Brian Pennington

A blog about Cyber Security & Compliance

Elizabeth Denham’s speech at the Data Protection Practitioners’ Conference 2017

6th March, Manchester, UK.

Good morning, and welcome to Manchester. It’s cold and it’s grey, but for those of us who live around here, we kind of like it, and we’re proud it’s where the biggest data protection conference of the year takes place.

We’ve got a busy schedule today. Lots on GDPR, of course. Trevor Hughes from IAPP talking about the role of the data protection officer internationally. Practical workshops on everything from breach notification to consent. And a very engaging information market – the speakers’ corner looks sure to be a conversation starter, and don’t miss our experts talking about the law enforcement directive too.

So lots to engage you. Let’s get started by getting your grey matter warmed up: a quick general knowledge quiz. One question:

What links the following:

  • the Labour Party;
  • international weightlifting;
  • the music you heard when I entered the room; and
  • the ICO?

The answer is right before your eyes: all have performed right here at this venue. I’m not sure which of the four had the rowdiest audience…!

Manchester Central has been the home of the Data Protection Practitioners Conference for the best part of a decade, and I’m sure you’ll agree it’s an excellent venue. It was converted from a railway station built more than 125 years ago by Sir John Fowler, the architect famed for his work on the Forth Railway Bridge.

Sir John once said: “Engineers are not mere technicians and should not approve or lend their name to any project that does not promise to be beneficent to man and the advancement of civilization.”

DPOs in the mainstream

I think there’s something in that comment for us here today. About not merely being technicians. About looking to see how the projects we contribute to can be beneficial to citizens. How we can put the customer first.

I don’t think that’s too grand an aim. This is an exciting time to be in data protection. Like many of you, I’ve worked in this sector a long time. I remember when we were a back office function. When we often were seen as “mere technicians”. That seems a very long time ago.

My colleague Rob Luke, who you’ll hear from shortly, is speaking before an advertising conference later this week. Fifteen years ago, which advertiser would have invited the data protection regulator to their annual event? Who thought data protection when they booked a slot in the ad break during Coronation Street? But today, data protection is central to their work. Making the most of customer data. Combining big data sets. Finding new ways to better understand what consumers want, to track how they act or predict what they will do next.

Last week, we opened an inquiry into privacy risks arising from the use of data analytics for political purposes following public reports about the role of private firms in the Brexit referendum. We often find ourselves at the heart of many debates of modern society.

It’s an exciting time to work in data protection, whatever your sector, with real opportunities. We’ll talk a lot today about the practical aspects, from how GDPR will change things at your organisations, to the steps you can take to use the coming change in the law as an opportunity to inform your practices.

But let’s not lose sight of what good data protection can achieve. We have an opportunity to set out a culture of data confidence in the UK. We just need to keep in mind that when we lend our name to projects, we should think about how they can be of benefit to citizens.

Review of last 12 months

I think it’s fair to say that a recap of the files we’ve been involved in over the past twelve months can be characterised by organisations failing to put customers first.

Our work with WhatsApp and Facebook springs to mind. We all rely on digital services for important parts of our lives. But my office felt these apps were not taking enough responsibility for data protection. Companies have legal responsibilities to treat people’s data with proper care and transparency – to give them persistent control and choice.

Similarly the record fine we issued to TalkTalk. You could write an essay discussing the technical detail of the cyber-attack itself, but fundamentally, not enough respect – not enough care – was being given to the type of protection consumers would have expected of their personal information.

And without rehearsing the conversations we’ve had with parts of charity sector, there’s a similar theme: insufficient thought about the level of transparency donors would want, expect, or support.

They’re examples of organisations getting it wrong under the current Data Protection Act. GDPR is going to put even more of an onus on organisations to understand and respect the personal privacy rights of consumers.

GDPR

Because while the General Data Protection Regulation builds on the previous legislation, it provides more protections for consumers, and more privacy considerations for organisations. It brings a more 21st century approach to the processing of personal data.

The GDPR gives specific new obligations for organisations, for example around reporting data breaches and transferring data across borders.

But the real change for organisations is understanding the new rights for consumers.

Consumers and citizens will have stronger rights to be informed about how organisations use their personal data. They’ll have the right to request that personal data be deleted or removed if there’s no compelling reason for an organisation to carry on processing it, and new rights around data portability and how they give consent.

On that subject, do take a look at the guidance on consent that is now out for consultation, and will be discussed at our workshop later today.

Accountability and breadth

At the centre of the GDPR is the concept of broader and deeper accountability for an organisation’s handling of personal data. The GDPR brings into UK law a trend that we’ve seen in other parts of the world – a demand that organisations understand, and mitigate – the risks that they create for others in exchange for using a person’s data. It’s about a framework that should be used to build a culture of privacy that pervades an entire organisation. It goes back to that idea of doing more than being a technician, and seeing the broader responsibility and impact of your work in your organisation on society.

Making it matter to the boardroom

I’ve already spoken to some of you this morning, and I hear what you’re saying. You understand why having your organisation accept more accountability for data protection matters. You want to change the culture of your organisation. But in many cases, you need to convince your senior management first. So, what can I give you today to help you make that case when you go back to your offices tomorrow?

The fines are the obvious headline. The GDPR gives regulators greater enforcement powers. If an organisation can’t demonstrate that good data protection is a cornerstone of their business policy and practices, they’re leaving themselves open to enforcement action that can damage their public reputation and possibly their bank balance. That makes data protection a boardroom issue.

But there’s a carrot here as well as a stick, and as regulators we actually prefer the carrot. Get data protection right, and you can see a real business benefit.

Accepting broad accountability for data protection encourages an upfront investment in privacy fundamentals, but it offers a payoff down the line, not just in better legal compliance, but a competitive edge. Whether that means attracting more customers or more efficiently meeting pressing public policy needs, I believe there is a real opportunity for organisations to present themselves on the basis of how they respect the privacy of individuals. Over time this can play a real role in consumer choice.

What the ICO is doing

Gandhi said the future depends on what we do in the present. So let me talk a little about what my office is doing now, to help you prepare for the future.

I’ve worked as a regulator in this field for more than twelve years and my focus has always been on making sure the regulator is relevant. On making sure we’re taking on that challenge of not being mere technicians but instead are making a difference to the organisations we regulate through education. Making a difference to the public, through giving them an avenue to file a complaint and by sanctioning the bad actors.

Each of us in the information rights field, on a daily basis, tries to make a difference to the public. Collectively, we do a good job: I think people have never been more aware of their rights, of what they can expect of the businesses and organisations they trust with their data. But consumer trust hasn’t followed that. An ICO survey last year showed only one in four UK adults trust businesses with their personal data. And I don’t believe the figure would be much higher for the public sector. As a regulator, it’s one of my jobs to give you the tools and the support to turn that around.

I want to see comprehensive data protection programs as the norm, organisations better protecting the data of citizens and consumers, and a change of culture that makes broader and deeper data protection accountability a focus for organisations across the UK. I think that’s achievable.

We’ll be shortly announcing work we’ll be doing to contribute to that. We want to support independent research that helps people better navigate the digital world. Our research and grants programme will dedicate funds over the next five years to engaging the research community in finding ways to help consumers. More details in due course.

Post Brexit

And of course we need to be looking to the horizon, to what might exist beyond GDPR.

Fourteen months ago I was writing a speech for a different audience, in a different role. My appearance was at the Canadian annual privacy and security conference, as information and privacy commissioner for British Columbia. I was talking about the challenges of a digital economy that required data to flow across borders, where different legal systems and cultural norms about privacy make this a complicated undertaking. More specifically, I spoke about how changes within the EU affect those outside of it, particularly around adequacy.

How familiar does that sound today? The UK EU referendum decision means we’re facing the same challenges. The UK’s digital economy needs data to flow across borders: how do we make sure that can happen? How can we foster economic growth while still respecting citizens’ rights?

When the government comes to answer those questions beyond the implementation of GDPR in 2018, we expect to be at the centre of many conversations, speaking up for continued protection and rights for consumers, and clear laws for organisations. And addressing the strong data protection laws we’d need if we want to keep the UK’s approach at an equivalent standard to the EU.

Conclusion

Which brings us back to today. The GDPR is a strong data protection law. It gives consumers more control over their data. And it includes new obligations for organisations.

Today is about learning more about those obligations, more about data protection best practice, more about how to get it right.

Today is about helping you make the best use of tomorrow.

UK Businesses unprepared for changes to the Data Protection Act

Crown Records Management survey of IT decision makers reveals companies are woefully unprepared for EU General Data Protection Regulation.

European politicians met on the 24th June 2015 in a bid to ratify huge changes in data protection regulation, but a survey has revealed UK businesses are woefully unprepared.

The EU General Data Protection Regulation aims to unify data protection across Europe with a single law and will be fine-tuned in Brussels at a ‘trilogue’ meeting of the EU Commission, European Parliament and the Council of the EU.

Once passed, it will bring with it huge fines (up to 100m Euros or 2% of global turnover) for companies that breach the regulation – as well as a raft of new rules about collecting, editing and processing the personal data of European citizens. Many companies will also be compelled to employ a Data Protection Officer for the first time.

Experts predict it will affect every single company that operates from within the EU, does business with companies inside the EU, stores its data in EU member countries or handles the personal data of European citizens.

A Crown Records Management Censuswide survey of IT decision makers at UK companies with more than 200 employees revealed businesses here are painfully unprepared – and one in five hasn’t even heard of the Regulation.

Results include:

  • 19.6% are totally unaware of the changes
  • 29.4% of decision makers aged 55+ know nothing about the challenges ahead
  • 25.3% will wait for the final details of the Regulation before taking any action at all
  • 52% who know about the Regulation still aren’t currently reviewing policies
  • 42.5% of decision makers in companies with a turnover of more than £500m are ‘not really concerned’ or ‘not concerned at all’ about the impact of the new structure.
  • 63% have not yet appointed a Data Protection Officer, which will soon become compulsory for many companies
  • 59% have no plans in place to train staff despite the changes looming

Reproduced from Crown Records Management.

Read my 2012 review of the Proposed European Data Protection Act here.

Who breached the Data Protection Act in 2014 (UK)? Find the complete list here.

Who breached the Data Protection Act in 2013 (UK)? Find the complete list here.

Who breached the Data Protection Act in 2012 (UK)? Find the complete list here.

Shadow Cloud Services 20 Times More Prevalent than Sanctioned Cloud

Skyhigh Networks released its new “Cloud Adoption & Risk in the Government Report.” The Q1 2015 report reveals that shadow IT is prevalent in government agencies.

The average public sector organization uses 742 cloud services, which is about 10-20 times more than IT departments expect. Despite the security initiatives in place, such as FedRAMP, FISMA, and FITARA, many government employees are unaware of agency rules and regulations or simply ignore them and use cloud services that drive collaboration and productivity.

“As agencies grapple with how to manage shadow IT and securely enable sanctioned IT, they need visibility into the real usage and risk of cloud services as well as the ability to detect threats and seamlessly enforce security, compliance, and governance policies,” said Rajiv Gupta, CEO of Skyhigh Networks. “Skyhigh manages shadow IT and securely enables sanctioned IT, allowing public sector organizations to use hundreds of cloud services while providing robust data protection services, thereby meeting data privacy requirements and conforming to regulations.”

Despite clear benefits of cloud services Federal agencies are slow to migrate to the cloud due to security concerns. As a result, employees adopt cloud services on their own, creating shadow IT. Under FITARA, Federal CIOs must oversee sanctioned cloud services as well as shadow IT. This new requirement underscores the uncertainty about how employees are using cloud services within their agencies.

Understanding Shadow IT

The average public sector organization now uses 742 cloud services, which is about 10-20 times more than IT departments report. What agencies don’t know can hurt them. When asked about insider threats, just 7% of IT and IT security professionals at public sector organizations indicated their agency had experienced an insider threat. However, looking at actual anomaly data, Skyhigh Networks found that 82% of public sector organizations had behavior indicative of an insider threat.

Agencies cannot rely on the security controls offered by cloud providers alone. Analyzing more than 12,000 cloud services across more than 50 attributes of enterprise readiness developed with the Cloud Security Alliance, the report found that just 9.3% achieved the highest CloudTrust Rating of Enterprise Ready. Only 10% of cloud services encrypt data stored at rest, 15% support multi-factor authentication, and 6% have ISO 27001 certification. Skyhigh Networks helps Federal agencies address these security gaps and gain control over shadow IT by providing unparalleled visibility, comprehensive risk assessment, advanced usage and threat analytics, and seamless policy enforcement.

Password Insecurity

Compromised credentials can also mean disaster for Federal agencies. According to a study by Joseph Bonneau at the University of Cambridge, 31% of passwords are used in multiple places. This means that for 31% of compromised credentials, attackers can potentially gain access not only to all the data in that cloud service, but all the data in other cloud services as well. The average public sector employee uses more than 16 cloud services, and 37% of users upload sensitive data to cloud file sharing services. As a result, the impact of one compromised account can be immense.

The Skyhigh “Cloud Adoption & Risk in the Government Report” reveals that 96.2% of public sector organizations have users with compromised credentials and, at the average agency, 6.4% of employees have at least one compromised credential.

Cloud Services in the Public Sector

Most cloud services deployed in the public sector are collaboration tools. The average organization uses 120 distinct collaboration services, such as Microsoft Office 365, Gmail, and Cisco Webex. Other top cloud services are software development services, file sharing services, and content sharing services. The average employee uses 16.8 cloud services, including 2.9 content sharing services, 2.8 collaboration services, 2.6 social media services, and 1.3 file sharing services. Shockingly, the average public sector employee’s online movements are monitored by 2.7 advertising and web analytics tracking services, the same services used by cyber criminals to inform watering hole attacks.

The report also reveals the top cloud services used in the public sector.

Top ten enterprise cloud services are:
1. Microsoft Office 365
2. Yammer
3. Cisco WebEx
4. ServiceNow
5. SAP ERP
6. Salesforce
7. DocuSign
8. NetSuite
9. Oracle Taleo
10. SharePoint Online

Top ten consumer cloud services are:
1. Twitter
2. Facebook
3. YouTube
4. Pinterest
5. LinkedIn
6. Reddit
7. Flickr
8. Instagram
9. StumbleUpon
10. Vimeo

The “Cloud Adoption & Risk in the Government Report” is based on data from 200,000 public sector employees in the United States and Canada.

Cloud Security: What Higher Education Needs to Know

by Ellucian

Corporate Data: A Protected Asset or a Ticking Time Bomb?

Corporate Data: A Protected Asset or a Ticking Time Bomb? is a Ponemon Institute study sponsored by Varonis, surveying a total of 2,276 employees in US and European organizations (United Kingdom, Germany and France), including 1,110 individuals (hereafter referred to as end users) who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,166 individuals who work in IT and IT security (hereafter referred to as IT practitioners).

In the context of this research, both IT practitioners and end users are witnessing a lack of control over their organizations’ data and access to it, and the two groups generally concur that their organizations would overlook security risks before they would sacrifice productivity. Employees are often left with needlessly excessive data access privileges and loose data-sharing policies.

Compounding the risk, organizations are unable to determine what happened to data when it goes missing, indicating a lack of monitoring and further absence of controls.

This presents a growing risk for organizations due to both accidental and conscious exposure of sensitive or critical data. Efforts to address these risks will need to overcome employee perceptions, as they believe data protection is not considered a high priority by senior leadership.

Following are research findings that illustrate the growing risks and challenges to productivity that data growth and a lack of internal controls currently present for organizations of all sizes:

End users believe they have access to sensitive data they should not be able to see, and more than half say that access is frequent or very frequent. 71% of end users say that they have access to company data they should not be able to see. 54% characterize that access as frequent or very frequent.

End users believe data protection oversight and controls are weak. 47% of end users say the organization does not strictly enforce its policies against the misuse or unauthorized access to company data and 45% say they are more careful with company data than their supervisors or managers. Furthermore, only 22% of employees say their organization is able to tell them what happened to lost data, files or emails.

IT agrees. Most IT practitioners surveyed state that their companies do not enforce a strict least-privilege (or need-to-know) data policy. Four in five IT practitioners (80%) say their organizations don’t enforce a strict least-privilege data model. 34% say they don’t enforce any least-privilege data model.

End users and IT agree that data growth is hindering productivity more every day. 73% of end users believe the growth of emails, presentations, multimedia files and other types of company data has very significantly or significantly affected their ability to find and access data.

Uncertainty about whether senior executives view data protection as a priority affects compliance with security policies. Only 22% of end users believe their organizations overall place a very high priority on data protection. About half (51%) of IT practitioners believe their CEO and other C-level executives consider data protection a high priority.

IT practitioners say end users are likely to put critical data at risk. 73% of IT practitioners say their department takes data protection very seriously. However, only 47% believe employees in their company take the necessary steps to make sure confidential data is secure. Thus, IT departments know end user security risks exist but think they are limited in what they can do about it.

End users think it is OK to transfer confidential documents to potentially insecure devices. 66% of end users say there are times when it is acceptable to transfer work documents to their personal computer, tablet, smart phone and even the public cloud. Only 13% of IT practitioners agree.

End users and IT practitioners do not think their organization would accept diminished productivity to prevent the risk to critical data. 55% of end users say their company’s efforts to tighten security have a major impact on their productivity. Only 27% of IT practitioners say their organization would accept diminished productivity to prevent the loss or theft of critical data.

End users and IT agree that employees are unknowingly the most likely to be responsible for the leakage of company data. 64% of end users and 59% of IT practitioners believe that insiders are unknowingly the most likely to be the cause of leakage of company data. And only 46% of IT practitioners say employees in their organizations take appropriate steps to protect the company data they access.

Information Security and Cyber Liability Risk Management – a 2014 survey

Advisen Ltd and Zurich have partnered for a fourth consecutive year on a survey designed to gain insight into the current state and ongoing trends in information security and cyber liability risk management. Invitations to participate were distributed via email to risk managers, insurance buyers and other risk professionals. The survey was completed at least in part by 507 respondents.

The majority of respondents classified themselves as one of the following:

  • Member of Risk Management Department (not head) (38%)
  • Chief Risk Manager/Head of Risk Management Department (33%)

Respondents with more than 20 years of risk management and insurance experience represented the largest group at 39% of the total, followed by 25% with between 11 – 20 years, 18% with 5 years or less, and 17% with between 6 – 10 years.

A summary of the survey is below.

Perception of Cyber Risks

Respondents’ perception of cyber risk is largely unchanged from last year with 88% considering cyber and information security risks to be at least a moderate threat to their organization. Respondents do however believe that board members and executive management are viewing cyber risks more seriously.

“In your experience, are cyber risks viewed as a significant threat to your organization by:”

  • 64% said “yes” for Board of Directors (54% in 2013)
  • 72% said “yes” for C-Suite Executives (6% in 2013)

Perception of risk varies based on size of business. Although studies have suggested that small companies are targeted as frequently, if not more so, than larger companies, as a group they continue to view cyber risks less seriously. In response to the question:

“How would you rate the potential dangers posed to your organization by cyber and information security risks?”

  • 81% of the smallest companies (revenues less than $250 million) consider cyber risks to be at least a moderate danger
  • 93% of the largest companies (revenue greater than $10 billion) consider them to be so.

Consistent with last year’s study, on a scale of one to five, with 5 as very high risk and 1 as very low risk, “damage to your organization’s reputation resulting from a data breach” is the biggest concern of respondents with 64% rating it a 4 or 5. This was closely followed by “incurring costs and expenses from a cyberattack” with 62%, and “privacy violation/data breach of customer records” with 61%.

In contrast, the exposure perceived as the least risky was “theft or loss of customer intellectual property” with 43% rating it a 1 or 2. This was followed by “business interruption due to customer cyber disruptions” with 33%, and “employment practice risk due to use of social media” with 32%.

Data Breach Response

Over the past year, huge and highly recognizable U.S. businesses have fallen victim to some of the largest data breaches in history. These breaches are proof that even those with the most sophisticated information security practices and infrastructures are vulnerable to a cyber-attack. Some suggest that corporate data breaches are no longer an “if” or even a “when” proposition, but rather “how bad” will the inevitable breach be. When a breach does occur, research suggests that organizations that have data breach response plans in place prior to a breach, fare much better than those who do not.

“Does your organization have a data breach response plan in the event of a data breach?”

  • 62% said yes
  • 14% said no
  • 24% did not know

“In the event of a data breach, which department in your organization is PRIMARILY responsible for assuring compliance with all applicable federal, state, or local privacy laws including state breach notification laws?”

  • IT – 38%
  • General Counsel – 21%

These two departments received the highest percentages of the responses.

Information Security and Cyber Risk Management Focus

Consistent with the 2013 survey, 80% claim that information security risks are a specific risk management focus within their organization. Larger companies are slightly more likely to make it a focus, with 83% of companies with revenues in excess of $1 billion doing so, compared with 77% with revenues under $1 billion. However, the 6 percentage point difference between small and large companies is significantly less than the 17% difference from a year ago.

The difference is even more significant when comparing the largest companies (revenues of $10 billion or greater) and the smallest companies (revenues of $250 million or less), with 92% of the largest companies making information security a risk management focus compared with only 72% of the smallest companies.

For a second consecutive year, the percentage of respondents with a multi-departmental information security risk management team or committee has declined: 52% have such a team or committee, down from 56% in 2013 and 61% in 2012. Although statistically still within the margin of error, this is a potential trend worth following. As in previous years, however, this varies materially based on the size of company, with 58% of larger companies ($1 billion in revenue or greater) claiming to have this team or committee compared to 42% of smaller companies (under $1 billion in revenue).

The departments most likely to have representation on the information security risk management team are:

  • IT – 90%
  • Risk Management/Insurance – 73%
  • General Counsel – 63%
  • Compliance – 55%
  • Internal Audit – 47%
  • Treasury or CFO’s Office – 40%
  • Chief Privacy Officer – 36%
  • Marketing – 10%
  • Investor Relations – 6%
  • Sales – 5%
  • 9% Didn’t Know
  • 15% said Other
  • The most common write-in responses under “Other” were Operations and Security

The IT department is still acknowledged as the front line defense against information losses and other cyber liability risks. In response to the question “Which department is PRIMARILY responsible for spearheading the information security risk management effort?”

  • 69% responded IT
  • 11% Risk Management/Insurance
  • 5% responded Other, the most common being Information Security

Social Media

Social media provides businesses with an array of benefits such as increasing brand awareness, promoting products, and providing timely support. It also exposes organizations to a degree of risk, such as the potential for reputational damage, privacy issues, infringing other intellectual property, and data breaches.

“Does your organization have a written social media policy?”

  • 74% responded yes
  • 17% no

Cloud Services

For a third consecutive year respondents were asked questions on cloud services. Thanks to its cost effectiveness and increased storage capacity, cloud services have become a popular alternative to storing data in-house. Warehousing proprietary business information on a third-party server, however, makes some organizations uncomfortable due to the lack of control in securing the information. Nonetheless, security concerns continue to be outweighed by the benefits.

“Does your company use cloud services?”

  • 66% responded yes, up from 55% last year, and 45% in 2012.

“Is the assessment of vulnerabilities from cloud services part of your data security risk management program?”

  • 51% responded yes – consistent with last year

Mobile Devices

“Does your organization have a mobile device security policy?”

  • 74% said yes
  • 15% said no
  • 13% did not know

Larger companies continue to be more likely to have such a policy, with:

  • 82% of large companies ($1 billion or greater) responding yes
  • 62% of smaller companies (under $1 billion) responding yes

The use of personal handheld devices for business purposes is increasingly preferred by employees and allowed by employers. These non-company controlled devices, however, are accessing proprietary corporate information and frequently exposing organizations to a higher degree of risk.

“Does your organization have a bring your own device (BYOD) policy?”

  • 47% responded yes which is consistent with last year’s response.

The Role of Insurance in Information Security and Cyber Risk Management

The upward trend in the percentage of companies purchasing cyber liability insurance plateaued in 2014.

“Does your organization purchase cyber liability insurance?”

  • 52% responded yes
  • 35% said no
  • 13% did not know

Of the respondents who purchase coverage:

  • 32% have purchased it for less than two years
  • 47% between three and five years
  • 22% for more than five years

The percentage of companies who buy coverage for loss of income due to a data breach dropped slightly, from 54% in 2013 to 48% this year.

Finally, respondents that do not currently purchase cyber insurance were asked “Are you considering buying this coverage in the next year?” 54% said yes. This was only a one percentage point increase from 2013.

The full survey can be found here.

What IT Users and Business Users Think about Bring Your Own Identity (BYOID)

Ponemon Institute has released its CA Technologies sponsored study “The Identity Imperative for the Open Enterprise: What IT Users and Business Users Think about Bring Your Own Identity (BYOID)”.

They surveyed 1,589 IT and IT security practitioners and 1,526 business users, all at organisations with more than 1,000 employees, in the United States, Australia, Brazil, Canada, France, Germany, India, Italy and the United Kingdom to understand current trends in Bring Your Own Identity (BYOID), which is defined as the use of trusted digital or social networking identities.

  • 74% of the IT users surveyed report to the CIO
  • 15% report to the CISO
  • 55% of the business users in this research report to the lines of business leader
  • 10% report to the marketing officer 

The majority of respondents in both groups have high levels of interest in BYOID, but IT users and business user groups have different views about the perceived potential value of BYOID. 

  • IT users view BYOID primarily for fraud reduction, risk mitigation and cost reduction
  • Business end users are more interested in how BYOID can streamline customers’ experience and assist in targeted marketing campaigns.

Some of these differences can be expected because of the different job responsibilities of each group. These differences do not necessarily portend conflict, but rather show the need for collaboration between IT and the business functions to yield maximum benefits for any organisation deploying a BYOID system. By developing a cross-functional BYOID strategy around several well-defined use cases, organisations can differentiate themselves from competitors and further grow their business.

Key findings of the study are:

The Application Economy Drives BYOID Interest

In today’s application economy, organisations need to securely deliver new apps to grow their business quickly. This can increase IT risks, which puts a premium on an organisation’s ability to simplify the user experience without sacrificing security. Using an existing digital or social identity issued by a trusted third party to access applications can help organisations meet the need for simplicity, security and a positive customer experience.

  • 67% of IT users say the primary value of BYOID is from strengthening the authentication process
  • 54% from reducing impersonation risk
  • 79% of business users believe the BYOID value comes from delivering a better customer experience
  • 76% believe it is from increasing the effectiveness of marketing campaigns

While IT sees value primarily in risk mitigation and cost reduction, business users see the value of BYOID in improving the consumer experience to increase customer loyalty and generate new revenue streams. This underscores the need for IT and business collaboration to address the challenge that today’s organisations face: how to secure the business while simultaneously empowering

Mobile and Web Users Drive BYOID

Today’s IT organisations must deliver secure access to a highly distributed and growing user population. These users expect to access information anywhere, anytime from multiple devices. This is changing how user identities should be managed and is affecting the demand for BYOID.

When IT practitioners and business users were polled on their level of interest in accepting identities for different user populations such as job prospects, employees, contractors, retirees, website customers or mobile customers, mobile and web customers received the most interest, far exceeding that of the other populations.

  • 50% of IT respondents and 79% of business respondents have very high or high interest in BYOID for website user populations
  • 48% of IT respondents and 82% of business respondents have very high or high interest in BYOID for mobile user populations

BYOID Requires Security Enhancements to Drive More Adoption

While the survey results indicate interest in BYOID from both IT users and business users, both groups identified features that could contribute to broader BYOID adoption.

When asked which features would most likely increase BYOID adoption within their organisation:

  • 73% of IT users name identity validation processes as a top feature
  • 66% of IT users name multi-factor authentication as a top feature
  • 71% of business users say both identity validation processes and simplified user registration are the features most likely to increase adoption.

The study also indicates a high level of interest in some form of accreditation of the identity providers:

  • 59% of IT users say it is essential or very important
  • 21% of IT users say it is important
  • 27% of business respondents say accreditation is essential or very important, and 48% say it is important
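The two features respondents rank highest, identity validation and accreditation of identity providers, can be shown as concrete checks on the relying-party side. What follows is an added example, not code from the Ponemon/CA study or from any identity provider: an application accepts a third-party identity token only if its issuer is on an accredited list, the signature verifies under that issuer’s key, and the audience and expiry claims match. The issuer registry, the keys, and the issuer and application URLs are assumptions made for the example; real providers sign with RSA or EC keys published through JWKS, and HMAC-SHA256 is used here only so the example runs stand-alone.

```python
import base64
import hashlib
import hmac
import json

# Constructed accredited-issuer registry (an assumption for this example): tokens are accepted
# only from providers listed here, verified with that provider's key. Real providers sign with
# RSA/EC keys published via JWKS; HMAC-SHA256 is used so the example runs stand-alone.
TRUSTED_ISSUERS = {
    "https://idp-a.example": b"shared-secret-for-idp-a",
    "https://idp-b.example": b"shared-secret-for-idp-b",
}
OUR_AUDIENCE = "https://app.example"  # this relying party's identifier (assumed)


def _b64url_encode(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(key, signing_input):
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def issue_token(issuer, key, subject, audience, expires_at):
    """Identity-provider side: sign header.payload with HS256 (JWT compact form)."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    claims = {"iss": issuer, "sub": subject, "aud": audience, "exp": expires_at}
    payload = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    signing_input = f"{header}.{payload}"
    return f"{signing_input}.{_b64url_encode(_sign(key, signing_input))}"


def validate_token(token, now, trusted=TRUSTED_ISSUERS, audience=OUR_AUDIENCE):
    """Relying-party side: returns (subject, None) on success or (None, reason) on rejection."""
    parts = token.split(".")
    if len(parts) != 3:
        return None, "malformed token"
    try:
        header = json.loads(_b64url_decode(parts[0]))
        claims = json.loads(_b64url_decode(parts[1]))
        signature = _b64url_decode(parts[2])
    except (ValueError, UnicodeDecodeError):
        return None, "undecodable token"
    if not isinstance(header, dict) or not isinstance(claims, dict):
        return None, "malformed token"
    # Pin the algorithm; never let the token choose it (rejects alg=none and downgrades).
    if header.get("alg") != "HS256":
        return None, "unexpected algorithm"
    # The issuer claim is unauthenticated here: it only selects a key from the accredited set,
    # and the signature check decides whether the token really came from that issuer.
    key = trusted.get(claims.get("iss"))
    if key is None:
        return None, "issuer not accredited"
    if not hmac.compare_digest(_sign(key, f"{parts[0]}.{parts[1]}"), signature):
        return None, "bad signature"
    if claims.get("aud") != audience:
        return None, "token not issued for this application"
    if not isinstance(claims.get("exp"), int) or now >= claims["exp"]:
        return None, "token expired"
    if not claims.get("sub"):
        return None, "no subject"
    return claims["sub"], None


def demo(now=1_700_000_000):
    """Runs the validator over constructed tokens covering the main rejection paths."""
    key_a, key_b = TRUSTED_ISSUERS["https://idp-a.example"], TRUSTED_ISSUERS["https://idp-b.example"]
    good = issue_token("https://idp-a.example", key_a, "alice", OUR_AUDIENCE, now + 300)
    # Well-formed token from a provider that is not on the accredited list.
    unknown = issue_token("https://idp-x.example", b"unknown-key", "mallory", OUR_AUDIENCE, now + 300)
    # Genuine token for a different relying party, replayed against this one.
    wrong_aud = issue_token("https://idp-b.example", key_b, "bob", "https://other.example", now + 300)
    # Genuine token whose subject was edited after signing.
    h, p, s = good.split(".")
    edited = dict(json.loads(_b64url_decode(p)), sub="admin")
    tampered = f"{h}.{_b64url_encode(json.dumps(edited, separators=(',', ':')).encode())}.{s}"
    expired = issue_token("https://idp-a.example", key_a, "alice", OUR_AUDIENCE, now - 1)
    cases = [("good", good), ("unknown_issuer", unknown), ("wrong_audience", wrong_aud),
             ("tampered", tampered), ("expired", expired)]
    return {name: validate_token(tok, now) for name, tok in cases}


if __name__ == "__main__":
    for name, (subject, reason) in demo().items():
        print(f"{name:15} -> " + (f"accepted as {subject}" if subject else f"rejected: {reason}"))
```

The order of the checks matters: the algorithm is pinned before anything is trusted, the issuer claim is used only to pick a key from the accredited set, and no claim is acted on until the signature over the exact bytes received has verified.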


Information Commissioner’s Office provides data protection advice to the legal profession

The Information Commissioner’s Office (ICO) is warning barristers and solicitors to keep personal information secure, especially paper files. This follows a number of data breaches reported to the ICO involving the legal profession.

The ICO can serve a monetary penalty of up to £500,000 for a serious breach of the Data Protection Act provided the incident had the potential to cause substantial damage or substantial distress to affected individuals.

In most cases these penalties are issued to companies or public authorities, but barristers and solicitors are generally classed as data controllers in their own right and are therefore legally responsible for the personal information they process.

In the last three months, 15 incidents involving members of the legal profession have been reported to the ICO. The information handled by barristers and solicitors is often very sensitive. This means that the damage caused by a data breach could meet the statutory threshold for issuing a financial penalty. Legal professionals will also often carry around large quantities of information in folders or files when taking them to or from court, and may store them at home. This can increase the risk of a data breach.

Information Commissioner Christopher Graham said:

“The number of breaches reported by barristers and solicitors may not seem that high, but given the sensitive information they handle, and the fact that it is often held in paper files rather than secured by any sort of encryption, that number is troubling. It is important that we sound the alarm at an early stage to make sure this problem is addressed before a barrister or solicitor is left counting the financial and reputational damage of a serious data breach.

“We have published some top tips to help barristers and solicitors look after the personal information they handle. These measures will set them on the road to compliance and help them get the basics right.”

The ICO has published the following top tips to help barristers and solicitors keep the personal information they handle secure:

  • Keep paper records secure. Do not leave files in your car overnight and do lock information away when it is not in use.
  • Consider data minimisation techniques in order to ensure that you are only carrying information that is essential to the task in hand.
  • Where possible, store personal information on an encrypted memory stick or portable device. If the information is properly encrypted it will be virtually impossible to access it, even if the device is lost or stolen.
  • When sending personal information by email consider whether the information needs to be encrypted or password protected. Avoid the pitfalls of auto-complete by double checking to make sure the email address you are sending the information to is correct.
  • Only keep information for as long as is necessary. You must delete or dispose of information securely if you no longer need it.
  • If you are disposing of an old computer, or other device, make sure all of the information held on the device is permanently deleted before disposal.

The ICO is currently working with The Bar Council to update the Information Security Guidance provided to Barristers in England and Wales.

The original ICO post is here.

Most organisations struggle to resolve the effects of a breach

According to IDG research in a CSG Invotas white paper “Security Automation: Time to Take a Fresh Look” most organisations struggle to resolve the effects of a breach.

“There’s no doubt that improving intrusion response and resolution times reduces the window of exposure from a breach,” said Jen McKean, research director at IDG Research. “More companies seek security automation tools that will enable them to resolve breaches in mere seconds and help maintain business-as-usual during the remediation period.”

Researchers polled decision makers of information security, strategy, and solution implementations at companies with 500 or more employees. They explored the security challenges commercial organizations face when confronted with security breaches across their networks. Key findings include:

  • 46% of respondents report an average detection time of hours or days
  • 54% report average resolution times of days or months
  • Ongoing management of the electronic identities that control access to enterprise, cloud and mobile resources takes the most time to change or update during a security event
  • A majority of respondents seek ways to reduce response time in order to mitigate risk, preserve their company’s reputation and protect customer data
  • 61% of respondents admit they are looking for ways to improve response times to security events
  • 82% of respondents report no decrease in the number of network security events or breaches last year, whilst more than a quarter of those surveyed report an increase
  • 60% of IT security resources are dedicated to protecting the network layer
  • 10% of respondents report that they are able to resolve issues in seconds or minutes; 54% say it takes days, weeks or months
  • 28% of respondents say the number of security events or breaches increased in 2013
  • 24% report that the severity of incidents increased
  • 39% of respondents say they can detect a security breach within seconds or minutes

Business process automation solutions offer a new approach to the most difficult step in security operations: taking immediate and coordinated action to stop security attacks from proliferating. Building digital workflows that can be synchronized across an enterprise allows a rapid counter-response to cyber-attacks. Speed, accuracy, and efficiency are accomplished by applying carrier-grade technology, replicating repetitive actions with automated workflows, and reducing the need for multiple screens.

“It is no longer a surprise to hear that a breach has compromised data related to customers, employees, or partners,” said Paul Nguyen, president of global security solutions at CSG Invotas. “CIOs recognize that they need faster, smarter ways to identify security breaches across their enterprises. More importantly, they need faster, smarter ways to respond with decisive and coordinated action to help protect threats against company reputation, customer confidence, and revenue growth.”

A quarter of respondents say they are comfortable with the idea of automating some security workflows and processes and that they deploy automation tools where they can. 57% of respondents say they are somewhat comfortable with automation for some low-level and a few high-level processes, but they still want security teams involved. On average, respondents report that 30% of their security workflows are automated today; but nearly two-thirds of respondents expect they will automate more security workflows in the coming year.

The full survey and key findings are available here.

110 million Americans hacked in the last 12 months

In a CNNMoney-commissioned study, Ponemon Institute researchers found:

  • 110 million Americans, roughly half of the nation’s adults, have been hacked in the last 12 months alone
  • 432 million accounts were hacked

“It’s becoming more acute,” said Ponemon Institute head Larry Ponemon. “If you’re not a data breach victim, you’re not paying attention.”

The CNNMoney article points to recent examples of large hack attacks:

  • 70 million Target customers’ personal information, plus 40 million credit and debit cards
  • 33 million Adobe user credentials, plus 3.2 million stolen credit and debit cards
  • 4.6 million Snapchat users’ account data
  • 3 million payment cards used at Michaels
  • 1.1 million cards from Neiman Marcus
  • “A significant number” of AOL’s 120 million account holders
  • Potentially all of eBay’s 148 million customers’ credentials

Full article here.

Cost of business cyber security breaches almost doubles

The number of information security breaches affecting UK businesses has decreased over the last year, but the scale and cost of individual breaches has almost doubled.

The Information Security Breaches Survey 2014, commissioned by the Department for Business, Innovation and Skills (BIS) and carried out by PwC, found:

  • 81% of large organisations suffered a security breach, down from 86% a year ago
  • 60% of small businesses reported a breach, down from 64% in 2013

Although organisations are experiencing fewer breaches overall, the severity and impact of attacks has increased, with the average cost of an organisation’s worst breach rising significantly for the third consecutive year. For small organisations the worst breaches cost between £65,000 and £115,000 on average, and for large organisations between £600,000 and £1.15 million.

The majority of businesses have increased IT security investment over the last year.

Universities and Science Minister David Willetts said:

“These results show that British companies are still under cyber attack. Increasingly those that can manage cyber security risks have a clear competitive advantage. Through the National Cyber Security Programme, the government is working with partners in business, academia and the education and skills sectors to equip the UK with the professional and technical skills we need for long-term economic growth.”

Andrew Miller, cyber security director at PwC, said:

“Whilst the number of breaches affecting UK business has fallen slightly over the past year the number remains high and in many companies more needs to be done to drive true management of security risks. Breaches are becoming more sophisticated and their impact more damaging. Given the dynamic nature of the risk, boards need to be reviewing threats and vulnerabilities on a regular basis. As the average cost of an organisation’s worst breach has increased this year, businesses must make sure that the way they are spending their money in the control of cyber threats is effective. Organisations also need to develop the skills and capability to understand how the risk could impact their organisation and what strategic response is required.”

70% of companies with a poor understanding of their security policy experienced staff-related breaches, compared to only 41% of companies where security is well understood. This suggests that communicating the security risks to staff and investing in ongoing awareness training results in fewer breaches.

The survey also found that there has been an increase in the number of businesses which are confident that they have the skills required within their organisations to detect, prevent and manage information security breaches, up to 59% from 53% last year.

Ensuring that we have the cyber skills capability to meet the evolving needs of businesses is a key objective of the UK’s National Cyber Security Strategy. Earlier this year (2014), the government unveiled a raft of new proposals to meet the increasing demand for cyber security skills. These include a new higher-level apprenticeship, special learning materials for 11 to 14 year-olds and plans to train teachers to teach cyber security.

Earlier this year (2014) the government launched a new scheme to help businesses stay safe online. Cyber Essentials provides clarity to organisations on what good cyber security practice is and sets out the steps they need to follow, to manage cyber risks. From this summer (2014) organisations that have complied with the best practice recommendations will be able to apply to be awarded the Cyber Essentials Standard. This will demonstrate to potential customers that businesses have achieved a certain level of cyber security and take it seriously.

The press release can be found here.

European Union: Data Protection and the dangers of the web

It’s something we all worry about: the finding that 76% of Europeans are concerned that their personal data is not safe in the hands of private companies demonstrates the extent of the fear.

The infographic was published as part of “Data Protection Day: the challenge of keeping your personal information safe – Citizens’ rights − 28-01-2014”.

SafeNet and SafeMonk have recently produced the results of a survey titled “Cloud App Usage vs. Data Privacy”.

The survey shows the attitudes of people, including C-level executives, to cloud storage and data privacy; a summary of the survey is below.

Do you frequently use cloud based applications (i.e. Banking, business applications, social media, etc.)?

  • 64% Yes
  • 25% No
  • 11% what is a cloud based application…

Do you store any personal or professional data in the cloud?

  • 55% Yes
  • 28% No
  • 14% I think so
  • 3% not sure

Are you worried at all about the security of the cloud-based applications or data stored in the cloud?

  • 55% Yes
  • 32% No
  • 15% Still trying to figure out what cloud is

Of the applications that you use, which are you most concerned about someone hacking into?

  • 52% Banking Application
  • 17% File Storing / Sharing Application
  • 14% Email
  • 9% None of the Above
  • 8% Social Media Account

What system do you use most frequently for file storage?

  • 39% Dropbox
  • 25% The drawers on my desk
  • 24% Google Drive
  • 6% Other
  • 5% Microsoft SharePoint
  • 1% Box.net

Reading the above is even more interesting when you see the next question and answers.

What system for file storage and sharing does your company ask you to use?

  • 52% Internal Network
  • 13% Google Drive
  • 12% Microsoft SharePoint
  • 12% Dropbox
  • 7% Other
  • 3% iCloud
  • 1% Box.net

When it comes to your data privacy, who are you most concerned with?

  • 46% Government
  • 22% Google
  • 22% I’m not concerned about the privacy of my data.
  • 6% Boss
  • 3% Spouse
  • 1% Mom

Does your company have a policy regarding usage of file sharing applications such as DropBox?

  • 39% No
  • 33% I don’t know
  • 28% Yes

If your company has a policy against usage of applications such as DropBox, do you use it anyway?

  • 79% Yes
  • 21% No

What types of files do you store online?

  • 50% Personal
  • 24% Professional
  • 18% Both
  • 8% None of your business

What keeps you up at night regarding your data and personal information?

  • 52% Nothing keeps me up at night. I sleep like a baby.
  • 29% It will be maliciously exploited
  • 17% The government will have visibility into my private information
  • 2% My peers will know my secrets

“What this survey suggests is that cloud app usage and document storage continue to proliferate, and that organizations should re-examine antiquated attitudes towards usage of these apps across the enterprise,” said Tsion Gonen, Chief Strategy Officer, SafeNet, Inc. “It’s clear that top-level executives understand the advantages of cloud app usage, and should enable their companies to leverage these advantages by adopting contemporary security tools and practices.”

Infographic: BYOD Security is still a problem

Insufficient BYOD security management and lax exit processes puts organisations at risk.

An update on the progress of the European Data Protection Act

At last week’s Information Commissioner’s Data Protection Officers’ Conference in Manchester I had the privilege of being updated on the progress, or lack of progress, of the revised European Data Protection Act.

With the existing directive dating back over 17 years, an upgrade is well overdue, but there is significant pressure from businesses to water down any revisions to the directive.

A watered-down directive does not serve anyone, neither the privacy campaigners nor those with commerce in mind, because breaches are happening far too often and breaches affect consumer confidence.

This means the larger retailers should be supporting stronger Data Protection controls so the smaller, less funded or less skilled businesses have the detailed controls and the incentives to put privacy and security first.

In the main hall and in the breakout room there was constant reference to thinking about the issues before systems and processes are put in place. The two terms used were:

  1. Privacy by Design
  2. Security by Design

Both Privacy by Design and Security by Design are essential for consumer confidence because they are demonstrable actions organisations can refer to when dealing with the users of their data.

Françoise Le Bail of the EU Commission stated that “23% of users feel they do not have complete control of their data when shopping online”. In other words, almost a quarter of those who buy online are suspicious of the people who want to take money from them. If those statistics were applied to bricks-and-mortar retailers the high street would look a lot worse than it does now, and it already looks pretty bad.

Françoise Le Bail also stated that the EC’s priorities for the Act are:

  • The architecture of the framework
  • Key provisions to include all personal data and consent
  • A more risk based approach – proportionality
  • Data Protection Officers are needed
  • A consistent European wide level of governance
  • Support for authorities by providing training and not just fines

David Smith the UK Deputy Information Commissioner stated the UK was not 100% in favour of the current draft proposals but the UK was largely supportive.

David Smith had a list of items that were favoured, including:

  • Improved consistency across Europe
  • Enhanced Individual rights
  • Code of conduct and certification

However, the UK is looking for additional items to be added and clarification on others, for example:

  • The UK wants a more “risk” based approach to personal data
  • Individual compensation should not be restricted to monetary loss. It should also take into account aggravation and heartache.
  • Data Protection training needs to be added to the school curriculum
  • The EU has two proposals in place, one covering law enforcement and one covering everyone else, and the UK doesn’t want any more than that.

Other items of note

  • The date for the Act to be passed is likely to be June 2014 with enforcement two years later in 2016
  • The 24 hour mandatory breach notification is likely to slip to 72 hours
  • The maximum 2% of global turnover is likely to be approved but some members of the commission are pushing for it to be 10%
  • Right to be forgotten is a big problem due to the nature of what can be forgotten and what should never be forgotten
  • Data Portability is both a target for Europe and a problem and negotiations are on-going with the US and other nations on cross border data sharing.
  • MiData now has 26 signed up companies and the drive for more is growing


How Employees are Putting Your Intellectual Property at Risk

“What’s Yours is Mine: How Employees are Putting Your Intellectual Property at Risk” is a white paper produced by the Ponemon Institute on behalf of Symantec.

The paper reviews the way employees perceive corporate data and their mindset and motivations for copying data and intellectual property.

Key Findings

  • Employees are moving IP outside the company in all directions
  • When employees change jobs, sensitive business documents often travel with them
  • Employees are not aware they are putting themselves and their companies at risk
  • They attribute ownership of IP to the person who created it
  • Organizations are failing to create a culture of security

Impact on Organizations

According to Ponemon Institute, employees are moving IP outside the company in all directions:

  • Over half admit to emailing business documents from their workplace to their personal email accounts
  • 41% say they do it at least once a week
  • 44% also say they download IP to their personally owned tablets or smartphones, leaving confidential information even more vulnerable as it leaves corporate-owned devices

The data loss continues through employees sharing confidential information in the cloud:

  • 37% use file-sharing apps (such as Dropbox or Google Docs) without permission from their employer
  • Worse, the sensitive data is rarely cleaned up; the majority of employees put these files at further risk because they don’t take steps to delete the data after transferring it.

When employees change jobs, sensitive business documents often travel with them. In most cases, the employee is not a malicious insider, but merely negligent or careless about securing IP. However, the consequences remain. The IP theft occurs when an employee takes any confidential information from a former employer:

  • Half of the survey respondents say they have taken information
  • 40% say they will use it in their new jobs

This means precious intelligence is also falling into the hands of competitors, causing damage to the losing company and adding risk to the unwitting receiving company.

Understanding Employee Attitudes about IP Theft

The attitudes that emerged from the survey suggest that employees are not aware that they are putting themselves and their employers at risk when they freely share information across multiple media. Most employees do not believe that transferring corporate data to their personal computers, tablets, smartphones, and cloud file-sharing apps is wrong. A third say it is OK as long as the employee does not personally receive economic gain, and about half justified their actions by saying it does not harm the company. Others blamed the companies for not strictly enforcing policies and for not proactively securing the information. These findings suggest that employees do not recognize or acknowledge their role in securing confidential company data.

To shed further light, over half do not believe that using competitive data taken from a previous employer is a crime. Employees attribute ownership of IP to the person who created it. When given the scenario of a software developer who re-uses source code that he or she created for another company, 42% do not believe it is wrong and think that a person should have an ownership stake in his or her work and inventions. They believe that the developer has the right to re-use the code even when that developer does not have permission from the company. These findings portray today’s knowledge workers as unaware that intellectual property belongs to the organization.

Recommendations from the paper

Given these findings, what can companies do to minimize risk? We suggest that companies take a multi-pronged approach:

  • Educate employees. Organizations need to let their employees know that taking confidential information is wrong. Employee training and awareness is critical; companies should take steps to ensure that IP theft awareness is a regular and integral part of security awareness training. Create and enforce policies that provide the do’s and don’ts of information use in the workplace and when working remotely. Help employees understand that sensitive information should remain on corporate-owned devices and databases. Make it clear that new employees are not to bring IP from a former employer to your company.
  • Enforce non-disclosure agreements (NDAs). Review existing employment agreements to ensure that they use strong and specific language regarding company IP. Conduct focused conversations during exit interviews with departing employees and have them review the original IP agreement. Include and describe, in checklist form, an overt description of information that may and may not transfer with a departing employee. Make sure all employees are aware that any policy violations will be strictly managed and will affect their jobs. Employment agreements should contain specific language about the employee’s responsibility to safeguard sensitive and confidential information.
  • Implement monitoring technology. Support education and policy initiatives by using monitoring technology to gain insight into where IP is going and how it’s leaving. Deploy data loss prevention software to notify managers and employees in real-time when sensitive information is inappropriately sent, copied, or otherwise inappropriately exposed. Implement a data protection policy that monitors inappropriate access/use of IP and notifies employees of violations, which increases security awareness and deters theft. Leverage technology to learn what IP is leaving your organization and how to prevent it from escaping your network.
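The monitoring the paper recommends, and the ICO’s email tips earlier on this page (encrypt personal data before it leaves, and double-check auto-completed addresses), come down to the same control point: an outbound message is inspected before it is sent. The following is an added example serving both passages; it is not code from the ICO, Ponemon or Symantec. It flags personal data about to travel unencrypted (Luhn-valid card numbers, UK National Insurance numbers, a confidential or privileged marking) and recipient domains that resemble, but are not, an approved domain, which is the usual shape of an auto-complete mistake. The approved domains and the sample messages are constructed for the example, and the patterns are a starting point rather than a complete classifier.

```python
import re

# Constructed allowlist of domains the firm corresponds with (an assumption for the example).
APPROVED_DOMAINS = {"chambers.example", "client.example"}

# Payment card numbers (13-19 digits, optionally space/dash separated) and UK National
# Insurance numbers (two letters, six digits, a suffix letter A-D, optional spacing).
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")
NI_RE = re.compile(r"\b[A-CEGHJ-PR-TW-Z]{2} ?\d{2} ?\d{2} ?\d{2} ?[A-D]\b")


def luhn_ok(digits):
    """Luhn checksum: drops phone numbers and other digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(body):
    """Returns a list of human-readable findings; empty means nothing sensitive was spotted."""
    findings = []
    for m in CARD_RE.finditer(body):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append("payment card ending " + digits[-4:])
    for _ in NI_RE.finditer(body):
        findings.append("national insurance number")
    if re.search(r"\b(confidential|privileged)\b", body, re.IGNORECASE):
        findings.append("document marked confidential/privileged")
    return findings


def edit_distance(a, b):
    """Levenshtein distance; an unknown domain one or two edits from an approved one is suspect."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain, approved):
    """The approved domain this one resembles, or None if it is approved or clearly unrelated."""
    for good in approved:
        if domain != good and edit_distance(domain, good) <= 2:
            return good
    return None


def check_outbound(recipients, body, encrypted, approved=APPROVED_DOMAINS):
    """Decide allow / require_encryption / block for one outbound message, with reasons."""
    reasons, decision = [], "allow"
    for addr in recipients:
        domain = addr.rsplit("@", 1)[-1].lower()
        if domain in approved:
            continue
        near = lookalike_of(domain, approved)
        if near:
            reasons.append(f"{addr}: domain resembles {near}, possible auto-complete error")
            decision = "block"
        else:
            reasons.append(f"{addr}: external recipient")
    findings = find_sensitive(body)
    if findings and not encrypted:
        reasons.extend("unencrypted: " + f for f in findings)
        if decision != "block":
            decision = "require_encryption"
    return {"decision": decision, "reasons": reasons}


# Constructed sample messages (not real correspondence).
SAMPLE_MESSAGES = [
    {"to": ["counsel@client.example"], "body": "Hearing moved to 10am Monday.", "encrypted": False},
    {"to": ["counsel@client.example"],
     "body": "Client card 4111 1111 1111 1111, NI AB 12 34 56 C, statement attached.", "encrypted": False},
    {"to": ["counsel@cilent.example"], "body": "Privileged: draft witness statement attached.", "encrypted": True},
]


def review_all(messages=SAMPLE_MESSAGES):
    return [check_outbound(m["to"], m["body"], m["encrypted"]) for m in messages]


if __name__ == "__main__":
    for msg, result in zip(SAMPLE_MESSAGES, review_all()):
        print(msg["to"], "->", result["decision"], result["reasons"])
```

The third sample is the auto-complete case the ICO warns about: the address is one transposition away from a real client domain, so the message is blocked even though its contents are encrypted. The second goes to an approved recipient but carries a card number and a National Insurance number in clear, so it is held until it is encrypted or password protected.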


EU Commission proposes a comprehensive reform of the Data Protection rules

This week the European Commission proposed a comprehensive reform of the EU’s 1995 data protection rules to strengthen online privacy rights and to boost Europe’s digital economy.

The press release states:

Technological progress and globalisation have profoundly changed the way our data is collected, accessed and used. In addition, the 27 EU Member States have implemented the 1995 rules differently, resulting in divergences in enforcement. A single law will do away with the current fragmentation and costly administrative burdens, leading to savings for businesses of around €2.3 billion a year. The initiative will help reinforce consumer confidence in online services, providing a much needed boost to growth, jobs and innovation in Europe.

“17 years ago less than 1% of Europeans used the internet. Today, vast amounts of personal data are transferred and exchanged, across continents and around the globe in fractions of seconds,” said EU Justice Commissioner Viviane Reding, the Commission’s Vice-President. “The protection of personal data is a fundamental right for all Europeans, but citizens do not always feel in full control of their personal data. My proposals will help build trust in online services because people will be better informed about their rights and in more control of their information. The reform will accomplish this while making life easier and less costly for businesses. A strong, clear and uniform legal framework at EU level will help to unleash the potential of the Digital Single Market and foster economic growth, innovation and job creation.”

The Commission’s proposals update and modernise the principles enshrined in the 1995 Data Protection Directive to guarantee privacy rights in the future. They include a policy Communication setting out the Commission’s objectives and two legislative proposals: a Regulation setting out a general EU framework for data protection and a Directive on protecting personal data processed for the purposes of prevention, detection, investigation or prosecution of criminal offences and related judicial activities.

Key changes in the reform include:

  • A single set of rules on data protection, valid across the EU. Unnecessary administrative requirements, such as notification requirements for companies, will be removed. This will save businesses around €2.3 billion a year.
  • Instead of the current obligation of all companies to notify all data protection activities to data protection supervisors – a requirement that has led to unnecessary paperwork and costs businesses €130 million per year – the Regulation provides for increased responsibility and accountability for those processing personal data.
  • For example, companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible (if feasible within 24 hours).
  • Organisations will only have to deal with a single national data protection authority in the EU country where they have their main establishment. Likewise, people can refer to the data protection authority in their country, even when their data is processed by a company based outside the EU. Wherever consent is required for data to be processed, it is clarified that it has to be given explicitly, rather than assumed.
  • People will have easier access to their own data and be able to transfer personal data from one service provider to another more easily (right to data portability). This will improve competition among services.
  • A ‘right to be forgotten’ will help people better manage data protection risks online: people will be able to delete their data if there are no legitimate grounds for retaining it.
  • EU rules must apply if personal data is handled abroad by companies that are active in the EU market and offer their services to EU citizens.
  • Independent national data protection authorities will be strengthened so they can better enforce the EU rules at home. They will be empowered to fine companies that violate EU data protection rules. This can lead to penalties of up to €1 million or up to 2% of the global annual turnover of a company.
  • A new Directive will apply general data protection principles and rules for police and judicial cooperation in criminal matters. The rules will apply to both domestic and cross-border transfers of data.

The Commission’s proposals will now be passed on to the European Parliament and EU Member States (meeting in the Council of Ministers) for discussion. They will take effect two years after they have been adopted.

The official press release is a short summary of what the politicians will debate. For a more detailed summary, based upon the January 2012 release and other research, read my May 2012 post “Proposed European wide Data Protection Act – a review”.

As for the politicians debating the Act before passing it into law, it is worthwhile reading the post “The Information Commissioner provides an update on the European Data Protection Act”.

It is disappointing that the delays mean the revised Act, and the improvements in data protection and privacy it brings, will not be enforced until 2015.


What will fraud look like in 2013?

UK Fraud has identified 10 key trends that will characterise the UK domestic fraud prevention market in 2013.

The forecasted trends are:

  1. With more high quality data becoming available to fraudsters than ever before, an economy forecast to contract and the UK’s benefits spend reducing, overall fraud levels will continue to increase dramatically across the UK and the rest of Europe. Fraud hotspots most likely to be affected in 2013 include: banks and card companies, insurers, online merchants, retailers and government be it HMRC, the universal credit scheme or local authorities.
  2. The types of fraud likely to see the biggest growth will be CNP (Card Not Present) card fraud, other forms of cybercrime, internal fraud, and supply chain fraud. Procurement fraud is also set to rise significantly. In contracting economies, evidence suggests that people inside this function can be put under pressure to defraud.
  3. Mortgage fraud is also set to surge in 2013, with credit rating experts pointing the finger at further rises in first-party fraud – i.e. where people misrepresent their finances whilst applying for mortgages. Once again the economic climate is a significant contributor in this.
  4. Recent spectacular mass data breaches and suspicion of cloud security in some areas will continue. An increasingly greater emphasis will be placed upon PCI DSS and other data security and integrity issues. Already, the daily number of automated attacks on bank and retailer systems runs into the millions, which means that we will continue to see major high-profile data breaches both reported and otherwise.
  5. Solutions will be based around systems for acquirers, online merchants and PSPs, who are regularly the victims of CNP fraud – where fraud is growing fast in line with the growth in internet based payments. Increasingly, solutions will move to better and newer generations of screening, scoring and risk based monitoring, such as those based upon Bayesian based fraud detection systems. These will start to pose a real challenge to older systems based on ‘so called’ Neural Networks.
  6. Most people feel that there could be a lack of unified central direction and strategy from government. The lack of a pan-European strategy will also prevail. The UK government’s response is divided between the NFA, the Cyber Crimes unit and the Cabinet Office’s FED (Fraud Error and Debt Initiative). Some believe passionately that the lack of a unified central government strategy will drive up fraud significantly in 2013. On the positive side, at least some of the civil servants who have been involved in the NFA since the beginning are starting to gain real experience of the sector and an appreciation of the enormous challenges they face. The DWP is also tendering to get some real-world fraud strategy skills into their midst too, which should prove invaluable given the changes due with the Universal Credit.
  7. The USA is increasingly ready for a policy U-turn on the adoption of signature as the CVM of choice. The US market will find it increasingly difficult to evolve in a global payment systems world without the protections offered either by PINs – or a ‘next generation’ solution. As the rest of the world is moving (or largely has moved) in this direction already, 2013 could see this U-turn as fraud increasingly migrates to the US.
  8. Major insurers will continue to develop a strong and very credible fraud prevention solution based around the ‘front end’ (underwriting stage of business). The emphasis on delivering a strong industry-wide data-sharing drive will also continue to increase, although a whole re-think of the industry fraud register will be needed to address Data Protection Act requirements.
  9. There will be a major shift in the presence, position and fraud service offerings of one or more of the major data-bureaux (such as credit reference agencies), as more solutions either move ‘in-house’ or move to systems developed by a host of new players in various fraud sectors.
  10. And there will be some surprises as there always are – whether they are policemen ‘on-the-take’, another raft of politicians fiddling their expenses, or further high profile banks brought to their knees by (usually) rogue traders.

“The current economic climate is driving change and there is an evolution in the world of fraud prevention that we have not seen before,” says Bill Trueman, CEO of UK Fraud. “However, if we are to stay ahead of the fraudster, we have to be able to read these trends and manage both our strategy and the risks accordingly. In highlighting what we see as the trends, we aim to contribute to the debate and raise awareness of the risks. By keeping this debate alive we hope that fraud prevention will shortly gain an even greater emphasis in key seats of power – be that in the boardroom or within key government departments.”

Source: UK Fraud.

An overview of EU security legislation and the impact of cyber incident reporting

The European Network and Information Security Agency (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe’s citizens.

ENISA has responded to the growing threat posed by cyber security incidents by producing an overview paper of current legislation and the impact of incident reporting.

I have summarised the ENISA paper below.

ENISA started the paper by quoting five recent incidents to support their findings and conclusions:

  1. In June 2012 6.5 million (SHA-1) hashed passwords of a large business-focussed social network appeared on public hacker forums. The impact of the breach is not fully known, but millions of users were urged to change their passwords and their personal data could be at risk.
  2. In December 2011, the storm Dagmar affected power supplies to electronic communication networks in Norway, Sweden and Finland. As a result millions of users were without telephony or internet for up to two weeks.
  3. In October 2011 there was a failure in the UK datacentre of a large smartphone vendor. As a result millions of users across the EU and globally could not send or receive emails, which severely affected the financial sector.
  4. Over the summer 2011, a Dutch certificate authority experienced a security breach, allowing attackers to generate fake PKI certificates. The fake certificates, the result of the breach, were used to wiretap the online communications of around half a million Iranian citizens. Following the breach many Dutch e-government websites were offline or declared unsafe to visit.
  5. In April 2010 a Chinese telecom provider hijacked 15% of the world’s internet traffic through Chinese servers for 20 minutes, routing traffic to some large e-commerce sites, such as http://www.amazon.de and http://www.dell.com as well as the .mil and .gov domains, et cetera. As a result, the internet communications of millions of users were exposed (to eavesdropping).

The five quoted incidents are just the tip of the iceberg, as you will find out later in the post, but to give an insight into UK breaches read my post on who the UK’s Information Commissioner has caught this year for breaching the current Data Protection Act here.

Article 13a of the Framework directive: “Security and Integrity”

The Telecoms reform, passed into law in 2009, adds Article 13a to the Framework directive, regarding the security and integrity of public electronic communication networks and services. Article 13a states:

  • Providers of public communication networks and services should take measures to guarantee security and integrity (i.e. availability) of their networks.
  • Providers must report to competent national authorities about significant security breaches.
  • National authorities should inform ENISA and authorities abroad when necessary, for example in case of incidents with impact across borders.
  • National authorities should report to ENISA and the European Commission (EC) about the incident reports annually.

Article 13a also says that the EC may issue more detailed implementation requirements if needed, taking into account ENISA’s opinion.

The EC, ENISA, and the national regulators have been collaborating for the past 2 years to implement Article 13a and to agree on a single set of security measures for the European electronic communications sector and a modality for reporting about security breaches in the electronic communications sector to authorities abroad, to ENISA and the EC.

In May 2012 ENISA received the first set of annual reports from Member States, concerning incidents that occurred in 2011. ENISA received 51 incident reports about large incidents, which exceeded an agreed impact threshold. The reports describe services affected, number of users affected, duration, root causes, actions taken and lessons learnt. While nationally incident reporting is implemented differently, with different procedures, thresholds, et cetera, nearly all national regulators use a common procedure, a common template and common thresholds for reporting to the EC and ENISA.

Article 4 of the e-Privacy directive: “Security of processing”

The Telecoms reform also changed the e-Privacy Directive, which addresses data protection and privacy related to the provision of public electronic communication networks or services. Article 4 of the e-Privacy directive requires providers to notify personal data breaches to the competent authority and subscribers concerned, without undue delay.

The obligations for providers are:

  • to take appropriate technical and organisational measures to ensure security of services,
  • to notify personal data breaches to the competent national authority,
  • to notify data breaches to the subscribers or individuals concerned, when the personal data breach is likely to adversely affect their privacy,
  • to keep an inventory of personal data breaches, including the facts surrounding the breaches, the impact and the remedial actions taken.

Article 4 also says that the EC may issue technical implementing measures regarding the notification formats and procedures, in consultation with the Article 29 Working Party, the European Data Protection Supervisor (EDPS) and ENISA.

Articles 30, 31 and 32 of the Data Protection regulation

The EC has proposed to reform the current European data protection framework (Directive 95/46/EC), and has proposed an EU regulation on data protection. The regulation regards organisations that are processing personal data, regardless of the business sector the organisation is in. Security measures and personal data breach notifications are addressed in Articles 30, 31 and 32:

  • Organisations processing personal data must take appropriate technical and organisational security measures to ensure security appropriate to the risks presented by the processing.
  • For all business sectors the obligation to notify personal data breaches becomes mandatory.
  • Personal data breaches must be notified to a competent national authority without undue delay and, where feasible, within 24 hours, or else a justification should be provided.

Personal data breaches must also be notified to the individuals concerned if the breach is likely to affect their privacy. If the breached data was unintelligible to anyone not authorised to access it, e.g. tokenised data, or encrypted data whose keys were not also compromised, notification to the individuals is not required; the notification to the national authority still applies.

Read my summary of the proposed New EU Data Protection Act here.

Article 15 of the e-Sig and e-ID regulation: “Security requirements”

The EC recently released a proposal for a regulation on electronic identification and trust services for electronic transactions in the internal market. Article 15 in this proposal introduces obligations concerning security measures and incident reporting:

  • Trust service providers must implement appropriate technical and organisational measures for the security of their activities.
  • Trust service providers must notify competent supervisory bodies and other relevant authorities of any security breaches and where appropriate, national supervisory bodies must inform supervisory bodies in other EU countries and ENISA about security breaches.
  • The supervisory body may, directly or via the service provider concerned, inform the public.
  • The supervisory body sends a summary of breaches to ENISA and the EC.

EU Cyber Security Strategy

The European Commission is developing a European Cyber Security Strategy. The roadmap for the strategy refers to Article 13a and mentions extending Article 13a to other business sectors. The Commission has indicated that there will be five main strands:

  • Capabilities and response networks, for sharing information with public and private sector
  • Governance structure including the national competent authorities, to address incidents and develop an EU contingency plan.
  • Incident reporting for critical sectors like energy, water, finance and transport.
  • Pre-commercial procurement of security technology and public-private partnerships to improve security across the single market
  • Global cooperation, to address global interdependencies and the global supply chain.

A European Cyber Security Strategy is an important step to increase transparency about incidents, and ultimately to prevent them or limit their impact.

ENISA’s Review

Security measures and incident reporting, implemented across the EU’s digital society, are important to improve overall security. EU legislation plays an important role here as it allows harmonization across the EU member states. This in turn prevents weak links and unnecessary costs for providers operating cross-border.

The European Commission, in collaboration with the EU Member States, has undertaken a number of legislative initiatives aiming to further improve transparency about incidents. Another important step is the proposed Cyber Security Strategy, which emphasizes incident reporting and the importance of exchange across the EU about incidents and how to address them. We conclude with some general remarks.

Regulatory gaps: In the introduction we gave five examples of cyber incidents with a severe impact on the security or privacy of electronic communications. The 2nd incident, caused by the Dagmar storm, is in scope of existing incident reporting legislation and as such was reported to the authorities. The proposed regulation on electronic trust providers would also cover the 4th incident. But the remaining incidents (the 1st, 3rd, and 5th) are not clearly in scope, or are subject to debate between providers and the national regulator.

It is important that national authorities and the EC discuss, agree, and clarify the scope of legislation on electronic communications and address these and other gaps. This can be done without necessarily changing the text of existing legislation, such as the telecom regulatory framework, but rather the interpretation of what the services are, because the landscape of electronic communications is continuously changing (from landline telephones and minitel in the past, to mobile phones, internet and VoIP).

Model security articles: There is a lot of similarity between Article 13a of the Framework directive and Article 15 of the e-Signatures and e-Identities regulation. The former has been taken as a model for drafting the latter. Both articles combine security measures and incident reporting, at a national level and at an EU level. Consistency and standardization in the legislative texts allows for easier governance by the member states, and easier implementation by the providers. Furthermore, the combination of national reporting and EU reporting (present in both Article 13a and Article 15) allows national authorities room to adjust to national circumstances, while at the same time providing overview and feedback at an EU level, which allows Member States to optimize implementation and to ensure a harmonized approach across EU member states.

Governing security measures: Mandatory breach reporting receives a lot of media attention and it is arguably the most visible part of the security articles. The ultimate goal is to limit the impact of security and personal data breaches or prevent them altogether by making sure appropriate security measures are taken. This type of governance is crucial and not easy. In security much depends on the technical details of the implementation and these details are hard to capture in (high-level) legislation and subject to change.

National authorities should exchange knowledge about an effective and efficient combination of high-level legal obligations and technical implementation requirements. For the latter it is important to adopt a bottom up approach (i.e. commonly agreed recommendations), taking into account the (changing) state of the art and the practical experiences of regulators and experts from the private sector.

As a second, but related point, the need to take “appropriate technical and organisational security measures” is mentioned in all the security articles. Although these articles are aimed at different providers and different types of breaches, there is still a large overlap between the security measures that have to be taken. The competent national authorities should collaborate (nationally and at an EU level) to ensure that these security measures are implemented consistently and where there is an overlap, similarly, to allow providers to comply more easily, and to allow equipment vendors to adapt their products accordingly.

Optimizing incident reporting procedures:

  • Incident response versus incident reporting: To prevent incidents from escalating Member states should encourage providers to quickly contact technical experts, incident response teams (like national CERTs), crisis coordination groups, and other organizations relevant in the response phase, should this be necessary. Member states should underline that incident response receives priority. The purpose of mandatory incident reporting to national authorities is supervision over whether or not providers comply with legal requirements, while the purpose of information exchange in the response phase, for example with a national CERT, is to tackle the incident. Member states should encourage transparency and trusted information sharing in the response phase and ensure that response processes are independent and not slowed down by legal reporting requirements. Member states should for instance ensure that incident reporting procedures are easy and quick to apply.
  • Exchange and sharing: Over the past years CERTs have developed effective platforms for collaboration and information exchange. Beyond the response phase, however, there is still little exchange of information about breaches between different national authorities. The EC should continue to support the working groups and platforms for exchanging information between national authorities, about breaches, about lessons learnt and best practices.
  • Granularity and tools: An important aspect of the evaluation of existing legislation on incident reporting should be an analysis of costs and benefits. Both for national and EU level reporting it is important to review over time the thresholds for reporting, the type of information that is reported, the level of detail, and so on. If too few incidents are reported, then it will be difficult to draw meaningful conclusions about common root causes or trends. This would defeat the purpose of the legislation altogether and make the legislation cost ineffective. National authorities should analyse what is a good balance, taking into account the costs and benefits for providers as well as the national authorities. Providers and national authorities should investigate automated tools and computer interfaces to allow for cost-effective incident reporting at a sufficient level of detail, while avoiding the burden of manual and ad-hoc reporting procedures. For example, one could distinguish between small and large incidents and use less reporting detail for the (many) smaller incidents.
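A minimal tiered-reporting helper, as an added example that is not part of the ENISA paper or of this post: it classifies constructed incident records as large or small against assumed thresholds (the paper refers to an “agreed impact threshold” without stating its value here, so the threshold numbers, the record fields, the root-cause labels and the sample incidents are all assumptions), emits the full Article 13a-style record (service, users, duration, root cause, actions, lessons) only for large incidents, and aggregates root causes for the kind of annual analysis ENISA describes.

```python
"""Tiered incident-reporting helper (added example; not ENISA's own tooling).

Assumptions, none taken from the ENISA paper: the threshold values, the
record fields, the root-cause labels and the sample incidents below are
all constructed for illustration.
"""
from collections import Counter
from dataclasses import dataclass

# Assumed thresholds. A report counts as "large" when users x hours reaches
# USER_HOURS_THRESHOLD, or when the outage alone lasts DURATION_THRESHOLD_H
# or longer (a long outage of a small service still deserves full detail).
USER_HOURS_THRESHOLD = 50_000
DURATION_THRESHOLD_H = 24


@dataclass(frozen=True)
class Incident:
    service: str            # affected service, e.g. "mobile telephony"
    users_affected: int
    duration_hours: float
    root_cause: str         # constructed labels, e.g. "natural phenomenon"
    actions_taken: str
    lessons_learnt: str


def user_hours(inc: Incident) -> float:
    """Impact measure: users affected multiplied by outage duration."""
    return inc.users_affected * inc.duration_hours


def is_large(inc: Incident) -> bool:
    """True when the incident exceeds either assumed reporting threshold."""
    return (user_hours(inc) >= USER_HOURS_THRESHOLD
            or inc.duration_hours >= DURATION_THRESHOLD_H)


def build_report(inc: Incident) -> dict:
    """Large incidents carry the full record; small ones keep only the
    fields needed for trend statistics, so the many minor events stay
    cheap to report."""
    report = {
        "tier": "large" if is_large(inc) else "small",
        "service": inc.service,
        "users_affected": inc.users_affected,
        "duration_hours": inc.duration_hours,
        "root_cause": inc.root_cause,
    }
    if report["tier"] == "large":
        report["actions_taken"] = inc.actions_taken
        report["lessons_learnt"] = inc.lessons_learnt
    return report


def annual_summary(incidents) -> dict:
    """Aggregate a year's reports: counts per tier, root causes for all and
    for large incidents only, and total user-hours lost."""
    reports = [build_report(i) for i in incidents]
    large = [r for r in reports if r["tier"] == "large"]
    return {
        "total": len(reports),
        "large": len(large),
        "root_causes_all": dict(Counter(r["root_cause"] for r in reports)),
        "root_causes_large": dict(Counter(r["root_cause"] for r in large)),
        "user_hours_lost": sum(r["users_affected"] * r["duration_hours"]
                               for r in reports),
    }


# Constructed sample incidents (not real reports to any authority).
SAMPLE = [
    Incident("fixed telephony", 2_000_000, 48, "natural phenomenon",
             "restored power to exchanges", "add battery backup"),
    Incident("internet access", 5_000, 2, "human error",
             "rolled back config", "peer review changes"),
    Incident("mobile internet", 30_000, 30, "system failure",
             "replaced core router", "monitor hardware health"),
    Incident("mobile telephony", 800, 1, "malicious action",
             "blocked attacking hosts", "rate-limit signalling"),
    # Few users, but a long outage: large by duration alone.
    Incident("emergency call routing", 100, 26, "system failure",
             "rerouted via backup", "test failover quarterly"),
]

if __name__ == "__main__":
    import json
    print(json.dumps(annual_summary(SAMPLE), indent=2))
```

The two-threshold rule is the point: a pure users-times-hours cut-off would silently drop the long outage of a small but critical service, so the duration test catches it, while the reduced record for small incidents keeps the per-report cost low without losing the root-cause counts the annual trend analysis needs.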

ENISA Conclusion

ENISA would like to remark that in recent years a lot of progress has been made, in terms of addressing incidents and increasing transparency about incidents. The national authorities, for example, recently submitted to ENISA and the EC, the first Article 13a incident reports regarding severe incidents that occurred in 2011. The vast majority of national authorities use a single set of security measures and a common reporting template allowing for efficient collection and analysis. ENISA will publish an analysis of the 51 severe incidents in September 2012. From next year, every spring ENISA will collect annual incident reports and publish an analysis of the incidents of the previous year. For example, next spring 2013 ENISA will publish an analysis of the 2012 incidents.

ENISA looks forward to continuing our work with national authorities and the European Commission to support an efficient and effective implementation of Article 13a, Article 4, and the other security articles across the single digital market, and to support collaboration and information exchange between national authorities across the EU, to improve security across the EU’s digital society.

Find the ENISA press release here.
