Security is a busy field, and 2019 was no exception. Following last week’s blog looking back at the first six months of the year, here’s the second part covering cybersecurity, data protection and privacy stories that emerged between July and December.
Summertime and the living wasn’t easy if your company was called BA or Marriott. The UK Information Commissioner’s Office announced an intention to fine them £184 million and £99 million respectively for GDPR breaches. The (provisional) fine levied against BA would amount to 1.5 per cent of its annual revenue. Our take on the news was that the fines were not for having the breaches but for having poor security practices that led to them.
Later that same month, we published nine tips on responding to and recovering from data breaches. The advice included paying attention to security alerts, communicating verifiable information and setting up an incident response team.
Turning to data protection, research found that website privacy statements leave a lot to be desired – and understood. Separate investigations by the New York Times and the European Commission described these notices as “an incomprehensible disaster” and “too long and difficult to understand”.
July also saw the EU Cybersecurity Act come into force, complete with a new certification framework for the security of digital products and services.
A major breach dominated headlines again in August, but instead of the victim being a company, it was a country. Bulgaria’s National Revenue Agency suffered a breach that saw attackers gain access to personal data of about 70 per cent of the country’s citizens. “It is safe to say that the personal data of practically the whole Bulgarian adult population has been compromised,” Vesselin Bontchev, a cybersecurity researcher, told the BBC. Some of the data ended up on hacker forums. Some Bulgarian citizens worried the breach could put them at greater risk of scams. Consequently, as we noted in reporting the story, an incident like this “gives fresh ammunition to privacy campaigners who warn against trusting governments to protect citizens’ personal data”. (More of which next month.)
Elsewhere, data protection issues dominated. The European Data Protection Board (formerly the Article 29 Working Party) published its 2018 annual report. The document covered the practical application of its guidelines; the board’s recommendations and best practice; binding decisions; and the levels of data protection afforded to natural persons in the EU.
However, that helpful material apparently escaped the attention of privacy guardians at some of Ireland’s leading tourism sites. In an incredibly literal interpretation of the General Data Protection Regulation, the Office of Public Works removed visitor books from popular destinations, depriving tourists of a way to sign their names and leave messages. It’s the type of story you tend to see during the so-called ‘silly season’, but it shows how some organisations are still getting the issue badly wrong.
Valerie Lyons returned to this theme, noting that some organisations and companies are “hiding behind” their data protection obligations. She urged them to follow the spirit of the regulations rather than a narrow interpretation. By not doing so, she argued that they risk missing an opportunity to build trust and deliver a better customer experience.
The Irish Government’s controversial Public Services Card scheme turned out to be a data protection debacle. The project overreached its remit, almost becoming a national ID card by default. Data protection activists and experts had been very vocal about their concerns over scope creep. Then came the Data Protection Commission’s 170-page report, and its order to the Department of Social Protection to delete all data it held on the 3.2 million citizens who applied for the card.
BH Consulting’s Tracy Elliott reacted to the news with a blog listing the key points of the case. Her three lessons were:
- Develop a clear, concise privacy notice to provide to all service users, detailing the purposes of processing, the legal basis for doing so, and retention policies.
- Be aware of the impact of any change in the processing of personal data within your business. Consider if a Data Protection Impact Assessment (DPIA) is required or indeed, if a previous DPIA should be revised in the event of a change in how you process personal data.
- Having a retention policy is not enough; you also need to implement it by deleting and destroying the data – so get the shredder serviced and start securely destroying data you no longer need. Stop being a personal data hoarder!
And because it’s always someone’s first day in security, we published a fresh version of our 13 steps to protect networks from cybersecurity threats. In a similar vein, we wrote about good password practice, drawing on our blog archive. Research from Microsoft had revealed the 10 most common passwords seen in guessing attacks. It also reached a surprising conclusion: longer doesn’t mean stronger when it comes to passwords, because the attacks that actually succeed (guessing and reuse of already-leaked credentials) don’t care about length. Multi-factor authentication can’t come quickly enough.
October saw the first publication in eight years of the MITRE Common Weakness Enumeration (CWE) Top 25. The report lists frequent and critical weaknesses that can lead to serious software vulnerabilities. It doesn’t say much for security’s progress since then that many of the flaws are the same as in the previous list.
Meanwhile there was a fresh development in the world of business email compromise, or CEO fraud. It seems scammers have studied legitimate marketing techniques and are timing their spoof emails to land at times when people are most likely to open them.
At BH Consulting, we’re big believers in the ISO 27001 information security standard. After the International Organisation for Standardisation published an extension for privacy information management (ISO/IEC 27701), we picked apart what this would mean for managing GDPR compliance and what’s involved in becoming certified to the new standard.
We’re also believers in the importance of cybersecurity culture. David Prendergast wrote an extensive two-part blog about how to foster an enduring culture: one where people are empowered to spot threats, and where security thinking is embedded into the entire approach to business. You can read part one here and part two here.
In November, we published a blog inspired by Brian Honan’s keynote address at the BSides Belfast security conference. Brian wrote about the need for a different approach to security; mature industries like aviation have very clear processes to learn from past incidents. “We need more rigour to ensure that every level of a system is secure, not just the operating system that sits on top,” Brian said.
Other actions for cybersecurity professionals include: engage with the business to understand its risks; improve accountability; encourage others into the profession; foster diversity; understand the audience in order to communicate messages better; and make security easier, not harder, by improving usability.
November is also the month of Irisscon, the Irish Cybercrime Conference. We reported from the event, where the human factor was very much to the fore. That included the need for people to enter the industry to meet the demand for security skills. (Dan Raywood of Infosecurity Magazine spoke about research showing that many job ads for cybersecurity roles require unachievable levels of experience and qualifications.)
Other speakers looked at the subject from the perspective of people as targets for potential attackers. Security researcher Emma Heffernan, in her debut conference talk, spoke about the importance of effective security awareness training.
Ransomware remained on the radar right throughout the year, but this month saw an interesting development. Security consultants and law enforcement have always advised ransomware victims not to pay up. But there are times when organisations feel they have no choice, either because the cost of the resulting downtime is too high to bear, or because they have no other way of getting their data back. Against that backdrop, the FBI softened its previous no-pay stance: its latest guidance acknowledged that paying is sometimes the only option, while still urging victims to report incidents to law enforcement.
In the spirit of spreading good cheer during the festive season, here’s a link that should trigger a chuckle or two among security professionals. It’s called Why the f*ck was I breached and, well, you can probably guess the rest.
On a more serious note, the Irish Independent reported on a Government memo warning of the potential impact of cyber attacks. The same story also referred to the pending national cyber security strategy. This will see “major investment in protecting public sector IT systems and upskilling private companies”. As we start looking ahead to 2020, it’s a reminder that cybersecurity will be front and centre over the coming year and beyond.