Whaley Bridge hit the news in late summer when the dam above the village threatened to burst and swamp its inhabitants. Although weather forecasts predicted the oncoming storm well in advance, what wasn’t anticipated was the structural weakness that the storm suddenly revealed.
Marriott must have experienced a similar feeling when confronted with a £99 million notice of intent from the ICO relating to a data breach in the Starwood chain it acquired in 2014. Having failed to discover the breach until 2018, the hotel combine stands accused of a failure in its due diligence.
High profile breaches like this one, alongside BA, have put chief information security officers (CISOs) under the spotlight and emphasised the limitations of what conventional cyber-security can achieve. “Vulnerabilities in software and web sites can be open for years and exploited by hackers long before they get spotted,” explained Peter Galdies, managing director of data governance specialists DQM GRC.
As revealed in the 2019 report from IBM Security, “The cost of a data breach,” it now takes an average of 206 days for organisations to identify that their defences have been penetrated, up by 5% from 2018. That leaves attackers a long window in which to operate before any remediation even begins. Once a breach has been identified, the clock starts to tick even faster, with GDPR mandating notification to the regulator within 72 hours.
“The regulator will ask why you were not aware of it. There are likely to be a lot of reasons, but the ICO does expect organisations to ensure they maintain the technology stack sitting behind solutions and have processes in place to prevent attacks, including running penetration tests,” said Galdies. Failing to keep security software up-to-date and to implement new security patches in solutions has been behind many historical breaches.
But the risk is not just from software. “On the human side, things are even tougher because people are tempted to access data and even to steal it,” he noted. The classic example is a salesperson moving to a rival firm, but disgruntled employees are a similar risk, as Morrisons discovered.
Locking down all data access is not a viable option, Galdies pointed out, nor is disconnecting from the internet. “The front office can’t operate in that environment. And the whole point of the connected economy is that it is connected.”
Instead, organisations need to look at introducing data monitoring alongside their hardwired cyber-security and firewalls. DQM GRC has just launched BreachTrak™, an innovative solution that seeds semi-synthetic data into databases and follows how it gets used subsequently. While the associated names are not legal entities, email addresses are live, phone numbers get answered and physical mail is redirected to the company.
Crucially, all of this activity is then scanned and assessed for its points of origin and whether the sender has permission to use that data. DQM GRC also scans both the open and the dark web every 15 minutes looking for instances of the data which might indicate it has been stolen.
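The seeding-and-tracing idea described above can be illustrated with a small canary-record scheme. The code below is an added example written for this article, not BreachTrak™ or any other DQM GRC code: it derives synthetic contact records whose email addresses carry a keyed tag tied to the dataset they were seeded into, then scans constructed log lines (outbound mail, a scraped paste) for those records and checks the sender against a per-dataset list of parties permitted to use that copy. The secret key, the `example.com` mail domain, the UK reserved drama phone range and every log line are constructed for the demonstration.

```python
"""Canary records seeded into a dataset, and a detector for where they resurface.

Added example only; not DQM GRC's BreachTrak implementation. The record
layout, the permitted-sender registry and the sample lines are constructed.
"""
import hashlib
import hmac
import re
from dataclasses import dataclass

# Hypothetical per-deployment secret; in practice loaded from a secret store.
SEED_KEY = b"constructed-demo-key"

EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")
PHONE_RE = re.compile(r"\+?\d[\d \-()]{7,}\d")


@dataclass(frozen=True)
class CanaryRecord:
    dataset: str   # which copy of the data this record was seeded into
    name: str
    email: str
    phone: str


@dataclass(frozen=True)
class Sighting:
    line_no: int
    source: str
    dataset: str
    permitted: bool


def digits(s: str) -> str:
    """Normalise a phone number to its digits so formatting differences don't hide a match."""
    return "".join(ch for ch in s if ch.isdigit())


def make_canary(dataset: str, index: int, domain: str = "example.com") -> CanaryRecord:
    """Derive a canary record whose email local-part is a keyed HMAC tag.

    The tag binds the record to one dataset, so a later sighting tells you which
    copy leaked. Names are synthetic; the mail domain should be one the defender
    controls (example.com is a placeholder). 01632 960xxx is the UK range reserved
    for fiction, so the phone number cannot belong to a real person.
    """
    tag = hmac.new(SEED_KEY, f"{dataset}:{index}".encode(), hashlib.sha256).hexdigest()[:10]
    return CanaryRecord(
        dataset=dataset,
        name=f"Canary Person {index}",
        email=f"c.{tag}@{domain}",
        phone=f"+44 1632 960{index:03d}",
    )


def scan_lines(lines, canaries, permitted_sources):
    """Scan '<source>\\t<text>' lines for canary emails or phones.

    permitted_sources maps a dataset name to the set of senders entitled to use
    that copy (for example the vendor it was lawfully shared with). Any other
    source seen using the record is flagged as unauthorised.
    """
    by_email = {c.email.lower(): c for c in canaries}
    by_phone = {digits(c.phone): c for c in canaries}
    sightings = []
    for n, line in enumerate(lines, 1):
        source, _, text = line.partition("\t")
        hits = set()
        for m in EMAIL_RE.findall(text):
            if m.lower() in by_email:
                hits.add(by_email[m.lower()])
        for m in PHONE_RE.findall(text):
            if digits(m) in by_phone:
                hits.add(by_phone[digits(m)])
        for c in sorted(hits, key=lambda c: c.email):
            ok = source in permitted_sources.get(c.dataset, set())
            sightings.append(Sighting(n, source, c.dataset, ok))
    return sightings


def demo():
    """Seed two copies, then check constructed traffic for reuse of the records."""
    canaries = [make_canary("crm-vendor-copy", 1), make_canary("hr-system", 2)]
    permitted = {"crm-vendor-copy": {"mailer@vendor.example"}}
    lines = [  # constructed sample lines
        f"mailer@vendor.example\tOffer for {canaries[0].name} <{canaries[0].email}>",
        f"unknown@free-mail.example\tDiscount for {canaries[0].email}",
        f"paste-site-scrape\t{canaries[1].name},{canaries[1].phone}",
        "mailer@vendor.example\tNewsletter for someone.else@example.org",
    ]
    return scan_lines(lines, canaries, permitted)


if __name__ == "__main__":
    for s in demo():
        status = "permitted" if s.permitted else "UNAUTHORISED"
        print(f"line {s.line_no}: dataset {s.dataset} used by {s.source} ({status})")
```

Running `demo()` yields three sightings: the vendor's own mailing is permitted, the same record used from an unknown sender is flagged, and the HR copy turning up on a paste is flagged; the line with no canary produces nothing. The keyed tag is what lets the detector attribute a sighting to a specific seeded copy rather than merely noting that an address looks familiar.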
“You can use this to demonstrate you are doing due diligence. It shows you are serious and concerned about how the organisation’s data is being used,” he said. “Awareness of this issue is rising, especially in areas like HR, but it is still not being thought about often enough. You can’t just leave it to the CISO.”
Like all forms of data protection and cyber-security, there is a constant tension between overt actions to secure data assets and the covert attacks being carried out. CISOs can build the best firewall imaginable, but, as Galdies points out, “how would they know where there is a gap?”
Like the dam at Whaley Bridge, what you expect (in the form of storm flooding or hackers) might not be what creates the problem (which could be a structural weakness or your own employees going rogue). Unless you track where data is ending up, you could find yourself overwhelmed by a big fine.