2016 over the shoulder – Another year of the Data Breach?

• by Ellie Hurst
• Advent IM Blog

So long, farewell, auf wiedersehen, good bye…2016

For the last few years, we have seen The Year of the Breach, resolutely attributed to the preceding year. 2016 is not going to buck that trend and in terms of breach it certainly doesn’t disappoint. Indeed some breaches from years past, such as Ashley Madison in 2015, have still rumbled on in 2016.  In the case of AM, their very large fine for security failures and willful deceptions of their users regarding security and privacy, hit the news yesterday (19.12.16). Yahoo! have suffered two very high profile breaches and the fall out from those will continue for years, as people who have repeated their Yahoo! password on other platforms discover that you don’t have to have lost a huge amount in an initial breach but the impact can spin on and across many different platforms. They will also have to hope that the vulnerable emails do not contain plain text login or password details for other sites. Breach is the gift that keeps on giving and assurances from businesses that they take our security ‘very seriously’ is really starting to wear thin. Especially when the evidence seems to contradict that.

Calls from MP Andrew Tyrie that GCHQ should do more to protect banking in the face of the Tesco Bank breach, were published today in Computing Magazine. Given the nature of some of the security failures and poor processes involved in the Tesco Bank security incident, makes me wonder what GCHQ could have done to have prevented it. Businesses, including banks, have to take responsibility for security and poor process or training will let them down every time. We are not talking about exceptional hacking here and whilst poor process does not, an exciting headline make, it is at the heart of many breaches we have seen this year.

This year also saw the installation of a new Information Commissioner, Elizabeth Denham. Thus far in her tenure, she has been very vocal in her condemnation of sloppy security practices and indeed has addressed a House of Commons Public Bill Committee stating that Directors should be personally liable for data breach in their businesses. Adding this to the approaching General Data Protection Regulation (GDPR) which requires enhanced accountability for Data Protection and offers much greater financial penalties for failure and there is a perfect storm for serious business problems.  Of course, it does offer businesses the opportunity to really get to grips with their security and Data Protection policies and processes as well as training, of course. It is a chance to ‘clean house’ and elevate how these key areas are handled and planned to our boardrooms and business leaders’ agendas. Their strategic input is vital if the increased accountability is going to be a positive and business-enhancing thing. Organisations of all types and sizes not have a chance to genuinely realise the value of their information assets and reconnect with the concept that they are the guardians and not the owners of the information supplied to them by users and customers.  They need to understand that having effective, capable and engaged information asset owners along with embedded and devolved information risk ownership, is far more powerful when aligned to their security strategy than IT alone.  The security and Data Protection future could be so much brighter once this is embraced.