What do these three statements have in common?
- “Butlin’s take the security of our guest data very seriously”
- “The protection of our data has to be at the heart of our business”
- “Adidas is committed to the privacy and security of its consumers’ personal data”
They are all extracted from statements issued by companies that have experienced a data breach.
Number one was after the recent breach at Butlin’s, where a reported 34,000 guests’ details were stolen. Number two was Dixons Carphone Warehouse, where 1.2 million personal records were lost. I do have to be a little fair to DCW: they did say they had fallen short. Finally, number three was after the recent Adidas data breach, where an undisclosed number of customers’ records might have been lost.
These statements are usually followed by ‘but we can find no evidence of fraudulent activity’ or ‘no financial data was lost’. So that’s all right then! No, it isn’t. The personal data that was lost (names, addresses, email addresses, dates of birth) is exactly what a fraudster needs to mount a convincing phishing campaign or identity theft later, and unlike a card number it cannot be cancelled and reissued.
Daily we are trusting more and more organisations with our personal data. Many of these organisations are paying ‘lip service’ to the statement ‘we take the security of our customers’ data seriously’. If they really do, why are there so many data breaches happening?
Just a quick search on the internet and I find:
- In June the number of records lost through data breaches was around 145,942,680
- In July the number of records lost through data breaches was around 139,731,894
These are massive numbers. Since the arrival of GDPR in May, the UK ICO has seen a significant increase in data breach reporting. In April 2018 there were 367 reported cases; in May this rose to 657, a small rise because the Regulation only came into force on the 25th; but in June there were 1,792 breach reports. So how many had gone unreported previously?
If organisations want to convince us they take our data security seriously, surely this is a case where actions speak louder than words.
When one looks at the anatomy of many of these breaches, they fall into a small number of categories:
- Exploiting known vulnerabilities: As our systems become more complex, the number of vulnerabilities increases. The hardware and software industries do a good job of providing patches quickly once vulnerabilities are identified, and applying those patches promptly removes the risk associated with the vulnerabilities that attackers actually use. In both the Equifax data loss and the NHS WannaCry incident the attackers exploited a flaw for which a patch was already available, so timely patching may well have prevented them. Running anti-virus or anti-malware software adds a second layer that reduces the chance of an exploit executing if a patch is missed.
- User mistakes: The most common of these are phishing attacks. Phishing attacks are becoming increasingly sophisticated, and we are failing to train our staff adequately to recognise them and to know what to do when they receive one. In addition, users make simple mistakes, probably assuming the technology will protect them. Look at the Independent Inquiry into Child Sexual Abuse, which sent an email to participants using the ‘CC’ rather than the ‘BCC’ field and thereby disclosed every recipient’s address to every other recipient.
- Detecting attacks: Quick detection of attacks or issues can significantly reduce their impact. Google managed to shut down a phishing attack in less than one hour, limiting the damage to about 1 million accounts. Equifax failed to notice their attack for about a month and a half, and in that time the records of 143 million people were plundered.
Reducing the risks in these three areas is not hard. Certainly for one and three there are plenty of technical solutions available; for many organisations it will simply be a matter of switching on what they already have (automatic updates, the endpoint protection already bundled with the operating system, and the logging and alerting already built into their mail and cloud services). There are also certification schemes in place to prove to your customers that you do this, one of which is Cyber Essentials, backed by the UK Government.
Training your staff to be alert is not so easy, but there are businesses out there that can help. They will set up no-jargon courses especially for your staff, focused on your business, and they will also help you run regular awareness campaigns. Organisations need to start treating this sort of training as equal to H&S and fire safety training. A data breach can do untold damage to a business.