DATA PROTECTION AND PRIVACY

LEARNING LESSONS FROM DATA BREACHES 

By Piers Wilson, Head of Product Management, Tier-3

Tier-3 logo onlyDespite ever tightening legislation, and growing awareness of the threats poised by attackers, insiders and technical failures we continue to see frequent lapses in privacy controls, data losses and thefts of personal data. Are there things that businesses commonly get wrong? What steps should they be taking to lift the levels of protection that they afford to personal data?

Pierce Wilson_Data ProtectionOver the last few years we have seen a dramatic rise in the level of awareness of privacy and information risk. This has been evident in the security profession, in the wider IT field, at all levels of management and in the views of society as a whole. This has been accompanied by tighter legislation (including a proposed new EU Directive), heightened media interest and greater coverage of cyber crime, data losses and the implications of identify theft and cyber-fraud.
PRIVACY IS A WIDER ISSUE THAN SECURITY
The result of this is continued unease at the way our data is stored, processed and used by large businesses. This extends beyond the protection of information from theft, loss or disclosure (security) – and encompasses additional focus on what businesses do with the data itself (privacy).
Recent examples have included:
  • Speculation around the implications of the Facebook/Whatsapp tie-up on privacy, identity and communications.
  • The UK care.data initiative to enable GPs to pass health data to a central database for a range of health-related uses, potentially including use by third parties.
  • Interception of SMS, web, voice and email traffic from within the communications and Internet businesses by various governments and intelligence agencies.
Although this wider debate continues – there is now a tangible distrust in the eye of the consumer, employee or citizen around the safety, security and sanctity of their information. For businesses, the way data is used and shared with “authorised” parties is as important as how it is protected from access by “unauthorised” ones.
Piers Wilson - Data protection 2THE IMPACTS OF RECENT CASES
Looking at recent security breaches it is often easy to identify where exposures have occurred. However, the actual impacts can be harder to pin down. A major breach commonly impacts on the company or organisation themselves as well as to the data subjects. These impacts can be blended and confused in the desire to quantify the effects of a breach – often masking an underlying trend or wider repercussion.Simplistic calculations of impact may take the fraud losses, the impact on share price, the cost to investigate, the cost to notify, reissue cards to and fund identity theft insurance for affected customers etc. This really needs to be added to the damage to reputation and the strategic implications resulting from alterations to service models, revenue generation and partner relationships.It is often possible to define at least some bounds around the scale or severity of a breach at the organisational level. However, for the data subject themself the resultant risk, fraud exposure or privacy impact may be highly variable. Certainly, where the case includes an element of monetary risk or fraud exposure, privacy may not be felt to be the worst component of the problem. Who cares if people know that I shop at Target or what my old credit card number was? Ironically, an individual victim of a well publicised, large scale breach may find they are better insulated from the resultant fraud and theft risks (due to the media attention and response) that a single individual whose individual personal data is stolen in a one-off case.

The other recent newsworthy privacy breach in the UK saw the Morrison’s supermarket chain lose a database containing employee details, bank and salary data. At the time of writing, this case is fairly new, although there are indications that an insider was involved (which prompts a whole new trust question). Here we see more complex impacts on the business, and also on the individuals who work for it – not only does trust in the organisation get shaken, but trust in colleagues as well.

So at an individual level, the impacts of a breach are less easy to quantify. For many people, having a credit card reissued is not a major inconvenience, whereas radically changing your shopping habits would be. Similarly, the level of annoyance from having to change your bank account details, reset all your online passwords (as in the case of the Heartbleed vulnerability) is often arguably greater than having your salary information leaked to the world.

In general therefore, we commonly see situations where personal data is not as well protected as the companies and data subjects would like, certainly with hindsight. However, the impacts on the parties involved, the motivations and eventual outcomes are so diverse even in the recent cases noted above, the privacy “lessons learned” are often quite different depending on the case itself and your one’s individual point of view.

CHANGING PRIVACY LEGISLATION
The current UK Data Protection Act is now somewhat long in the tooth; the forthcoming (currently delayed) EU directive as currently set out will tighten the rules further once it becomes legislation.

Heightened scrutiny, higher fines and requirements for breach notifications might provide assurance that breaches of personal data will be more heavily sanctioned and hence more often averted or deterred. In some respects these changes pose interesting questions. On the face of it, forcing organisations to declare breaches is a good idea – either to a regulator or to the data subjects themselves (or both). It requires an increased level of oversight and monitoring, coupled with the ability to swiftly detect when an actual breach has occurred and to diagnose its nature.

Historically, most breaches that have been publicised have come to light through other means (e.g. by the resultant fraud, due to the wider impacts, or by the involvement of the press). This is often not ideal, and can be driven by the motivations of the attacker or the media organisations themselves. It also leads to the conclusion that there will have been breaches – potentially quite serious ones – that have not been noticed, or been kept away from the public and dealt with quietly. Although, one could question whether such a “hidden” breach is significant if the impacts have not been noticed.

So a requirement for breaches to be detectable and reported is a major shift. It should improve visibility and may also reduce some of the more alarmist reporting. However, we may risk de-sensitising consumers through the number of these breaches as they become more widely reported. As a consumer, if every bank has suffered a breach, then how do I choose a bank that will protect my data? If my local supermarket chain has suffered a breach, then do I drive further to the next shopping centre? If my employer loses my data, do I change jobs to a company with tighter internal security?

While increased visibility and openness is desirable, society we may not like the results that emerge or even start to treat losses as less significant when they do occur. One can also speculate as to whether the embarrassment of detecting and having to report every low severity breach will drive companies to scale back internal detection? Or will companies reach a point where, having been attacked and survived, they will simply optimise their communications and reporting processes rather than increase the security protection of sensitive data. If good brand management after a breach is cheaper and more effective than good security beforehand, we could start to see a shift in corporate behaviour. Yet tighter legislation seems inevitable, and is likely to cause a change in how we consider privacy risk and how businesses manage it.

Piers Wilson Data protection 3UNDERSTANDING THE VICTIM
A common concept in many data breaches that involve personnel data is the consideration of who the victim of the breach actually is. It is common to highlight the impacts on firms who suffer attacks and data subjects when their data has been compromised or their communications intercepted.Whilst it is easy to paint the companies involved in security and data breaches as careless, negligent or naïve, there is also a defence that businesses need to take a proportionate approach to controls. In some cases they have, after all, been the victim of a crime.One expects point-of-sale systems at checkout areas to be somewhat accessible to the general public – a degree of physical security risk has to be accepted. Similarly, employees have access to sensitive data held by their employer; so in employment contracts there is a requirement on employees to sign a confidentiality clause and security policy.

There is a counter-argument that exposures such as these can be foreseen and hence that they should be defended against. In reality, a degree of risk management is needed and that can introduce subjectivity. To expand on the examples, publicly accessible systems dictate a more robust set of controls around connection of rogue devices or tampering; and prevention of unauthorised access to data necessitates access controls for employees (despite the contractual and policy safeguards) and often means deploying an identity and access management mechanism to manage this.

It is easy to condemn the inadequate controls after the event. However, it would be wrong to assume that in all cases where breaches have occurred, that security decisions were not well intentioned or even well informed. Recent cases do highlight failings – but often failures occur despite the controls that are in place, or because a single inadequate control leads to an exposure.

Clearly, cases of insider attack or misuse are particularly insidious. The perpetrator has knowledge of the control environment, often the ability to cover their tracks and commonly a specific, targeted motive. In such a circumstance, the victim of a privacy breach may be a customer, a set of customers, another member of staff or a third party who has a relationship with the perpetrator – and the defensive stance of the organisation needs to reflect this.

LIVING WITH RISK
Clearly, a degree of “privacy risk” has to be acknowledged – both as organisations and as individuals. One only has to look at the social media environment to see individuals sharing considerable amounts of personal information with friends, colleagues, contacts, co-workers or even sometimes strangers; often on the basis that they have a degree of (perceived) control over what happens to it, how it is used or who can see it.Realistically, organisations will continue to suffer lapses in security, vulnerabilities will continue to be reported and databases will continue to be compromised. Yet people will continue to bank, shop, create user accounts, publicise online profiles and share information. The need for privacy and security risk management is as important as ever.
EXTRACTING POSITIVE MESSAGES
To conclude, it is worth drawing some lessons from the emerging worldview on privacy and security and the recent examples that we have discussed in this article.In each case there are lessons that can be learned and wider trends, including those driven by regulation, that can be leveraged to shape a more progressive privacy and security stance for your organisation.
  1. Collecting and processing data “fairly” is easier if you are open about how you use the information you collect
    Although this sounds obvious, and is required in the UK by current legislation, there is still public disquiet when information that a data subject feels “ownership of” is subverted for commercial gain. Witness the (now delayed) UK NHS care.data initiative and the unease at email providers who use subscriber message content to target advertising.
  2. Users expect a balance between security controls and ease of use – the ability to share data easily when they want to, but to protect them when they don’t
    One example of this is passwords, where there is continual tension between complexity and security, ease of use and the poor passwords chosen by users. Finding the balance is key – and this has to be reflected in the overall security provisions, but also in the way user settings around data sharing and access are defined and how default options are chosen and advertised.
  3. Prevention is fine, but focus on detection and diagnosis
    It is vital to try to protect data; however, protective measures in a real business environment will never be 100% successful and hence there is a strong likelihood (even a certainty) of a breach at some point. Consequently, being able to detect the expected breach quickly, understand it, limit the impacts and restore order are at least as important as building layer upon layer of defensive controls in isolation.
  4. When a breach occurs the way you respond matters – possibly more than the nature of the breach itself
    The process of dealing with a breach is important; how you utilise the security and access control solutions, the audit trails, work as a team, interact with customers, stakeholders, the media and the regulators or legal bodies has a big impact on the perceived scale, newsworthiness or severity of a breach. Regrettably, there are many more examples of how not to handle serious incidents than there are examples of well-handled ones – but finding ways to accelerate this learning process (without having the indignity of being ravaged by the media yourself) is vital.
  5. Don’t overlook “lower hanging security fruit” in an effort to defeat the “advanced organised criminal web site hack”
    Make sure you have got a threat view that spans physical access attacks, insiders and employees, third parties and users/customers themselves – and includes low sophistication attacks. It is very easy to focus on “the targeted attacker”, and protection from worrying zeroday vulnerabilities or advanced malware. However, make sure that basic security is in place – patching, user access controls, anti-virus, physical security, application security and awareness etc. so that you have protection from “trivial” or “simpler” incidents that are often just as serious and hard to detect but potentially more embarrassing.
  6. Respond quickly to global issues and quicker to local ones
    Internet security issues frequently emerge that have a broad effect (e.g. Heartbleed). It is important to be aware of these and able to rapidly update controls, systems, processes and applications to ensure they are addressed – and be visible and communicative about it. However, more specific issues that affect you or your systems directly may be more damaging – and you don’t have the excuse that “it is affecting everyone, not just us”. Avoid thinking that the perceived scale or notoriety of vulnerabilities necessarily corresponds with the urgency to address them.
  7. Consider the way security and privacy considerations are handled “as a process” in your organisation
    Do you have the right processes, the right people with the right skills, and the right tools to make decisions, steer technical and business activities and to handle security and privacy incidents. Many breaches of privacy or security result from “process failures” and these can occur at several levels; often where the understanding of the specific problem or any wider issues is scarce.
What is increasingly clear, both from the examples earlier and the suggestions above, is that privacy and security are becoming more than just an adjunct of the operational or IT functions. Wider organisational issues with correspondingly broad are involved and impact stakeholder communities.Being cognisant of the basics, the requirements of customers and users and the wider threats and issues that can affect the control environment must become a higher priority for modern businesses. As regulations change, as technology becomes more complex and dynamic and as consumers become more demanding, updating approaches to privacy and security are vital activities and must be prioritised as such by all organisations. ■
ABOUT THE AUTHOR

Piers WIlson
Piers Wilson is Head of Product Management at Tier-3, a leading provider of intelligent security and threat monitoring solutions. Prior to that, he spent many years working in senior roles as a consultant in cyber-security and the related fields of information assurance and data protection – most recently as a Senior Manager at PricewaterhouseCoopers and before that as Head of Technical Assurance at Insight Consulting. Over the last 20 years, he has worked in both the public and private sectors and on a wide range of technical and managerial projects. He is also a Director of the Institute of Information Security Professionals (IISP). See www.tier-3.com and www.iisp.org.