionals these days is that it is always a matter of “when” not “if” a breach will happen.
An ICO investigation found TalkTalk breached the Data Protection Act because it allowed staff to have access to large quantities of customers’ data. Its lack of adequate security measures left the data open to exploitation by rogue employees. – ICO (Information Commissioner’s Office)
Doubtless it is still a shock to an organisation when a breach does happen. Recent weeks have seen surprises delivered to HBO in the form of a hack, loss of commercial and personal data and a subsequent attempt at extortion. Less surprising than the incidents themselves, though, are the consequences, and today (10/08/2017) gives us another example of the inevitability of regulatory sanction for loss of personal data: TalkTalk, who are no stranger to the ICO or the Data Protection Act, have been fined £100,000 for a previous breach which involved the disclosure of more than twenty thousand customers’ personal details from insecure systems used by an offshore provider of outsourced customer support.
This is a surprisingly small fine, as it amounts to less than £5 per person. It may be that the ICO judged the actual harm suffered to be small, or it may be that the DPA simply does not allow proportionate fines, as the cap is so low at £500,000. Still, the cost per record of this breach in fines is well below the average cost per record you’d expect, which usually runs to hundreds of dollars. Equally as predictable as the regulatory consequences of a breach is the onward march of regulators: regulation is increasing in scope and the levels of fines that can be levied are ever increasing. This trend, which started in the aftermath of the financial crisis of 2008 and continues to struggle to keep up with the increasing pace of technological advances, shows no sign of slowing down.
The two most significant regulatory changes coming into force soon are GDPR and MIFID II. MIFID II comes into force in January next year and will bring a large number of financial services organisations within the scope of regulation, in the UK by the FCA, and will require these firms to record and retain mobile voice calls to provide greater transparency of communication between market participants. GDPR follows in May next year and has two effects that interact with MIFID II to markedly raise the stakes: GDPR increases the breadth of the definition of personal data to include identifiers like IP addresses, cookies or IMEI that were not previously considered personal, and also increases the largest possible fine from £500,000 to €20,000,000 or 4% of global annual turnover. What would TalkTalk have been fined under GDPR?
Adding to this, GDPR also marks a change from the Data Protection Act’s seventh principle of ensuring appropriate organisational and technical controls to protect privacy to a requirement for “privacy by design and default” that makes specific reference to “state of the art” technical measures. This leads us to an important question: if the scope of regulation increases, if we use more technology to store and process more personal data, and if there are ever greater fines for breaches, how can we control risks effectively?
Traditional security risk management would have us implement more controls and make our existing controls more rigorous. But traditional risk management is too often about saying “no”, about curtailing people’s ability, not enabling them to do their jobs in the simplest and most secure way. Think of the common sayings: “There is always a trade-off between security and usability” or, even more extreme, “The only secure systems are the ones that are off”. Common sense says this can’t work and our experience agrees, so it is good to see regulators catching up with common sense for once, with NIST now acknowledging that password complexity rules and forcing regular password changes just make people choose worse passwords and reduce security.
At VoxSmart we don’t agree with the old approach to risk management. For us, risk management is about adding value: not only does mitigating risk directly create value by reducing the expected cost of fines and reputational damage, but targeted best-of-breed solutions also exceed basic requirements. Our solutions will enable you to do more than meet obligations; they let you meet them in the best possible way, with the lowest risk and highest security.
How do we do it? Take the latest release of the VSmart™ product as a case in point. We have added Multi-Factor Authentication, which hugely strengthens the user authentication process: the user logs in with a username and secret password, after which a random one-time password is generated and delivered to the VSmart™ Control Centre user by SMS to a previously arranged mobile phone number. Combining “something you know” (the password) with “something you have” (the mobile phone) makes unauthorised access much harder to obtain: a keylogger could capture the password, but it is no use by itself; the SMS could be captured by malware on the mobile phone or by attacking the mobile network, but not only are these attacks hard to carry out, they are also effectively blocked by the IP address restrictions you can configure in VSmart™, which put you in control of the network traffic allowed to reach your portal. You can allow only your organisation’s networks to connect to your portal.

On top of these we also have a granular and fully customisable permissions model that lets you define your own roles and grant or deny them specific permissions, which allows powerful segregation of duties and limits the impact of any credential compromise. The last piece of the puzzle is the comprehensive audit logs: these contain entries for all user interactions with the portal and cannot be deleted by any user. Further, you can download them in an open format for your own analysis.
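The login flow described above (source IP allowlist, then password, then an out-of-band one-time code) as an added illustration; this is not VSmart™ code, and the allowlist network, user, phone number, code lifetime and attempt limit are constructed values. It shows the properties a practitioner would check for in such a scheme: the code comes from a CSPRNG, is time-limited, single-use, attempt-limited, and compared in constant time.

```python
import hashlib, hmac, ipaddress, secrets, time

ALLOWED_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]  # constructed: "your organisation's networks"
OTP_TTL = 300          # assumed: SMS code valid for 5 minutes
OTP_MAX_ATTEMPTS = 3   # assumed: pending code invalidated after 3 wrong guesses
SALT = b"constructed-salt"   # a real system stores a per-user random salt

def hash_password(pw, salt):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

# Constructed sample user; the phone number is the "previously arranged" one.
USERS = {"alice": {"pw_hash": hash_password("correct horse", SALT), "phone": "+44 7700 900123"}}
PENDING = {}    # username -> {"otp": str, "expires": float, "attempts": int}
SENT_SMS = []   # stand-in for the SMS gateway: records (phone, code) that would be sent

def ip_allowed(client_ip):
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in ALLOWED_NETWORKS)

def begin_login(username, password, client_ip, now=None):
    """Step 1: allowlist check, then password; on success generate and 'send' the OTP."""
    if not ip_allowed(client_ip):
        return "denied: source IP not allowed"
    user = USERS.get(username)
    candidate = hash_password(password, SALT)  # hash even for unknown users (uniform timing)
    if user is None or not hmac.compare_digest(candidate, user["pw_hash"]):
        return "denied: bad credentials"
    otp = f"{secrets.randbelow(10**6):06d}"     # 6-digit code from a CSPRNG, not random.random
    PENDING[username] = {"otp": otp, "expires": (now or time.time()) + OTP_TTL, "attempts": 0}
    SENT_SMS.append((user["phone"], otp))
    return "otp sent"

def complete_login(username, otp, now=None):
    """Step 2: verify the out-of-band code: time-limited, attempt-limited, single-use."""
    pending = PENDING.get(username)
    if pending is None:
        return "denied: no pending login"
    if (now or time.time()) > pending["expires"]:
        del PENDING[username]
        return "denied: code expired"
    pending["attempts"] += 1
    if not hmac.compare_digest(pending["otp"].encode(), otp.encode()):
        if pending["attempts"] >= OTP_MAX_ATTEMPTS:
            del PENDING[username]             # force a fresh code rather than allow brute force
            return "denied: too many attempts"
        return "denied: wrong code"
    del PENDING[username]                     # single use: a replayed code is rejected
    return "authenticated"
```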