Thursday, December 17, 2015

Consensus at last - but what does the EU General Data Protection Regulation mean for you?

Discussions over the EU General Data Protection Regulation (GDPR) have rumbled on since 2012. Consequently, it's understandable that this week's breaking news about a final agreement over the legislation already seems like old news. However, while it may have been almost three years since the need for change was acknowledged, the regulation as it stands today is vastly different to that under which organisations currently operate.

As a result, there is an inevitable widespread need for an update to policy, procedure and technology. With the regulation on track to be formally adopted in January 2016 and enforced a short two years later, organisations need to evaluate, implement and adopt processes and technology now, so they don’t fall foul later.

Two points to watch out for

Across the board, two of the most significant changes to be introduced are mandatory reporting of data breaches that are 'likely to harm individuals' within 72 hours and hefty fines of up to 4% of global turnover for non-compliance (the ICO's current maximum of £500,000 will pale in comparison for many large organisations).

Mandatory notification is expected to result in a rise in the number of data breaches being reported - not because more breaches are happening but because fewer can be swept under the carpet. Consequently, organisations will be forced to open themselves up to scrutiny, with regulatory bodies looking at how the sensitive data they handle is protected throughout its lifecycle. Any shortcomings will be exposed and will count against them.

As we recently examined, TalkTalk's data breach from October 2015 is estimated to cost them £35m in one-off costs alone. We need only add 4% of their global turnover to that and we can see why the EU GDPR will be keeping CFOs awake at night!

The good news is that now there's clarity, there can be action. Boards across Europe need to immediately start planning and implementing the right processes, training and technologies to protect the entire lifecycle of their data so they're prepared for when the regulation is enforced. We can see from previous breaches that it is the small slip-ups, caused by human error, that have been the most common and largely the most damning. As a result, security policies need to be matched with user training and education, and underpinned by smart, intuitive technology. Getting a head start on this now can only pay dividends in the future.

Friday, December 11, 2015

There’s no job security when your job is security

“There’s no job security when your job is security”. That’s the kind of line that would be enough for any CSO, CIO or even CEO to start penning their resignation letter.

The reality is obviously somewhat different. However, if the history of the last 12-18 months has taught us anything, it is that no-one is exempt from a high-profile data breach: breaches so severe that jobs can be lost and reputations so badly damaged that businesses are put at risk.

Finally, it seems, the penny has dropped. Organisations including the likes of TalkTalk, Facebook, Gmail and Twitter now accept that no set of security measures is completely immune to a breach.

As a result, they are starting to assess two things.

The cost of a data breach

Research carried out by IBM and the Ponemon Institute earlier this year found that on average, the global total cost of a data breach increased from $3.52m to $3.79m within the last year. The average cost paid for each lost or stolen record with sensitive data rose as well, to $154, from $145 in 2014. In the case of TalkTalk, it is estimated their breach could cost as much as £35m.

Of course, a monetary value also tells us nothing about the inconvenience and emotional cost of a breach to the real victims of PII loss – you and me. Consumers are now much more aware both of the risks of a breach and their rights if the worst happens. For example, research by Deloitte warns that three-quarters of customers would reconsider using a company in the event of a breach.


What to do when the inevitable happens

Probably as annoying as, if not worse than, an actual breach is a company that appears to have no grip on exactly what happened or how bad the breach was. Again, take TalkTalk as an example. Their high-profile breach and the media circus that followed it were made worse by their own confusion about what had happened and the lack of communication to their already worried customers. In fact, it was more than 24 hours before customers were even notified there had been a breach. What then followed was confusion about what data had been stolen, the number of accounts affected and whether the stolen data had been encrypted in the first place. TalkTalk’s CEO continues to cling onto her job and claims to currently have the support of the founder and the board. However, one has to question how long this will be the case, particularly once the true implications of the breach are felt through lost revenue and lack of customer support.


The risk to data extends further than just a cyber-attack

Organisations need to consider the complete lifecycle of the data they own and manage in order to understand where the vulnerabilities lie. This could, of course, be an external cyber-attack orchestrated by a third party intent on accessing and profiting from sensitive data. However, it could also be an inexperienced employee sending highly sensitive information in a clear-text email to the wrong recipient, as highlighted by the recent email breach at the North Carolina DHHS.

As research shows, often the biggest risk to any business is human error.

So what does a CSO, CTO or CEO make of this? In time I think we will reflect on these high-profile breaches and realise that they signalled a gear change in data security. At an exec / board level, suddenly focus and – more importantly – budget are being allocated to better understand all aspects of data security across a business. No longer will complacency rule, because everyone knows that in all likelihood at some point they will be forced to answer the question:

“You had one job: Secure the data. What happened?”

If this results in greater information assurance and more vigorously tested security measures and processes, then it has to be a positive for our data and our confidence as consumers in the market.