Actions speak louder than words

What do these three statements have in common?

  1. “Butlin’s take the security of our guest data very seriously”
  2. “The protection of our data has to be at the heart of our business”
  3. “Adidas is committed to the privacy and security of its consumers’ personal data”

They are all extracted from statements from companies that have experienced a data breach.

Number one was after the recent breach at Butlins, where a reported 34,000 guest details were stolen. Number two was Dixons Carphone Warehouse, where 1.2 million personal records were lost. I do have to be a little fair to DCW: they did say they had fallen short. Finally, number three was after the recent Adidas data breach, where an undisclosed amount of customers’ data might have been lost.

These statements are usually followed with, ‘but we can find no evidence of fraudulent activity’, or ‘no financial data was lost’. So that’s alright then! No, it isn’t.

Daily we are trusting more and more organisations with our personal data. Many of these organisations are paying ‘lip service’ to the statement ‘we take the security of our customers’ data seriously’. If they do, why are there so many data breaches happening?

Just a quick search on the internet and I find:

  • In June the number of records lost through data breaches was around 145,942,680
  • In July the number of records lost through data breaches was around 139,731,894

These are massive numbers. Since the arrival of GDPR in May, the UK ICO has seen a significant increase in data breach reporting. In April 2018 there were 367 reported cases; in May this rose to 657, a small rise as the Regulation came in on the 25th; but in June they had 1792 breach reports. So how many had gone unreported previously?

If organisations want to convince us they take our data security seriously, surely this is a good case of actions speaking louder than words.

When one looks at the anatomy of many of these breaches, they fall into a small number of categories:

  1. Exploiting known vulnerabilities: As our systems become more complex, vulnerabilities increase. The hardware and software industries do a good job of providing patches quickly as vulnerabilities are identified. Patching systems reduces the risks associated with vulnerabilities. Patching may have prevented the Equifax data loss and the NHS WannaCry incident. Using anti-virus or anti-malware applications would also reduce the chances of exploits running.
  2. User mistakes: The most common among these are phishing attacks. Phishing attacks are becoming increasingly sophisticated and we are failing to train our staff adequately to identify them and to deal with them. In addition, users are making mistakes, probably thinking the technology will protect them. Look at the Independent Inquiry into Child Sex Abuse, which sent an email to participants using the ‘CC’ rather than the ‘BCC’ field.
  3. Detecting attacks: Quick detection of attacks or issues can significantly reduce the impact. Google managed to shut down a phishing attack in less than one hour, limiting the damage to about 1 million accounts. Equifax failed to identify their attack for one and a half months; in this time 143 million user accounts were plundered.

Reducing the risks associated with these three areas is easy. Certainly for one and three, there are plenty of technical solutions available to support them. For many organisations, this will be a matter of switching on what they already have. There are also certification schemes in place to prove to your customers that you do this; one such is Cyber Essentials, sponsored by the UK Government.

Training your staff to be alert is not so easy, but there are businesses out there that can help. They will set up jargon-free courses especially for your staff, focusing on your business. They will also help you run regular awareness campaigns. Organisations need to start considering this sort of training as equal to H&S and fire safety training. A data breach can do untold damage to a business.

So, come on: start valuing our data by taking action, and demonstrate that you have.


GDPR – Forget me not!

December was the last time I blogged about GDPR. I can’t believe it is 7 months. It isn’t because I got bored of GDPR and gave up talking about it; it was because between January and June my feet didn’t touch the ground. There was a massive demand for GDPR advice. In June I took a bit of a well-earned break, and when I returned in July I saw that the entire world seemed to have forgotten about GDPR.

Remembering back to the Data Protection Professionals conference in April, Elizabeth Denham (Information Commissioner) gave a very insightful keynote speech. She said that May 25th 2018 was not the deadline for GDPR but the start of a new way of doing things. From what I’m seeing, it appears many are thinking the deadline has gone and there have been no big fines. What was all the fuss about? The first fine to be levied since GDPR day has been £500,000 to the massively rich Facebook. So, what was this about massive fines of 4% of global turnover? It was all stuff and nonsense, obviously!

Facebook’s fine was indeed £500,000, but that was because the offence was committed under the Data Protection Act 1998, not the new one. I’m sure the Treasury would have loved that particular fine to come under the new law. That would probably have dealt with the healthcare issues for a couple of years.

GDPR isn’t about the fines.  It isn’t about what businesses have done up to 25th May 2018.  It is about how they evolve over the next few years in the management and handling of personal data.  This requires businesses to look at themselves holistically and change.  Not change for the sake of change but change for the better.  In my experience of helping several companies prepare for GDPR, much of that change has meant improving the way they do business.

Let’s look at a few examples:

  • Reducing costs of data storage. Many businesses have made real cash savings by reviewing their data retention policies and reducing the amount of data they hold.
  • Improving communications. Some organisations had multiple data stores and a lack of document control across those stores.  By implementing better storage techniques and document control processes they have reduced the number of incidents of poor or cross communication.
  • Improving site security. GDPR means looking at your whole business. If someone can easily access your business premises and steal data, it is a GDPR issue. Some businesses, through improving their site security, have made the working environment for their staff better and their sites easier to manage.
  • Reviewing processes has given some businesses the opportunity to revise outdated, complex and time-consuming processes into ones suitable for the way they do business now, saving money and making staff happier.

I have said this before: GDPR, if looked at as a business enhancement exercise, can return real benefit. On the flip side, if looked at as a compliance exercise, it can be a total pain in the butt. That is because doing compliance creates work, and it shouldn’t.

However, back to my main point. GDPR isn’t over. We need to continue the good we were doing before May. With August upon us, the silly season, when traditionally things go a little quiet, isn’t it a good time to have a think about what you need to do? You can then action those plans when everyone is back fresh from their summer holidays.


It’s all about RISK and Reward

What a reward

I’m working with a lot of businesses who are attempting to implement General Data Protection Regulation (GDPR).  Some get it and some don’t.  To be honest that is not a surprise, there is a lot of misinformation out there about GDPR.  Probably the most misleading are the ‘come buy our software, it will make you GDPR compliant’ or ‘complete our templates and you will be GDPR compliant’.  Neither approach will make you fully compliant.  Anyway, what is compliance?

The way a business needs to manage privacy under GDPR changes from the often misjudged approaches adopted under the current Data Protection Act (DPA). It can make compliance less black and white, but also make it more manageable for businesses to adopt. Some of the key changes that are not being widely explained are:

  1. The requirement for businesses to prove they don’t process Personal Data. Rather than opting in, as businesses do today, they will need to prove they can opt out.
  2. The requirement of the Data Subject to prove that a business is not processing data in accordance with the DPA.  Under GDPR, businesses will need to prove that they process data correctly.
  3. It is a risk-based approach. Businesses need to understand the risks their data subjects are exposed to while their data is in their custody.

For points one and two, most businesses that comply with the DPA will have a small amount of work to do. However, point three will require some effort and some thinking.

For small businesses, management of risk can be a mysterious process. It can seem difficult to understand because there are no right and wrong answers, but it really isn’t too difficult.

First you have to understand the data that is held by your organisation.  I don’t think I have encountered a single one yet that has not been surprised at the amount of data they hold.  Usually the first exercise is to question the amount of data, storage locations and retention.  Reducing the amount of data to the minimum needed to run the business is a risk reduction exercise in itself.

Once you understand the data, examine the risks that your business is exposed to and assess what the impact would be to the data subject if that risk was to materialise. I assess this impact by using the model developed by NIST. I have adapted this slightly for GDPR; see below:

This matrix is adapted from NIST

I then prioritise the high impact risks and work on them, first identifying what level of risk would be acceptable and then working out what actions are needed to reduce the risk to that level. These actions are then assigned to individuals to ensure they are put into operation.
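As an added illustration of the steps just described (this is not code from the original post, and not the author’s adapted matrix, which is not reproduced on this page), here is a small qualitative risk register in Python: rate the impact on the data subject and the likelihood, work on the high-impact risks first, set an acceptable level, assign an owner, and re-rate once a mitigation is in place. It assumes three-level low/moderate/high scales in the spirit of NIST FIPS 199, and the sample risks are constructed.

```python
# Added illustration of the qualitative steps above (not code from the post).
# Assumption: three-level low/moderate/high scales for likelihood and impact,
# in the spirit of NIST FIPS 199, not the author's adapted matrix.
from dataclasses import dataclass, field

LEVELS = {"low": 1, "moderate": 2, "high": 3}


@dataclass
class Risk:
    description: str
    likelihood: str             # low / moderate / high
    impact: str                 # impact on the data subject if it materialises
    target_level: str = "low"   # residual level the business will accept
    owner: str = "unassigned"   # person accountable for the actions
    actions: list = field(default_factory=list)

    def score(self) -> int:
        return LEVELS[self.likelihood] * LEVELS[self.impact]

    def level(self) -> str:
        """Map the 1-9 score back onto the same three-level scale."""
        s = self.score()
        return "high" if s >= 6 else "moderate" if s >= 3 else "low"

    def needs_treatment(self) -> bool:
        return LEVELS[self.level()] > LEVELS[self.target_level]

    def treat(self, likelihood=None, impact=None) -> str:
        """Re-rate after a mitigation is applied; returns the residual level."""
        self.likelihood = likelihood or self.likelihood
        self.impact = impact or self.impact
        return self.level()


def prioritise(register):
    """High-impact risks first (as in the post), ties broken by overall score."""
    return sorted(register, key=lambda r: (LEVELS[r.impact], r.score()), reverse=True)


def unowned_treatable(register):
    """Risks above the acceptable level that nobody has yet been assigned to."""
    return [r for r in register if r.needs_treatment() and r.owner == "unassigned"]


# Constructed sample register for a small business; not real cases.
SAMPLE_REGISTER = [
    Risk("Customer spreadsheet kept six years past need on a shared drive",
         likelihood="moderate", impact="moderate", owner="Ops manager",
         actions=["Apply retention policy and delete out-of-policy records"]),
    Risk("Bulk email to participants sent with addresses in CC not BCC",
         likelihood="high", impact="high", target_level="moderate"),
    Risk("Unpatched public web server holding account data",
         likelihood="moderate", impact="high", owner="IT lead",
         actions=["Enable automatic security updates"]),
    Risk("Paper visitor book left on the reception desk",
         likelihood="low", impact="low"),
]


def report(register):
    """Print the register in priority order with a treat/accept decision."""
    for r in prioritise(register):
        decision = "TREAT" if r.needs_treatment() else "accept"
        print(f"{r.level():8} {decision:6} {r.owner:12} {r.description}")


if __name__ == "__main__":
    report(SAMPLE_REGISTER)
    cc = SAMPLE_REGISTER[1]                       # the CC-not-BCC risk
    cc.owner = "Comms lead"
    cc.actions = ["BCC-only mail-merge tool", "staff training"]
    print("residual level:", cc.treat(likelihood="low"))   # moderate, meets target
```

The register is deliberately qualitative: the point is the regular re-rating as mitigations land, not the arithmetic.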

Risk is largely subjective.  There are approaches which attempt to quantify it, but for most businesses attempting to implement GDPR, this type of qualitative approach will work.  Because it is subjective, it needs to be reviewed regularly as knowledge matures and risks become clearer, as do the mitigations.  So businesses should start to have this as a regular agenda item for board or management meetings.

There are lots of negatives communicated about GDPR, but it doesn’t have to be negative. Taking a little time to sit back and understand how your business is functioning, and then understanding risk and putting measures in place, can return many benefits. Here are just a few I have seen recently:

  • Reduction in the amount of data held. This reduced risk, but it also significantly reduced storage costs.
  • Streamlining of processes, which has increased speed of production.
  • Greater understanding of how the business functions and identification of organisational ‘pinch points’.

As I have said in previous blogs, look at GDPR as a tick box exercise and you will not only fail to comply, you could miss some brilliant opportunities.


GDPR Gain or Pain?

It is clear that the GDPR is starting to gain interest. Just last week, I presented at an event where 53 people attended, just to hear me talk about GDPR. Only a few months back I could count most of my audiences on one hand.

When I talk about GDPR, I don’t focus on the potential penalties. That information is everywhere and not helpful. I choose to focus on what organisations need to do practically to get ready. However, I am still surprised at the number of people who think getting ready for GDPR is about filling in policy templates. It’s not.

I have said this many times, but if you consider GDPR as a compliance task, great opportunities can be missed. GDPR is about managing risk and putting processes and procedures in place within an organisation that are appropriate to manage that risk. For this reason, there can’t be a ‘one size fits all’ solution, certainly not one that is managed through macro-driven templates. There is definitely an opportunity to realise some real benefits if you consider GDPR as a catalyst for change.

Let’s look at a typical implementation. The first task is to understand the data. For most small companies, this exercise is best achieved by looking at the organisational processes. Done properly, this will uncover all the data the organisation holds, including the unofficial stores, and all of their processes, both formal and informal. When was the last time you looked at your data and processes? I don’t think I have come across a single organisation yet that has not discovered something new about itself. Typically we find processes that don’t work, which generates an opportunity to fix them and make them more efficient. Secondly, we normally discover that the organisation’s data storage has grown beyond their knowledge. Organisations usually end up reducing either the amount of data they store or the number of locations they store it in. This may seem trivial, but improving processes and reducing data and storage locations can mean real savings and efficiency.

There are also opportunities to make your business different.  Make a good job of implementing GDPR and whilst your competitors are moaning about it being too much fuss, or another tax on business, you can promote your stance on privacy.

Conversely, if you approach GDPR negatively, you could create additional work in the long run. I’m not talking about fines or breaches; no, worse. By completing pre-configured templates, you may think you are achieving a quick fix. What you could be doing is adding inefficiency into your business. That will be a burden for a long time, inhibit growth and make work more unpleasant.

So, if you get this right and go in with an attitude of using GDPR as a catalyst for change, you could benefit twice. They do say there is no gain without pain, but the benefits could be worth it.


GDPR and the people

When undertaking the Data Protection Impact Assessment (DPIA), a mandatory element of the GDPR, how many businesses will consider the risk staff bring with them?

Remember that the DPIA is a process all businesses need to go through to assess the risk they expose data subjects to in holding their data.  If you are conducting a risk assessment, then you need to cover all aspects and one of those has to be the people aspect.

I recently spent an interesting afternoon looking at the actions taken by the ICO. I was surprised to see some trends. When I looked at the civil monetary penalties that have been imposed since 2010, most were for breaches under the Privacy of Electronic Communication Regulation (PECR). This covers spam emails, texts etc. However, the next highest, at 37%, seemed to be for things that one would class as human error or lack of knowledge. These things included:

  • Disclosure of personal data via email to the wrong recipients. There were many of these.
  • Personal data that was hand delivered to the wrong individual.
  • Insecure disposal of personal data, both paper and electronic.
  • Making personal data available via websites.
  • Loss of paper or electronic files containing personal data.

Some of the stories actually made me laugh.  How could such mistakes happen? Obviously they do.

When I examined some of the case histories in more detail, it was obvious that many mistakes had happened due to either lack of process or poor training of staff.

Would any organisation consider letting an employee loose on a forklift truck without adequate training? Would they consider letting an employee use dangerous substances without adequate training? Or heavy machinery? My guess is no. The reason, I would suggest, that many companies comply is that they understand the risk of the above activities. But there are also risks with data mismanagement. OK, they may not have the immediate impact of a forklift driven by a maniac, but the consequences of data loss can be catastrophic for data subjects. If you want to see an example, listen to Bennett Arron. Bennett is a writer and stand-up comedian who had his identity stolen. He lost everything and it took him years to recover. Loss of data is not victimless.

So when considering your risks regarding data, please add in the ‘human cock-up’ factor and think about what can be done to reduce the risk. Certainly training will be a key factor, as will processes that are clear and simple. Data protection does not have to be complicated – just effective.

Oh, and for those interested, the percentage of fines handed out for data loss from cyber attacks was 6.5% of the total.


200 and counting

It is a big week for all things GDPR (General Data Protection Regulation).

Firstly, Thursday sees us hit the 200 day milestone to GDPR Day (25th May 2018). This is the day when all businesses will be required to comply with the new regulation.

Monday saw the announcement that the new Data Protection Bill will be put before Parliament after the summer recess. This will once and for all settle what will happen post-Brexit. The Bill will, to all intents and purposes, transfer the GDPR into UK law as part of the Brexit preparations.

So GDPR is going to happen. It is time to extract heads out of the sand and get on with preparations. 200 days is not long. This isn’t something that will only affect large corporations and the public sector; all businesses need to prepare.

Let’s put the record straight on the reasons for GDPR. It is not to persecute businesses and make it harder to do business; it is about making sure the massive amounts of data that are exchanged are exchanged in a way that protects the individual. And that individual could be you or me. Also, nowhere in the GDPR have I seen it say that something cannot be done. Things just have to be done in a way that protects you and me.

Let’s look at some of the reasons this regulation has been brought in.

  1. The current Data Protection Act has not kept up with technology and the power of the internet. In 1995, when the current act was written, there were 16m internet users, 0.4% of the population. In March 2017, it was estimated that there were over 3.7bn people in the world using the internet, that is over 49% of the population. 3.7bn people create a lot of data. Actually, they create over 2 Exabytes of data a day. If that was stored on Compact Disks it would take more than 1.5 trillion. That surely has to be managed well.
  2. What we do on the internet has changed. In 1998, for example, there was no such thing as social media. Social media itself has also changed. What started off as a great communications device has morphed into a massive data generation tool used for all manner of analysis. We have become a commodity of the internet.
  3. There has been a lot of talk about the extended powers that will be given to the Information Commissioner’s Office (ICO). Yes, the fines have been increased, but largely this is to encourage businesses to do the right thing and not take the risk of being fined. Currently the maximum fine that can be imposed is £500,000. To a business turning over hundreds of millions of pounds a year, it may be worth the risk of a fine rather than spending the money on process and technology. Change that to between 2% and 4% of turnover or between €10m and €20m and the risk assessment may be a little different.
  4. Businesses will no longer need to register with the ICO, so that puts all businesses within scope. That has to be a good thing. No longer is it just large companies that can process massive amounts of personal data; it is as easy for a small or even micro business to have huge amounts of data.
  5. The rights of the Data Subject will be increased. The most publicised is the right to be forgotten. But that is not the only big change. Consent will require all organisations that collect Personal Data using consent to review and possibly change their processes. This could require website modifications and reprinting of paper forms. If you haven’t got this planned in yet, it could be costly. I’m fairly certain that web developers will be in short supply in the early part of next year.
  6. Finally, GDPR aims to simplify the understanding of Data Protection across Europe. There will be one regulation covering all 28 countries, rather than the current 28 different regulations.

If you want to get some idea of what you need to do to prepare, read some of my earlier blogs. I also offer a one-day course on implementing GDPR with the National Cyber Skills Centre. If you haven’t started yet, your first job has to be to understand your data.

Image by Tnarlk Innael used under Creative Commons Licence

I’m confused

Computing and technology is as delicate and fallible today as it was 30 years ago!

In the last 3 weeks we have experienced 2 major public IT failures. I am slightly confused how they could both become so massive.

I entered the IT industry nearly 30 years ago. Like so many in those days, I entered from a previous career and fell into the profession. Falling into it, we brought experiences with us from previous careers. One thing we all acknowledged was the fallibility of technology, or anything mechanical. We made sure we reduced risk wherever we could, and where we couldn’t we had a fallback process. So what is happening in this world today? (Oh ’eck, I’m sounding like me Dad!)

This weekend, we saw British Airways (BA) grounding all its flights because of a catastrophic computer failure.  It is reported that this was caused by a massive power surge at their data centre.  We saw images of airports crammed with disappointed passengers and what looked like confused employees.  As I sat watching the news, my only thought was how could a massive power surge cause such damage?

30 years ago, when I was involved in setting up my first data centre for a 1,500 bed hospital, we knew that a power surge on our delicate computing equipment could cause a failure we could find difficult to recover from. So we installed a clean supply and a bank of Uninterruptible Power Supplies to smooth out that supply and maintain us long enough for generators to power up in the event of loss of power. I can only assume that BA didn’t do this in their data centre. One that controls thousands of passenger journeys every day! We also anticipated that a failure could result in loss of important patient data, so we had a ‘hot failover’ where we could pick up normal IT services, albeit on a reduced capacity, but a service nevertheless. And that ‘hot failover’ was housed away from the main computer facility. Finally, we had manual fallback procedures which we had practised. These procedures included staff assigned the responsibility of communicating with system users and hospital users. I didn’t see any of this in the news reports.

The measures we put into place were not cheap at the time and took some justification; weeks of writing business cases, as I remember. When we lost power to the computer suite and no users noticed, it was justified.

Since then, technology has moved on and many of the things that were expensive then now cost pennies, especially when you put them against the cost of initial implementation and the cost of losing systems businesses have come to rely on. Finally there is the reputational damage, which is not always acknowledged. This is anecdotal, but the view in my local on Saturday was heavily toward avoiding flying with BA for the foreseeable future. Sure, this will be forgotten over time, but what will be the immediate cost?

Have we become complacent?  With our always on society and IT Service companies offering 99.999999% up time are we forgetting the fallibility of these devices?  I would suggest we probably are and it is time to re-evaluate.

One of the first lessons I learned about managing IT was three letters: C I A. No, not the US intelligence agency, but maintaining Confidentiality, Integrity and Availability. Those three letters stand as much today as they did all those years ago; even now, whenever I consider changes to IT or assess risk, I recite CIA. In fact they are probably more pertinent. Risks haven’t reduced; they have changed and in some areas increased. I don’t know how much this failure will have cost BA or how much WannaCry will have cost the NHS. One thing that is certain: it will be more than putting technology, people and processes in place to reduce and manage the risks!

My final thought this morning was: what will the ICO make of the NHS and BA incidents? They both involved personal data. One involved damage through encryption and the other non-availability at the point of need. Watch this space. There could be even more cost winging its way.
