- Posted by Marie Murphy
- On January 5, 2017
- data security, good data practice, information security, privacy by design, security
What New Year’s Resolutions can organisations make that will halt the onward march of serious data breaches? What New Year’s Resolutions really make a difference to data security? How can we implement the lessons learned from 2016 as we start 2017?
This time of year, lots of articles look back at the old year and predict what will be different in the coming year. I am addicted no matter what the topic. What great films did I somehow miss? What awful films was I lucky to miss?
2016 was hailed as the year of the data breach and I have been hooked on the reviews. Previous breach records were smashed. Yahoo set the record for the biggest ever data breach and then a few short months later beat their own record by a very significant margin.
The numbers should be shocking… and we are desensitised
3.04 million records were compromised every day during the first half of 2016 (Source: Gemalto). The real number is even greater than these official figures: that number only counted reported breaches and represented a best guess at the number of records stolen. Exact numbers of stolen records were not known in just over half the cases (52%). These numbers represent a 31% increase on the previous six months.
Enough of numbers. Numbers don’t convey the harm caused by these breaches. Numbers don’t describe the nuisance when your email is hijacked and dubious content is distributed to all your contacts. Think of the hassle when you must change all your banking details because your financial information is compromised. What impact will the loss of revenue and productivity have on a small business targeted by ransomware? How do you recover from the loss of reputation when physical devices with inadequate security are hijacked and bring down huge sections of the web? How many employees could lose their jobs if the deal you need to save your business falls through?
Will we ever learn?
Here’s the 6-trillion-dollar question: will we ever learn from these breaches and take data protection and security seriously? Will 2017 be different?
My realistic assessment is: NO! We make the same old, same old mistakes time and time again even though we are smart enough to know how to avoid them. We cut corners: through ignorance, as a result of inexperience or for short-term gain.
Take a look at just one of those 2016 articles looking at the lessons learned from the top 5 US data breaches in 2016. It makes for depressing reading because it’s the same stuff we have been hearing about for years now.
Top 5 2017 Resolutions for anyone serious about avoiding data breaches?
If you are serious about avoiding a data breach what should you do differently in 2017? What can you learn from the Year of the Data Breach? How can you avoid repeating the same old mistakes?
Protecting data has to be a board level priority
In 2016, Yahoo were criticised for side-lining their security teams and not taking them seriously enough. The Democratic National Party were criticised for lax implementation of the NIST Security framework.
Yahoo (again) were found to have an inadequate response to their data breach and not to have followed the legal requirements for disclosing it. OWASP found in 2014 that inadequate breach response is No. 3 in the top 10 internet privacy threats.
These are very fundamental issues that need to be taken seriously across the entire organisation. They will only be taken seriously by an organisation that gives information protection and security strategic attention at board level.
Make protecting personal and business data a top priority at board level in 2017.
Password and identity management must be addressed
The Mirai breach that took out large sectors of the internet at the end of 2016 was largely attributed to poor password protection on IoT devices. This is shoddy work in the extreme. Millions of devices were shipped with default passwords that cannot be changed by the manufacturer or end user. That’s a time bomb that was just waiting to be detonated.
Poor password management practices were also at the heart of the LinkedIn breach. Employees reusing passwords across multiple accounts allowed one breach to lead to another.
This one is not so easy to address. For most of us it’s too complex to use a different password – and make each robust and difficult to hack – on every single app and website registration. We would have to remember dozens of complex letter, number and symbol combinations and then remember which to use where.
Password management sites are a reasonably good solution for now. 2-step authentication should be the norm. We should minimise password reuse and at the very least use different passwords across work apps, apps taking financial information and purely social apps. Never ever share a password with anyone.
Longer term we need truly robust identity management solutions that don’t erode our privacy. I optimistically think these are possible. Technology has proven to be excellent at solving complex problems when the need is urgent.
Perhaps 2017 will be the year when the need to solve the password conundrum will be great enough to drive a truly innovative solution.
Patching hardware and software for known vulnerabilities
Some of the higher-profile breaches of recent years were at least partially the result of organisations’ failures to keep software up to date. The UK ICO found TalkTalk had vulnerabilities for which patches had existed for years and had not been applied.
The Mirai breach again highlighted that IoT devices are particularly vulnerable. Manufacturers cannot issue software updates to many devices when vulnerabilities are discovered. This is an incredibly important issue – the security of basic utilities like communications, water and electricity is at stake. It is such a fundamental concern that these devices should never make it to market. Privacy and Security by Design are important approaches that could address these fundamental issues.
In 2017 let’s get back to basic design principles and take privacy and security considerations seriously in the design process.
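Knowing that a patch has existed for years and not been applied is an inventory question before it is anything else. The following is an added example, not code from the post: it compares a constructed asset inventory against a constructed advisory list (the product names, versions and dates are invented for illustration), reports how long each unpatched asset has been exposed, and separates assets that can be patched from devices that, as the post describes, cannot receive updates at all and so need isolating or replacing. The version comparison is numeric so that "2.4.10" correctly ranks above "2.4.9".

```python
import re
from datetime import date

# "Today" for the report: the post's own date.
REPORT_DATE = date(2017, 1, 5)


def parse_version(version: str):
    """Split a version string into a tuple of ints so "2.4.10" > "2.4.9".
    A plain string comparison would rank them the other way round."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


# Constructed, hypothetical advisories (products, versions and dates are invented).
ADVISORIES = [
    {"product": "examplehttpd", "fixed_in": "2.4.10", "published": date(2014, 7, 1)},
    {"product": "iotcam-firmware", "fixed_in": "1.3", "published": date(2016, 9, 20)},
]

# Constructed inventory. `updatable` records whether the vendor can ship updates at all.
INVENTORY = [
    {"host": "web-01", "product": "examplehttpd", "version": "2.4.9", "updatable": True},
    {"host": "web-02", "product": "examplehttpd", "version": "2.4.12", "updatable": True},
    {"host": "cam-17", "product": "iotcam-firmware", "version": "1.2", "updatable": False},
]


def assess(inventory, advisories, today):
    """Return one finding per asset/advisory pair where the installed version is
    older than the fixed version, longest exposure first."""
    findings = []
    for asset in inventory:
        for adv in advisories:
            if adv["product"] != asset["product"]:
                continue
            if parse_version(asset["version"]) >= parse_version(adv["fixed_in"]):
                continue                      # already at or beyond the fixed version
            findings.append({
                "host": asset["host"],
                "product": asset["product"],
                "installed": asset["version"],
                "fixed_in": adv["fixed_in"],
                "days_exposed": (today - adv["published"]).days,
                # A device that cannot be updated cannot be patched; it has to be
                # taken off the network or replaced.
                "action": "patch" if asset["updatable"] else "isolate_or_replace",
            })
    findings.sort(key=lambda f: f["days_exposed"], reverse=True)
    return findings


if __name__ == "__main__":
    for f in assess(INVENTORY, ADVISORIES, REPORT_DATE):
        print(f"{f['host']:8} {f['product']:16} {f['installed']:>7} -> {f['fixed_in']:<7} "
              f"{f['days_exposed']:4d} days  {f['action']}")
```

The `days_exposed` column is the number that belongs in front of a board: a patch published in 2014 and still missing in 2017 is a process failure, not a technical one.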
Robust software engineering processes are necessary to ensure secure applications.
This is close to my heart as I spent many years managing test teams bringing critical new communications systems to the field. We had high standards because our systems could not afford to fail outside the lab environment.
So, it is with a heavy heart that I read about breaches that happen because of failures to retest software after fixing security issues found during penetration testing. Again, a failure in fundamental software engineering processes. Test, fix, test, fix, test… The fundamental rule of software testing is that systems always require retesting after fixes are applied.
Let’s get back to standard good practice for software development in 2017.
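The practical form of "test, fix, test" is that every issue a penetration test finds becomes a regression test that stays in the suite, so the fix is re-checked on every build rather than once by hand. The following is an added example, not code from the post or from any product it mentions: a hypothetical file-download helper in its pre-fix form (the requested name is joined onto a base directory with no containment check) beside its fixed form, and a small regression suite, built from constructed inputs of the kind a tester would have used, that the old code fails and the new code must keep passing.

```python
import os


def resolve_download_path_before_fix(base_dir: str, requested: str) -> str:
    """Hypothetical pre-fix helper, as a pen test might flag it: the requested
    name is joined onto the base directory with no check that the result stays
    inside it. Kept here only so the regression suite can show it failing."""
    return os.path.join(base_dir, requested)


def resolve_download_path(base_dir: str, requested: str) -> str:
    """Hypothetical fixed helper: canonicalise, then confirm containment."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: "/srv/reports2" must not count as
    # being inside "/srv/reports".
    if os.path.commonpath([base, target]) != base:
        raise ValueError(f"refusing path outside {base}: {requested!r}")
    return target


# Constructed regression cases: the inputs the tester used, plus legitimate
# requests that must keep working after the fix. Value = required outcome.
REGRESSION_CASES = {
    "2016/q4.pdf": "allowed",
    "2016/../2015/q1.pdf": "allowed",        # stays inside base after normalisation
    "../../etc/passwd": "blocked",
    "/etc/passwd": "blocked",                # absolute path makes os.path.join drop the base
    "../reports2/secret.pdf": "blocked",     # sibling directory that merely shares the prefix
}


def escapes_base(base_dir: str, path: str) -> bool:
    """True if `path`, once canonicalised, lies outside `base_dir`."""
    base = os.path.realpath(base_dir)
    return os.path.commonpath([base, os.path.realpath(path)]) != base


def run_regression_suite(resolver, base_dir: str = "/srv/reports") -> dict:
    """Run every case through `resolver`; outcome is 'allowed', 'blocked', or
    'ESCAPED' when the resolver returned a path outside the base directory."""
    outcomes = {}
    for requested in REGRESSION_CASES:
        try:
            path = resolver(base_dir, requested)
        except ValueError:
            outcomes[requested] = "blocked"
            continue
        outcomes[requested] = "ESCAPED" if escapes_base(base_dir, path) else "allowed"
    return outcomes


def suite_passes(resolver, base_dir: str = "/srv/reports") -> bool:
    """The check a CI job runs: every case must produce exactly its required outcome."""
    return run_regression_suite(resolver, base_dir) == REGRESSION_CASES


if __name__ == "__main__":
    for name, fn in [("before fix", resolve_download_path_before_fix),
                     ("after fix", resolve_download_path)]:
        print(name, "passes" if suite_passes(fn) else "FAILS", run_regression_suite(fn))
```

The two "allowed" cases matter as much as the "blocked" ones: a fix that breaks legitimate requests gets quietly reverted under delivery pressure, which is exactly how a finding closed in one release comes back in the next.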
And finally – 2017 is the year to start preparing for GDPR!
All too many of the 2016 breach reports document breaches that could have been avoided by addressing fundamental security concerns. Basic security activities are not carried out – such as patching software in time and implementing better password and access management. Many organisations don’t formally address security during the design process or ignore good practice during product development and test. Others don’t react promptly or comprehensively when they become aware of a data breach and their inaction makes matters worse.
Breaches that could have been avoided tend to attract paltry fines. The record-breaking TalkTalk fine handed down by the UK ICO works out at £2.50 per breached record. This is less than the same records will fetch on the dark web and certainly less than the cost of the disruption to the 150k+ TalkTalk customers who had to change their banking details as a result of the breach.
GDPR is a signal that this will change. Potential fines are truly punitive. Organisations need to get their house in order and take data protection and security more seriously than ever before if they are to avoid those fines.
2017 is the time to start preparing for GDPR by assessing personal data handling activities and getting your policy, process, design, security and operational action plans in place.
Will 2017 bring more of the same or will it be the year we stop making the same fundamental data security mistakes?
Wishing you all a safe and secure 2017 and reminding you that Safe Data Matters!