Computing research: keeping data out of the wrong hands

John Leonard explains how organisations can safely navigate the changing threat landscape

Earlier this month, the Information Commissioner's Office (ICO) issued financial services giant Prudential with a penalty charge of £50,000 for a serious breach of the Data Protection Act (DPA), after a prolonged mix-up of two customers' accounts.

This is significant because it is the first time that a fine has been levied with no data loss having taken place. It is also unusual because the action was brought against a private-sector organisation.

Unlike their central government counterparts, private organisations are under no obligation to agree to an ICO audit. There is also no legal compulsion and certainly little incentive for companies to admit to a breach, such as the theft of an unencrypted memory stick or an intrusion into their systems by hackers.

However some experts believe that mandatory data breach notification for the private sector in the UK is just a matter of time, in part because of recent EU directives, and also because disclosure is now law in some US states such as California, which provides a precedent.

More leaks mean more laws

The backdrop to all of this is a massive rise in reported breaches of the DPA. According to the ICO, these have jumped ten-fold over the past five years, with a consistent increase in the number of incidents reported every year. To some extent, this increase may be due to the huge rise in data volumes - there's simply more data to leak - and also to mandatory reporting in the public sector since 2010 (the largest rises have been for councils and other public-sector bodies).

Whatever the cause, these figures will put pressure on politicians to further strengthen the powers of an ICO that is already baring its teeth more than before, extend mandatory audits and reporting, and possibly increase the range of sanctions available to the watchdog. Many argue that even the maximum £500,000 penalty is small beer to a large financial organisation, for example, and unlikely to force a change in attitude.

What will make a difference to corporate boards, though, is customers jumping ship. Unlike local authority services, people can easily take their bank accounts elsewhere. And they do. Customer "churn" is particularly high in the financial services sector.

The charity sector is another in which reputation is vital. In October, social care charity Norwood Ravenswood was served a penalty of £70,000 by the ICO after highly sensitive information about four children was lost. Donors will think twice before giving money to such a careless organisation.

In addition to lost custom, there is the time and expense of putting things right following a serious breach. Such costs can include compensation, helpdesk activities, investigations, training, legal expenditure, product discounts and regulatory interventions.

Hackers make headlines

Despite the headlines, malicious activity - particularly by outsiders - is the least likely cause of a data breach. Most recent studies put all malicious activity (including by internal staff, the source of the majority of attacks) around the 25-30 per cent mark, followed by systems failure, with simple human error topping the list. The proverbial laptop left on a train is a far more common cause of data loss than a successful hack.

That said, malicious attacks are the most costly type of breach. Research by Ponemon and Symantec in 2011 found that such attacks carried an average cost of £90 per record, compared with £62 for a systems glitch. Following a malicious attack an organisation must go into overdrive to bring systems back online, repair any damage, and most importantly communicate with customers and partners. Failure to do so is likely to exacerbate the damage - as the PlayStation arm of Sony found to its cost last year.

Hacks may also be hard to hide. If a website goes down or is defaced, this is obvious for all to see. The other difficulty with protecting against malicious activity is the constantly shifting nature of the environment that needs protecting. Bring your own device (BYOD) is one such disruptive shift. A related one is the increasing use of apps.

A Computing survey of 130 IT professionals running a transactional website found that 15 per cent of them are now taking advantage of the spread of mobile devices by offering their own downloadable app to customers. Of these, around a third were collecting personally identifiable data (PID) such as date of birth, social media logins and credit card information via their apps; similar proportions were recorded for transactional websites (figure 1).


As well as providing one more potential vector for attack that must be guarded against, many mobile apps, especially when hosted on open platforms such as Android/Google Play, have been found to be particularly susceptible to malware. Combined with the BYOD trend, this is particularly unwelcome news for IT departments.

While the vast majority of survey respondents have some kind of protection in place on their website, such as SSL to prevent eavesdropping or two-factor authentication, when it comes to storing the PID, 13 per cent said they do so without encrypting it. This is an obvious risk factor and one that is readily rectified by encrypting the data at rest, provided the keys are kept separate from the encrypted store, since a key sitting next to the data protects nothing. What’s more, the survey results suggest that in the majority of organisations PID is being stored for more than six months.
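The two fixes implied above, encrypting stored PID and not keeping it longer than needed, are small in code. The following Go program is an added example written for this page, not code from the survey or any respondent: it seals a customer field with AES-GCM, binds the ciphertext to the record ID so it cannot be silently moved onto another customer, and flags records that have passed a six-month retention limit. The key, record IDs, sample data and the 182-day limit are all constructed for the illustration; in production the key would come from a KMS or HSM rather than being generated in the same process.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// RetentionLimit mirrors the six-month figure discussed in the article.
// It is an assumed policy value for this example, not a regulatory number.
const RetentionLimit = 182 * 24 * time.Hour

// Record is an encrypted customer field as it would be written to a datastore.
// Only the nonce and ciphertext are persisted alongside the record ID and the
// storage time; the plaintext never reaches disk.
type Record struct {
	ID         string
	StoredAt   time.Time
	Nonce      []byte
	Ciphertext []byte
}

func newAEAD(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // key must be 16, 24 or 32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptPID seals plaintext under key with AES-GCM. The record ID is passed
// as associated data, so a ciphertext copied onto another record fails to open.
func EncryptPID(key []byte, id string, plaintext []byte, now time.Time) (Record, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil { // fresh random nonce per record
		return Record{}, err
	}
	ct := aead.Seal(nil, nonce, plaintext, []byte(id))
	return Record{ID: id, StoredAt: now, Nonce: nonce, Ciphertext: ct}, nil
}

// DecryptPID opens a record; any change to nonce, ciphertext or ID is detected.
func DecryptPID(key []byte, r Record) ([]byte, error) {
	aead, err := newAEAD(key)
	if err != nil {
		return nil, err
	}
	pt, err := aead.Open(nil, r.Nonce, r.Ciphertext, []byte(r.ID))
	if err != nil {
		return nil, errors.New("record failed authentication: wrong key, tampered data or mismatched ID")
	}
	return pt, nil
}

// Expired reports whether a record has outlived the retention limit and
// should be purged rather than decrypted.
func Expired(r Record, now time.Time) bool {
	return now.Sub(r.StoredAt) > RetentionLimit
}

func main() {
	// Constructed sample key and record for the example; a real deployment
	// fetches the key from a KMS/HSM, never from the store holding the ciphertext.
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	now := time.Now()
	rec, err := EncryptPID(key, "cust-1001", []byte(`{"dob":"1980-02-29","card":"4111111111111111"}`), now)
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored %d ciphertext bytes for %s\n", len(rec.Ciphertext), rec.ID)

	pt, err := DecryptPID(key, rec)
	fmt.Printf("decrypt: %s err=%v\n", pt, err)

	// Copy the ciphertext onto a different customer record: authentication fails.
	moved := rec
	moved.ID = "cust-2002"
	_, err = DecryptPID(key, moved)
	fmt.Println("moved record opens:", err == nil)

	fmt.Println("expired after 200 days:", Expired(rec, now.Add(200*24*time.Hour)))
}
```

Binding the record ID as associated data is the part most often left out: without it, an insider with write access to the database can swap encrypted fields between customers without ever touching a key, which is exactly the kind of account mix-up the Prudential case turned on.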

Looking now at how the information is backed up (figure 2), 17 per cent are using the cloud. However, one quarter of these respondents are unsure where the provider physically holds the data. If the cloud company is American or a subsidiary of a US organisation, or if the data passes through US jurisdiction, it is subject to the Patriot Act, meaning that the US authorities can access it without prior consent.


Thirty-four per cent keep back-ups on their own premises, which could put them at risk of losing the data in the event of fire or flood. That said, breaches that are really due to negligence are routinely blamed on third parties, including outsourcers, cloud providers and business partners, so many will prefer to retain the on-premises option and keep the data under their own control.

To err is human

Looking at the recent fines imposed by the ICO, a picture of blundering, short-cutting and forgetfulness becomes apparent.

In October the Greater Manchester Police Force was fined £120,000 for carrying sensitive data on unencrypted USB sticks despite a prior warning. In September, Scottish Borders council had to pay £250,000 when former employees’ pension records were found in a recycling bank, and last year Newcastle Youth Offending Team breached the DPA by failing to encrypt a laptop containing personal data that was later stolen.

Encryption is only part of the answer, however. To guard against data breaches, organisations need to get to grips with the issue fully, engaging it on all fronts and especially in staff education. In short, data protection requires a change in culture. It will never be more than an afterthought unless it is taken up vigorously by the board: by appointing data stewards and someone in overall control, such as a chief information security officer (CISO), and by enforcing policy.

Clear policies, setting out legal obligations and where liability lies, are needed for both the organisation and its employees, covering all devices whether they are owned by the company or by staff, and regular training is needed to keep staff fully aware of their responsibilities.

Finally, technical controls such as intrusion detection and prevention systems and anti-malware software need to be kept patched and up to date. Encryption should be automated where possible, so that it does not depend on individual staff remembering to switch it on, and mobile device management solutions deployed.

For some firms, especially smaller ones, this may represent a significant change in practice. However, in many cases improving data governance will have the knock-on effect of streamlining processes and creating better customer relationships, as well as guarding against an expensive trip to court.

@ComputingJohn